Virtuagym's Information Security & Compliance

 

Virtuagym's security practices and latest noticeable changes

In line with European and United States legislation, such as the GDPR, Virtuagym is continuously working on improving the security and privacy of your and your clients' information. Sometimes this requires operational or technical changes. To give you relevant knowledge of our information security measures and processes, the overview below describes, in understandable terms, the broad range of security aspects that are in place at Virtuagym.

Please go to 'NOTICEABLE CHANGES' in the overview below for insight into the changes that you might encounter, or have a look at 'SECURITY MEASURES' for insight into what we do to safeguard your and your clients' data.

 

EXPERT KNOWLEDGE

Virtuagym has a team of information security specialists fully dedicated to securing your and your clients' data. Every member of the department has his or her own specialties, ensuring that all aspects of the information security domain are covered internally. Your data is secured in line with industry standards.

Some of the things our professionals do are:

  • Maintain the systems
  • Develop, review and update security processes
  • Optimise Virtuagym's security infrastructure
  • Implement Virtuagym's security policies
  • Perform security risk analysis

Our team engages with clients, industry stakeholders, and supervisory authorities to shape the Virtuagym services in a manner that helps clients meet their compliance needs.

 

OUR POLICIES

Our data processing agreements clearly articulate our privacy and security commitments to you and your clients. Our 'Terms of Use' and 'Privacy Statement' are regularly updated to reflect our efforts regarding security and privacy. It goes without saying that the aforementioned documentation is updated in accordance with the GDPR.

In order to safeguard data to the best of our abilities, and to be able to act appropriately in the unlikely event of a security breach, we have established multiple policies and procedures. All of the policies below are periodically reviewed and, where applicable, tested.

  • Acceptable use policy
  • Access control policy
  • Asset management policy
  • Business continuity procedure
  • Data-security policy
  • Disaster recovery plan
  • New hire policy
  • Personnel termination policy
  • Physical security policy
  • Privacy Statement
  • Security incident response plan
  • Terms of Use

 

STANDARDS & CERTIFICATIONS

Our clients and regulators expect independent verification of security, privacy, and compliance controls. The Virtuagym services undergo independent third-party audits on a regular basis to provide this assurance. Apart from that, Virtuagym also conducts regular internal vulnerability testing.

 

NOTICEABLE CHANGES

At Virtuagym we are constantly optimizing our information security. Sometimes, in order to provide the best security, operational or technical changes are required. You may find that some of these information security related changes are noticeable and others aren't. We want to be as transparent as possible. Therefore, a list of the changes that you will most likely notice, together with a short explanation of why they were made and what the new situation is, is given below.

Starting 14-05-2018 | Granting access to your portal

Because we want to reduce the chances of data being corrupted or lost as much as possible, we decided to further limit access to your data. We therefore only enter a portal after one of your staff members has granted us access. As a result, in order to give you the required level of support, we may ask you to grant us access. You are always able to grant as well as revoke this access by switching a toggle on or off in your portal. The period of access is always limited.

Granting access through the web portal:

  • Select the arrow next to your name in the portal
  • Go to 'Account settings'
  • Select 'Privacy'
  • Switch the toggle on to grant access to Virtuagym
  • Click 'Accept'

Granting access through your mobile device is coming soon!

On 24-05-2018 | Our Privacy Statement was updated

The latest update strengthens your privacy rights and explains these rights. The most significant changes are:

  • We provided more details on the types of data we collect and why we collect it.
  • We expanded upon how personal information can be controlled and made it easier to tell us what to do.
  • We have added your rights with regards to personal information.

Please find our privacy statement here.

The following currently applies only to clients located within the EU.
Starting 14-05-2018 | Data Processing Agreements in your portal if you have the role 'Club manager'

Under the GDPR 'Controller' and 'Processor' are asked to document responsibilities around the processing of personal data. Therefore, we created a comprehensive Data Processing Agreement that reflects the specific situation that applies to Virtuagym, and you as our client, regarding the processing of personal data. The Data Processing Agreement will be available in your portal if you have 'Club manager' privileges. You will be notified through in-portal communication of the document being ready for you to sign. After signing, the document will remain available in your portal.

Signing the Data Processing Agreement:

  • Go to the 'Business settings'
  • Select 'Agreements'
  • If you agree with the provisions stipulated in the Data Processing Agreement, fill out all fields
  • Click 'Submit'
  • Your signed Data Processing Agreement can be found under business settings 'Agreements'

 

GRANTING ACCESS TO YOUR PORTAL AND DATA

At Virtuagym we want to reduce the chances of data being corrupted or lost as much as possible. Therefore, we decided to further limit access to your data. We only enter a portal after one of your staff members has granted us access. As a result, in order to give you the required level of support, we may ask you to grant us access. You are always able to grant as well as revoke this access by switching a toggle on or off in the portal. The period of access is always limited.

Granting access through the web portal:

  • Select the arrow next to your name in the portal
  • Go to 'Account settings'
  • Select 'Privacy'
  • Switch the toggle on to grant access to Virtuagym
  • Click 'Accept'

Granting access through your mobile device is coming soon!

 

 

SECURITY MEASURES

Virtuagym aims to safeguard your and your clients' data, and the service, by implementing industry-standard security measures. A comprehensive overview of the measures implemented and the standards that are to be met is presented below.

REGULATORY COMPLIANCE

Virtuagym meets the following general requirements:

  • Ensuring an information security officer is in place, along with a security team focused on managing and maintaining Virtuagym’s information security program;
  • Maintaining an organizational diagram outlining the roles and responsibilities of all individuals performing security functions; and
  • Obtaining and maintaining an industry standard comprehensive Information Security Program.

OPERATIONAL SECURITY

Virtuagym documents and maintains a comprehensive Information Security Policy that is communicated to all personnel and all other parties permitted to have access to Personal Data.  In addition, Virtuagym:

  • Requires personnel and all other parties to acknowledge and adhere to its security policies and practices when accessing and handling Personal Data; and
  • Formally reviews (and updates when applicable) all security policies at minimum on an annual basis.

SECURITY AWARENESS TRAINING

Virtuagym maintains a security awareness training program for all personnel that at least will include i) the nature of Personal Data, ii) proper methods for handling, protecting, transferring and storing Personal Data, iii) procedures for reporting security incidents and iv) consequences for failing to comply with the Information Security Policy.

Virtuagym ensures that each member of its personnel conducts the security awareness training at least annually and upon employment.

If any faults or omissions in the security awareness training are detected, Virtuagym will update the Security Awareness Training accordingly in a timely manner.

HUMAN RESOURCES

Virtuagym is responsible for performing background checks on all employees. Baseline requirements for background checks can include past employment verification, verification of education, reference screenings and social media screenings.

CHANGE MANAGEMENT

Virtuagym aims to enforce an industry-accepted change control process for all supporting infrastructure and assets. The change control process includes activity logs and roll-back procedures.

ENVIRONMENTAL SECURITY

This section sets forth Virtuagym's environmental security measures.

Virtuagym maintains and enforces, at all locations where services relating directly or indirectly to its services are performed, physical and computer system security procedures that are:

  • Equal to industry standards for such types of service locations; and
  • In compliance with applicable law, specifically including applicable GDPR security requirements in all cases where Personal Data is stored or transmitted.

At locations where data is stored, Virtuagym aims for all server rooms to have fire detection and suppression systems and a redundant air-cooling system, for controls to be in place to ensure telecom cables are protected from interception or damage, and for facilities to be equipped with adequate equipment to sustain the power supply in the event of a power disruption.

Virtuagym aims for industry-standard security compliance at locations where data is stored. This can include maintaining qualified security guards at data hosting facilities to ensure that only authorized individuals are permitted into locations that access, process, and store data, or that support the client.

Virtuagym requires all visitors, contractors, and maintenance personnel (Visitors) to check in. Visitors are always escorted by a member of staff.

SECURITY TESTING

Virtuagym performs regular testing on the applications and the supporting network and infrastructure that transmit, process, or store Personal Data on behalf of Controller. Any improvements identified will be processed and the applicable measures will be implemented within a reasonable timeframe.

SECURITY AND BREACH NOTIFICATION

Virtuagym has documented procedures in place for reporting and handling security incidents, including network intrusion, data theft, unauthorized data access, equipment theft, and external threats to systems (including viruses), and ensures that an industry-accepted incident response program is in place, enforced, up to date, and communicated. Virtuagym supports this process with a designated emergency response team and maintains a security incident log of all security incidents.

Virtuagym aims to communicate actual security incidents involving Controller’s or a related data subject’s data within 24 hours of detection. Virtuagym will continue providing appropriate status reports to the client regarding the resolution of the security incident and prevention of future such security incidents until Virtuagym reasonably finds that the security incident is resolved.

ENCRYPTION

Virtuagym enforces encryption for transmissions and storage of Personal Data. Virtuagym complies with applicable international and national standards, as well as all Dutch legal and regulatory controls.

Virtuagym securely manages all cryptographic keys and certificates in accordance with documented control requirements and procedures consistent with current industry best practices and Virtuagym’s Information Security Policy, and protects Controller's data from unauthorized access or destruction.

ACCESS MANAGEMENT

Virtuagym maintains policies and adequate technical controls that provide the following security measures:

  • Access controls are in place that are designed to limit access to data to authorized users only;
  • Processes are documented and enforced to ensure all Personal Data is anonymized after a set period of time after the owner became inactive;
  • User accounts can be made inactive manually at any time;
  • Reconciliation of system accounts to existing users is performed at least annually;
  • Unique user IDs and passwords are used for all Virtuagym’s personnel;
  • Processes are documented and enforced to review and track user privileges when a user changes job roles/responsibilities;
  • A compiled list of personnel with administrator privileges and other high-level privileges is maintained;
  • The system enforces user account lockout after a maximum number of login attempts to prevent password guessing attacks;
  • Privileged access to production environments by developers is used only for planned or emergency change support; and
  • Service accounts are dedicated for a specific purpose and must not be utilized by individuals for any other purpose.

PASSWORD MANAGEMENT

Virtuagym maintains policies ensuring that its systems, user accounts, all supporting service accounts, and all management protocols supporting authentication adequately provide the following password management controls:

  • Authentication mechanisms that cannot be bypassed to gain unauthorized access to systems; and
  • Authentication data such as passwords are stored in an encrypted form that does not allow the authentication data to be recovered in readable form.
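The two controls above, together with the account lockout mentioned under 'ACCESS MANAGEMENT', can be illustrated with a short piece of code. The example below is added here for explanation; it is not Virtuagym's code and says nothing about how Virtuagym's systems are actually built. It stores only a random salt and a one-way PBKDF2 digest of each password (so the stored record can never be turned back into the password), compares digests in constant time, and locks the account once the number of consecutive failed attempts reaches a threshold. The threshold `MAX_ATTEMPTS` and the `Account` record are assumptions made for the example; the page gives no such values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed values for this example only; the page states neither a threshold
# nor a hashing scheme. PBKDF2-HMAC-SHA256 with a high iteration count is a
# common industry choice for one-way password storage.
MAX_ATTEMPTS = 5
PBKDF2_ITERATIONS = 600_000


@dataclass
class Account:
    """What the system keeps: a salt and a digest, never the password itself."""
    user_id: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted derivation; the result cannot be reversed to the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(user_id: str, password: str) -> Account:
    salt = os.urandom(16)  # fresh random salt per account
    return Account(user_id, salt, hash_password(password, salt))


def login(account: Account, password: str) -> str:
    """Return 'ok', 'denied' or 'locked'. A locked account rejects even the right password."""
    if account.locked:
        return "locked"
    candidate = hash_password(password, account.salt)
    # Constant-time comparison so timing does not leak how many bytes matched.
    if hmac.compare_digest(candidate, account.digest):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        account.locked = True  # lockout: guessing further is pointless until an admin unlocks
        return "locked"
    return "denied"


def unlock(account: Account) -> None:
    """Manual administrative reset, as the page describes for account state changes."""
    account.failed_attempts = 0
    account.locked = False


def stored_record_reveals_password(account: Account, password: str) -> bool:
    """True only if the plaintext password appears anywhere in what is stored."""
    return password.encode("utf-8") in account.salt + account.digest


if __name__ == "__main__":
    acct = create_account("manager@example.test", "correct horse battery staple")
    print(login(acct, "correct horse battery staple"))   # ok
    for _ in range(MAX_ATTEMPTS):
        print(login(acct, "wrong guess"))                 # denied ... then locked
    print(login(acct, "correct horse battery staple"))   # locked
    print(stored_record_reveals_password(acct, "correct horse battery staple"))  # False
```

The second control on the page is satisfied because `Account` holds no recoverable form of the password: an attacker who obtains the stored record still has to guess, and the first control (lockout) bounds the number of online guesses.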

DATA PROTECTION

Virtuagym stores all backup and archival media containing data in secure, environmentally-controlled storage areas.

SYSTEMS & NETWORK SECURITY

Virtuagym documents and seeks to ensure that:

  • Firewalls with adequate ACLs (Access Control Lists) are enforced;
  • Dedicated firewalls are in place to protect the services provided by Virtuagym; and
  • Firewall logs are used to record and monitor all traffic in and out of the firewalls.

INTRUSION PREVENTION

Virtuagym deploys industry standard intrusion detection and prevention tools to identify and respond to suspected or actual cyber-attacks.

CLOUD COMPUTING

Virtuagym provides a cloud-based service to Controller and the data subjects.

ENDPOINT SECURITY

Virtuagym systems have real-time malware-protection enabled and updated.

PATCH MANAGEMENT

Virtuagym maintains and enforces patch management. Virtuagym implements security patches and other relevant security vulnerability updates when available and approved.

SYSTEM MONITORING & STORAGE

Virtuagym maintains logs of all key events, such as those that have the potential to impact the confidentiality, integrity and availability of the services to Controller and that may assist in identifying or investigating material incidents and/or breaches of access rights occurring in relation to the Controller’s data.

Virtuagym keeps such logs for a period of at least twelve (12) months after creation and protects such logs against unauthorized change (including amending or deleting a log entry).
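The two requirements above (retain for at least twelve months, and make unauthorized amendment or deletion detectable) can be made concrete with a hash-chained log. The example below is added for illustration only; it is not Virtuagym's logging implementation and does not describe it. Each entry carries the hash of the previous entry, so editing or removing any entry breaks the chain from that point on, and a retention check compares each entry's timestamp against the twelve-month minimum before anything may be purged. The event format and the sample events are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# The page requires at least twelve months of retention; 365 days is the
# example's reading of that minimum.
MIN_RETENTION = timedelta(days=365)
GENESIS = "0" * 64


def _entry_hash(prev_hash: str, event: dict) -> str:
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(chain: list, event: dict) -> dict:
    """Append an event, linking it to the hash of the previous entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"event": event, "prev": prev_hash, "hash": _entry_hash(prev_hash, event)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> int:
    """Return -1 if every link is intact, else the index of the first broken entry."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry["hash"] != _entry_hash(prev_hash, entry["event"]):
            return i
        prev_hash = entry["hash"]
    return -1


def eligible_for_purge(entry: dict, now: datetime) -> bool:
    """An entry may only be purged once it is older than the minimum retention period."""
    ts = datetime.fromisoformat(entry["event"]["ts"])
    return now - ts >= MIN_RETENTION


# Constructed sample events (not real log data): key events of the kind the
# page lists, such as access-right changes and authentication failures.
SAMPLE_EVENTS = [
    {"ts": "2018-05-14T09:00:00+00:00", "type": "privilege_change", "user": "u1", "role": "club_manager"},
    {"ts": "2018-05-14T09:05:00+00:00", "type": "login_failed", "user": "u2", "attempt": 3},
    {"ts": "2018-05-14T09:06:00+00:00", "type": "account_locked", "user": "u2"},
    {"ts": "2019-06-01T12:00:00+00:00", "type": "support_access_granted", "user": "u1"},
]


def build_sample_chain() -> list:
    chain: list = []
    for event in SAMPLE_EVENTS:
        append_event(chain, event)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain))                   # -1: intact
    chain[1]["event"]["attempt"] = 1              # unauthorized amendment
    print(verify_chain(chain))                    # 1: first broken entry
    now = datetime(2019, 7, 1, tzinfo=timezone.utc)
    print([eligible_for_purge(e, now) for e in build_sample_chain()])
```

Deleting an entry is detected the same way: the entry after the gap still points at the hash of the removed one, so its `prev` no longer matches its predecessor. In practice the latest hash would be published or stored somewhere the log writer cannot modify, otherwise an attacker with write access could simply recompute the whole chain.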

BACKUP & DISASTER RECOVERY

Virtuagym has a backup strategy and process in place for business continuity. Backups are handled in a manner consistent with backup and security best practices; and Virtuagym ensures that backups are frequent enough and tested on a regular basis to ensure that systems can be restored to a known good state.

Virtuagym has a formal business continuity and disaster recovery plan implemented.

 

EMPLOYEE CONFIDENTIALITY

All of Virtuagym’s employees are required to sign a confidentiality agreement and complete mandatory awareness training. This training includes topics such as confidentiality, privacy and security. Virtuagym’s Awareness training outlines expected behavior with respect to the protection and handling of information.

 

DATA PROCESSING

For more information regarding the processing of data, please see our Privacy Statement.

 

DATA ERASURE

Under several pieces of legislation, such as the GDPR, 'the right to be forgotten' applies to data that can be related to an individual. This means that individuals can request that their data be erased. Virtuagym has developed a technical solution that enables us to erase personal and sensitive data upon request.

Under 'Data request' more information is given on what to do when an individual has a data request that involves Virtuagym.

 

DATA RETENTION

Virtuagym believes, in line with the GDPR and other applicable legislation, that data that is traceable to individuals should not be stored any longer than is reasonably necessary. Therefore, Virtuagym ensures anonymization of data after the predetermined retention period expires.

The retention periods that are set for the different data types will soon become available here.

 

DATA PORTABILITY

Your clients can ask for a copy of their data. Virtuagym has systems in place to provide this. We will always present the data in an electronically readable format such as CSV or Excel. Furthermore, as a client you have the possibility to connect to our open and private API.

We are always working to enhance the robustness of the data export capabilities of the Virtuagym services.

Under 'Data request' more information is given on what to do when an individual has a portability request that involves Virtuagym.

 

DATA REQUEST

Whether one of your clients requests a copy of their data, asks for their data to be erased, or wants more information on how their data is handled, Virtuagym is able to assist you. For any data request the following steps need to be taken:

  • Notify our Client Success team or your Key Account Manager by emailing support@virtuagym.com; include the FULL NAME, EMAIL ADDRESS and SPECIFIC REQUEST of the individual making the request. Also include your FULL NAME and CLUB NAME, and GRANT US ACCESS to your portal by switching the toggle under 'account settings' > 'privacy'
  • Our team will notify you of receipt and will provide you with additional information
  • Our team will handle the request timely and in an appropriate manner
  • If applicable, our team shares the requested documentation
  • Possible costs for handling the request are charged on your next invoice

 

USE OF SUBPROCESSORS

A sub-processor is a sub-contractor hired by Virtuagym to process or store data. Virtuagym tries to limit the number of sub-processors and aims to obligate each sub-processor to comply with confidentiality obligations, notification obligations and security measures relating to the processing of personal data, which obligations and measures must at least comply with industry standards.

Virtuagym engages multiple sub-processors for a variety of reasons. The list of sub-processors presented below gives an overview of all sub-processors that Processor uses to process and/or store data. The sub-processors handling large amounts of Personal Data are introduced first, after which it is explained how each sub-processor's services are used. Finally, additional security information for these sub-processors is shared.

Portal functionalities, analytics and hosting - sub-processors

DOMO, Inc.

INTRODUCTION - Domo is an all-in-one business intelligence platform for effectively extracting and visualizing data. Domo is one of the biggest players in the Business Intelligence market and serves all sorts of companies, including multinationals. Being a data company, data security is one of their top priorities.

USE - Processor uses Domo services i) to grant its clients access to advanced dashboarding for analytical purposes, and ii) for Processor’s analytical purposes.

ADDITIONAL SECURITY INFORMATION - Domo complies with the highest industry standards for security, e.g. HIPAA, SOC 2 and the US-EU Privacy Shield framework. Domo never owns or uses any of the data and is under no circumstances given access to Processor's database without the explicit permission of Processor. In accordance with the GDPR, Processor will only grant Domo access i) if necessary for service purposes, and ii) for business continuity purposes.

Amazon Web Services

INTRODUCTION - Amazon Web Services provides reliable and scalable cloud services. Amazon Web Services is the world's largest cloud service platform, providing hosting to all sorts of companies.

USE - Processor uses Amazon Web Services to securely store the data and optimize the Service.

ADDITIONAL SECURITY INFORMATION - Amazon Web Services operates to high-level security standards and enables Processor to store data to the same high standards. Amazon Web Services never owns or uses any of the data and is under no circumstances given access to Processor's database without the explicit permission of Processor. In accordance with the GDPR, Processor will only grant Amazon Web Services access i) if necessary for service purposes, and ii) for business continuity purposes.

Marketing and Sales - sub-processors

  • Salesforce
  • Hubspot
  • Hotjar
  • Zoom
  • LinkedIn Sales Navigator
  • LinkedIn Ads
  • Yesware
  • Docusign
  • Google Analytics
  • MailChimp

Client Support - sub-processors

  • Zendesk
  • Intercom
  • Jira
  • FluentStream
  • Voys
  • Teamviewer
  • GoToWebinar
  • Typeform
  • Receptive
  • UserVoice

Administration and internal communication - sub-processors

  • Google (G Suite)
  • Microsoft Office
  • Exact

 

INCIDENT NOTIFICATION

Virtuagym has documented procedures for reporting and handling security incidents. We will promptly inform you of incidents involving your or your clients' data that may have a material impact on the protection of this data. Of course, we will take reasonable measures to prevent or limit the impact of the incident and to prevent future incidents.

 

General Data Protection Regulation

As of 25 May 2018, European data protection legislation has been updated for the first time in 20 years. The GDPR replaces the 1995 EU Data Protection Directive, strengthens the rights that individuals have regarding personal data relating to them, and seeks to harmonize data protection laws across Europe, regardless of where that data is processed.

You can rest assured that Virtuagym is committed to ongoing GDPR compliance. We are also committed to helping our clients comply with the GDPR by providing appropriate privacy and security protections that are built into our service and contracts.

If you work at a company that offers services within the EU or to EU individuals, your role as a Virtuagym client will typically be to act as a data controller for most of the personal data you and your clients enter in your Virtuagym portal(s). For this data, several purposes for processing are stated in the license agreement you have with Virtuagym and in the Data Processing Agreement that was made available in your portal. Virtuagym processes the data you control on your behalf whenever personal data is entered in your Virtuagym portal(s).

If you are a data controller, you may find guidance related to your responsibilities under the GDPR by regularly checking the website of your national or lead data protection authority, by checking this website, or by following one of our other media channels, such as blogs, email and in-portal messaging.

 

Disclaimer - even though the information on this webpage is checked as well as possible in terms of its accuracy and how up-to-date it is, no rights can be derived from this webpage.