SpinOffice’s commitment to GDPR

Security of information and privacy are our most important assets. It is in our greatest interest that you have confidence in how we handle your personal information and all data in your database. This is possible only when our software works accurately and securely, our internal processes and policy are correct and when our colleagues handle (business) data correctly.

To strengthen an individual’s rights to privacy, the European Union brought about the General Data Protection Regulation or GDPR, fortifying existing directives on data protection. The Regulation issued by the European Union applies to businesses processing personal data of European residents, and has been in force since 25th May 2018.


7 Key Principles of the GDPR

The GDPR encourages businesses to be responsible about an individual’s data. By ensuring protection and privacy of this data, businesses earn customer trust and they are likely to engage better with the business. GDPR provides a framework for businesses to standardize and regularize real-world security and privacy needs of an individual’s data used for business purposes.

The key principles which the GDPR requires businesses to operate on are:

1. Lawful, fair and transparent processing:
Emphasizes transparency for all individuals i.e. when data is collected, businesses must be clear as to why data is being collected and what will it be used for.

2. Purpose limitation:
Collect data, only for the purpose you need it for. That is, data collected for specific purposes/reasons cannot be further processed in a manner incompatible with those purposes/reasons.

3. Data minimization:
Ensure data captured is adequate, relevant and limited. Based on this principle, organizations must ensure they store minimum amount of data required for their purpose.

4. Accurate and up-to-date processing:
Data controllers must ensure information remains accurate, valid and fit for purpose. To comply, organizations must institute processes and policies to address how they maintain data they are processing and storing it.

5. Limitation of storage in a form that permits identification:
Have control over storage and movement of data within the organization. This includes implementing and enforcing data retention policies, and preventing unauthorised movement and storage of data.

6. Confidential and secure:
An organization collecting and processing data is solely responsible for implementing appropriate security measures to protect the individuals data.

7. Accountability and liability:
Organizations must be able to demonstrate adoption of necessary steps to protect an individual’s personal data, and be able to pull up every step within the GDPR strategy as evidence.

SpinOffice CRM and the GDPR

We offer a Data Processing Agreement

When using SpinOffice CRM, our organization (Mulberry Garden B.V.) is the ‘processor’ of your data. In accordance with the upcoming GDPR legislation, it is required to conclude a ‘data processing agreement’ with all your processors. The data processing agreement is an agreement between the controller (you as the customer) and the processor (we), which specifies how the processor must deal with the personal data.

GDPR Compliance Checklist

Use the checklist from IT Governance, it highlights the essential steps you need to take to prepare for the GDPR and demonstrate compliance.

For more information about the GDPR, visit the in-depth beginners guide from VPN Geeks.

The responsibility for having a processing agreement lies with the controller, but we as a processor have drawn up an agreement already for you. If you wish to receive this agreement, please contact us. After we received the signed agreement, we sign it as well and send it back to you in digital form.

Two-step verification on login

In view of the GDPR we have upgraded our security with the introduction of two-factor authentication for SpinOffice CRM. This feature enables secure access to your account and ensures safety of your data and resources that reside in your SpinOffice account.

When you log in to your average social networking site or app, you typically enter your username/email and password to access your account. This may be the single step taken by the website/app to verify your identity and grant access to your account. This is known as one-factor authentication. When you add another factor to this password-only authentication system, it is known as two-factor authentication (2FA). In such a setup, you are required to provide an additional piece of information to verify your identity.

2FA ensures that even if one of the factors have been compromised or leaked, the other factor keeps hackers/criminals from breaking into your account, thereby minimizing the risk of data theft.

Frequently asked questions about the GDPR and SpinOffice CRM

How is the security of the CRM system guaranteed?

We takes adequate organizational and technological measures to ensure the security and confidentiality of your personal information.

We use Amazon Web Services (AWS) to host the application servers that are needed to run SpinOffice CRM. All client databases, email messages and files are securely saved and managed on AWS. The data centers that we use are located within the EU and our network is a private network to whom nobody else has access. Our virtual private network spans over two AWS data centers within one availability zone. This allows us to host our servers it two separate data centers. In case of a problem in one data center, the other one will pickup the load and users can continue to work.

Our databases are encrypted by a company key and any file that is stored in SpinOffice is stored encrypted.

What about the backups?

Without having to do anything, we automatically make an external backup of your database according to a daily schedule. This backup contains all messages, files and contacts in your database. With a cloud backup your data is safely stored externally, this eliminates dangers such as fire and theft, hazards to which local backups are exposed to.

In addition to the daily backup of your database, versions of files are continuously stored. SpinOffice keeps snapshots of all changes made to files in your SpinOffice database within the past 5 days. After that, we move your document to a backup server for the next 100 days.

For how long are deleted items from the database stored in a backup?

When a user has deleted data from the database, we keep the data in the background for 30 days. This period is used to restore incorrectly deleted files at the request of the customer. After 30 days, all deleted data are automatically deleted.

Email messages that are deleted remain in the deleted folder for 90 days, after which they are permanently deleted from our server.

How will data leaks be reported?

As mentioned in the Data Processing Agreement between the controller (you as the customer) and the processor (we), without unreasonable delay and no later than 24 hours after discovery, the processor shall noti-fy the controller of a data breach via email to the controller’s contact person.

SpinOffice is committed to cooperate with the controller to meet all the legal requirements in relation to the reporting to the Dutch Data Protection Authority. SpinOffice shall keep the controller informed of the progress of the internal investigation and the developments with regard to the data breach, and will keep the controller informed on the recently implemented security measures.

Which settings does SpinOffice CRM have so that the organization can comply with the GDPR Act?

See the points above the frequently asked questions.

We will continue to inform you about steps that needs to be taken to better comply with this new legislation. Compliance with the GDPR legislation is not only having data processor agreements but also requires attention for internal processes within your own organization.

For more details on how we guarantee the security of information and privacy, please refer to the applicable SpinOffice terms and conditions. And, of course, you may always contact us for a personal explanation.