Version 1.5, November 2024
We are committed to safeguarding our product and protecting the personal data and confidential information we keep.
This document provides insight into our privacy and security practices. In line with this, we refer to companies that use Openli ApS (“Openli” or “we,” “us,” “our”) as "you" and "your."
This document is publicly available on our website and shared with our employees, including temporary workers and contractors.
As part of our ongoing commitment to maintaining high data security and operational reliability, Openli is SOC 2 Type 1 certified and is pursuing SOC 2 Type 2 compliance. Our first SOC 2 Type 2 report is expected by December 2024, which will provide further assurance of our operational effectiveness over time.
We operate a compliance platform for the use by companies.
Our mission is to help companies with various parts of GDPR compliance and vendor compliance management, and to build trust and transparency in the digital landscape.
Our services are focused on the Openli Privacy Hub, where we provide services for companies to easily collect data from their vendors, collect consents from users and generate the record of processing activities (RoPA/Art. 30).
Companies can use our services through our SaaS platform available at www.openli.com.
We have a Director of Privacy to oversee our data privacy and data protection efforts and lead our compliance program to ensure that it is up to date and compliant.
If you have questions about the data processing activities that we carry out on your company’s behalf, you’re most welcome to contact us at privacy@openli.com.
We have a highly skilled security team tasked with maintaining and enhancing our SOC 2 Type 2 compliance. The team ensures that our data protection and information security practices meet SOC 2 standards, focusing on continuous improvement and regular SOC 2 Type 2 audits.
Our CPO takes on the role of Chief Information Security Officer and leads our security team.
Our security policies and supporting documents form the basis of our information security framework. These are regularly reviewed and updated to align with internationally recognized standards, including SOC 2 Type 1 compliance, with ongoing enhancements to meet SOC 2 Type 2 requirements.
The goal of our Information Security Policy is to protect all the data we retain and process.
We align our practices with ISO 27001, ISO 27002, ISO 27018, and ISO 27701, and adhere to the SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality. These principles govern our controls for logical access, change management, incident response, and data classification.
We also complete the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) and the Vendor Security Alliance (VSA) Questionnaire.
Our Information Security Policy aligns with current international regulatory and industry best-practice guidance, including SOC 2 trust services criteria. Our security program is designed around the SOC 2 framework, focusing on security, availability, and confidentiality to protect all data we retain and process.
Further details of our Information Security Policy are confidential.
In the event of a data incident, we have a documented policy and firm processes to guide our actions, as well as a Data Incident Response Team to handle the incident and a Data Incident Registry where we log forensics records, sequence of actions and decisions taken to analyze, mitigate and communicate an incident.
Aligned with SOC 2 requirements, we maintain a robust Data Incident Policy that includes:
You can request a copy of the policy by emailing privacy@openli.com.
We comply with the GDPR and will notify you by email should we become aware of a data breach that affects you and requires notification. An email will be sent to the email addresses registered in our product or as contact persons for your subscription with us. Feel free to email privacy@openli.com if you wish to receive such alerts to other email addresses.
Our Business Continuity Policy, structured around SOC 2 availability criteria, ensures the continuity and timely recovery of our critical business processes and services. This policy forms a core part of our SOC 2 compliance, ensuring operational resilience and robust recovery capabilities.
Our continuity and recovery plans are based on a business impact analysis that we review on an annual basis.
Our product is hosted in a proven PaaS infrastructure, Heroku, which is managed according to SOC 2 security and availability criteria. Our data centers employ state-of-the-art security measures to comply with SOC 2 standards, ensuring the protection and availability of your data.
As a principle, all our processors and sub-processors are Software as a Service (SaaS). This gives us multiple advantages in the event of an incident or disaster, such as letting our teams work from anywhere and allowing us to replace a (sub-)processor that is causing issues much faster.
We review our Business Continuity Policy annually and our most recent review showed no critical areas of risk.
Our Business Continuity Policy incorporates requirements from our SOC 2 compliance efforts, ensuring high availability and fault tolerance.
Further details of our Business Continuity Policy are confidential.
As our customer, your use of our services is governed by a Service Subscription Agreement and a Data Processing Agreement.
Our Service Subscription Agreement sets out the rights and obligations for you and for us, including our obligation to keep your information and data confidential and thoroughly protected.
Our Data Protection Agreement is described in section 5.1.
We expect those who use our product or do business with us to make decisions that reflect strong ethics and are consistent with our values. We therefore require our employees, sub-processors and processors, and business partners to adhere to the principles set out in our Code of Conduct.
As set out in our Code of Conduct, we’re committed to maintaining a high ethical standard, and we require that our employees and business partners comply with all the relevant anti-corruption laws of the countries that we do business in.
All of our employees need to know what they can and cannot do when handling confidential information and personal data. In addition to their obligation to follow our Code of Conduct, our employees must observe strict confidentiality with regard to our affairs. This requirement is included in all of our employment contracts and in our Code of Conduct.
The obligation of confidentiality includes not only our activities, but also extends to relationships with businesses and customers. It continues to apply after termination of the employment contract.
If a staff member breaches their confidentiality obligations, intentionally or negligently, we consider it a material breach of their employment contract that can result in disciplinary action, including termination or immediate dismissal.
As part of our recruitment process for hiring new employees, we carry out reference checks where relevant. As a default, we do not perform any criminal or credit checks, but we may choose to do so for specific roles.
Our new employees go through a new hire program that includes education and training about how to protect and handle information. New hires learn about our commitment to information security and data privacy, our Code of Conduct, and our requirements for protecting and safeguarding information.
In addition to upholding their employment contract, our employees must read and comply with our Code of Conduct.
When employees leave us, we revoke their access to our services in a timely manner. For more information about this, please see section 7.2.
We use the terms “data controller”, “processor” and “sub-processor” below. The terms are defined in Article 28 of the EU’s General Data Protection Regulation (“GDPR”), where the data controller and the processor, and the processor and the sub-processor, are required to have a “data processing agreement” (“DPA”) in place that documents the data processing activities being carried out.
Our Data Processing Agreement (DPA) is crafted to meet GDPR requirements. You can find a copy of our DPA on our website here. We recommend that you keep a copy of our DPA on file in case you need to show that you comply with Article 28 of the GDPR. If you need a signed copy of our DPA, you can request this on our website or send us an email at privacy@openli.com and include the following information:
We consider any data relating to an identified or identifiable person as “personal data”; examples:
We do not process sensitive data or special categories of data.
When we build products, Privacy by Design is part of our development process, so we ensure that we have a legitimate purpose when we process specific personal data, limit our processing of data, and retain data securely and only for as long as the purpose justifies.
For details on the personal data we keep, and why and how we and our processors and sub-processors retain and delete this data, please see Section 5.4 and 5.5.
We use specialized companies to assist us with delivering our services to you, such as providing our data centers. Pursuant to the GDPR, these companies are, depending on our own role, called “processors” or “sub-processors”.
Before we engage a processor or a sub-processor, we perform a thorough security and privacy risk assessment of the company’s services. The risk assessment aligns with the Data Protection Impact Assessment (“DPIA”) process and is a requirement of the GDPR. As part of this process, we evaluate the company’s privacy and security practices, we carry out a risk assessment of the personal data that we would be sharing with the company, and we review the company’s DPA. We follow this process to determine whether the company is competent to process personal data in line with the legislation and meets our requirements and standards. We will only share personal data of your users with a company provided that these requirements are in place.
We monitor the performance and applicability of our processors and sub-processors on an ongoing basis, and we review the DPIA’s on an annual basis. We may find it necessary to add or replace a company as a processor or sub-processor, and if we do, we will notify you through the email we have registered as the owner of your account. Feel free to email privacy@openli.com if you wish to receive such notification also to other email addresses.
When we stop using a company as a processor or sub-processor, we will remove the company from our product and infrastructure, and we will request the deletion of all personal data about you and your users retained by the company.
Data to and from our processors and sub-processors is encrypted in transit, and to safeguard the traffic between our users and our product, all web communication uses at least 128-bit encryption. All of our websites use TLS 1.2, and we only accept data sent via web submissions over HTTPS.
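The floor stated above (TLS 1.2 or newer, at least 128-bit encryption, on both the customer-facing side and the traffic to processors) can be expressed and audited in a few lines. The following is an added example written for this document, not Openli's own code; the cipher-list string and the certificate paths are assumptions, and the audit only inspects a local ssl context, it does not connect anywhere.

```python
import ssl

# Floor stated in the document: TLS 1.2 or newer, 128-bit symmetric encryption as minimum.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
MIN_CIPHER_BITS = 128

# Assumed OpenSSL cipher-list for this example: 128-bit-or-stronger suites only, no anonymous,
# NULL, RC4, 3DES or export ciphers. OpenSSL adds the TLS 1.3 suites regardless of this list.
STRONG_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!LOW:!EXPORT"


def build_server_context(certfile=None, keyfile=None):
    """Inbound side (users -> product): a server context that enforces the floor.
    certfile/keyfile are optional placeholders so the context can be built without files."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS_VERSION
    ctx.set_ciphers(STRONG_CIPHERS)
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def build_client_context():
    """Outbound side (product -> processors and sub-processors): same floor, plus
    certificate and hostname verification, which create_default_context() turns on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS_VERSION
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def build_legacy_context():
    """The weak counterpart an older deployment might still carry: TLS 1.0 explicitly allowed.
    Returns None where the local OpenSSL build refuses to enable TLS 1.0 at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ValueError, ssl.SSLError):
        return None
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context meets the stated floor."""
    findings = []
    # TLSVersion is an IntEnum, so versions compare numerically (MINIMUM_SUPPORTED is -2).
    if ctx.minimum_version < MIN_TLS_VERSION:
        findings.append(f"minimum_version {ctx.minimum_version.name} is below TLSv1_2")
    # get_ciphers() reports the negotiable suites with their symmetric key strength in bits.
    weak = [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < MIN_CIPHER_BITS]
    if weak:
        findings.append("ciphers below 128 bits enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("server", build_server_context()),
                       ("client", build_client_context()),
                       ("legacy", build_legacy_context())):
        if ctx is None:
            print(f"{label}: TLS 1.0 cannot be enabled on this OpenSSL build")
            continue
        print(f"{label}: {audit_context(ctx) or 'meets floor'}")
```

The audit runs against the context object rather than a live endpoint, so it fits into a unit test or a deployment check before the service is started; a finding on the legacy context is the expected result on builds that still permit TLS 1.0.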
Access to our processors and sub-processors is protected by secure multi-factor authentication. We operate on principles of least privilege first, which means that access is limited to those of our employees who have a genuine work-related need, which we monitor continuously.
We secure the emails we send through our product with TLS 1.2, SPF and DKIM. If the receiving email server doesn’t support TLS, we automatically use the next most secure protocol supported by the receiving email server.
When you share personal data about your users with us, your company acts as data controller and we act as processor.
We process this data solely on your behalf, and we use the data solely for the purpose of providing our services to you. We kindly ask you to limit the data shared to what is needed for you to use our product. Please never share sensitive and special category personal data with us.
Please note that our basic functionality does not require you to share such personal data with us; the only data you would need to share is an identifier that, to us, is anonymous in nature. However, some of our more advanced functionalities, such as double opt-in or marketing consent, require you to share personal data about your users, e.g. the user’s email address.
When one of your users provides or retracts consent for specific purposes through one of the integrations we make available to you, we capture evidence of the consent. You can see the data we include in the consent evidence here. If you do not request us to delete a consent evidence record, we will retain it for as long as you retain your account with us.
Should you use our consent widgets, we will automatically capture the IP address of the user as part of the consent evidence.
Should you choose to upload files with existing consents to our product, our product will import the consents to your account and immediately delete the uploaded files.
We comply with Data Subject Rights (aka “the rights of the individual”) pursuant to the GDPR and similar legislation.
Should we receive a request from one of your users to exercise one or more of their rights, e.g. their right to information or their right to be deleted, we will refer the request to you.
To help you in responding to such requests, we provide you with the option to download or delete any consent evidence that your users have provided. To initiate this, please write to privacy@openli.com and we will be happy to assist. We will provide downloaded data in a machine-readable format.
Please note that once one of your users has been deleted, it may take up to ninety (90) days before the data is deleted from all parts of our systems, including our sub-processors, our technical logs and our backups.
You can see the list of the sub-processors we use to process personal data about your users here.
Individuals who use our product are referred to as “employees”. When you, as an employee, share personal data about yourself, we act as a data controller.
We process your personal data for the purpose of providing the various functionalities of our product to you, enabling you to e.g. sign up for an account, sign in to the account, consent to cookies, give others access to your account, configure your account, review consent evidence, receive newsletters, receive transactional emails, and receive invoices.
Employees in your account are created, managed and deleted by you within our product. If you do not delete an employee, or have one of your colleagues do it, or ask us to delete it on your behalf, we will retain the employee for as long as you retain your account with us.
In our Privacy Policy, we set out what types of information we process as a data controller related to our website and product, including information about our cookies, and how we process personal data.
We comply with Data Subject Rights (aka “the rights of the individual”) pursuant to the GDPR and similar legislation.
Should you choose to exercise one or more of your rights, e.g. your right to information or your right to be deleted, you can log into our product and perform the required action yourself. Alternatively, you can email your request to us at privacy@openli.com, where we will process it with due respect for the timeliness required by the law. Should you contact us by email, your request must be about your own personal data. Like other companies, we have experienced requests where the email sender tries to trick us into providing or deleting personal data of another person. To avoid this, we reserve the right to ask for confirmation of your identity.
When you exercise your right to be deleted, we will delete your personal data unless you are, or have been, involved in contractual matters, compliance matters or similar with us. The reason is that other legislation requires us to keep your personal data in such situations.
When we delete your personal data, we will confirm the deletion to you by email, and we will register evidence of the deletion in our secure and limited access Deletion Log, and retain it for three (3) years after which it is automatically deleted.
Please note that once data has been deleted, it may take up to ninety (90) days before the data is deleted from all parts of our systems, including our processors, our technical logs and our backups.
Should you request us not to sell or resell your data, we will duly register and confirm your request, however please note that we would not sell or resell your data in any case.
You can see the list of the processors we use to process personal data about you here.
We host our data centers with our processors and sub-processors; see Sections 5.4.2 and 5.5.2. We do not host any data center facilities ourselves.
Our data centers are highly secure and use state-of-the-art electronic surveillance, intrusion detection and multi-factor access control. Trained security guards patrol the data centers around the clock, and access is authorized strictly for those who have a genuine business need, following the principle of least privilege. The environmental systems are designed to minimize the impact of disruptions to operations.
Our proven PaaS infrastructure provides us with best practice in many areas, such as availability, scalability, security, customer data segregation, data input controls, protection against externally and internally generated attacks, and development process.
Operating systems, databases, and applications in our data centers have been hardened to reduce vulnerabilities and maximize their security.
Our data centers provide us with a synchronized time-service protocol to ensure all our functionalities have a common time reference.
Access to our data center services is protected by secure multi-factor authentication.
Temporary files are retained only for as long as they are needed, then deleted by means of automation.
We host our production environment, our staging environment and our test environment in our data centers, where we keep our production environment, and the data therein, strictly separate from the staging and test environments.
Our product provides a sandbox environment to customers for testing.
Our security framework is built to align with SOC 2 trust services criteria, with continuous assessments and enhancements to meet or exceed these standards. We integrate SOC 2 compliant practices in the development, reliability, and improvement of our product and services.
The physical security of our data centers is handled by our processors and sub-processors, and our databases are encrypted at rest with AES-256 block-level storage encryption.
We operate on principles of least privilege first, which means that access is limited to those of our employees who have a genuine work-related need. We monitor and align this continuously.
The backend infrastructure of our data centers is frequently recreated via code to ensure a lean and clean infrastructure that further enhances our immutable architecture.
We run an agile, dual-track software development lifecycle (SDLC) process. All software changes pass through a formalized code review process before being released into isolated environments. We test all changes to mobile code, which we limit to JavaScript, on all commonly used browser environments. Upon successful testing and quality assurance, and after removing any debugging and test code elements, the changes are promoted into production. We train new staff in our SDLC using peer training.
We maintain documentation of our key management process, and provide controls to manage encryption keys throughout their lifecycle and to protect against unauthorized use. With the exception of our API keys, which are owned and managed by our technical leadership, our keys are owned and managed by our processors and sub-processors.
We do not rely on outsourced development - all of our development is in-house.
We do not supply custom-built software to customers; we strictly limit our scope to our generic products.
We frequently conduct automated third party vulnerability scans and penetration tests of our products. You can request a copy of the most recent vulnerability scan and penetration test by emailing privacy@openli.com.
You are welcome to conduct your own security scans and penetration tests of our services, as long as these are of a non-malicious nature and you ask us for pre-approval. We need the pre-approval solely because your scans and tests could trigger monitoring anomalies on our side that we would like to react appropriately to. We also openly engage security researchers to challenge our services, identify vulnerabilities and report them to us so that we can address them. Please contact privacy@openli.com to initiate any such scan, test or research engagement.
Our adherence to SOC 2 criteria includes:
Heroku’s PaaS builds our backend infrastructure with code and follows infrastructure-as-code principles, which means that our infrastructure is frequently rebuilt to ensure that it’s always complete, lean and clean, with the benefit that we don’t need to use anti-virus or anti-malware software on the server instances of our data center.
We maintain a bill of materials of third party libraries and code used in our product.
We continuously monitor our infrastructure and product for errors so that we can detect and address these quickly.
We have a formal process for management and correction of vulnerabilities (bugs, quality issues, etc.). Vulnerabilities should be reported to hello@openli.com. When we have identified the vulnerability as legitimate and requiring remediation, we log it as an issue, prioritize it according to severity, assign an owner and address it according to priority. We track the vulnerabilities and we follow up frequently until we can verify that the vulnerability has been remediated.
Heroku uses automation to apply all security patches to their AWS infrastructure programmatically.
We use GitHub Dependabot to keep our code libraries up to date with all security patches.
We send our logs to our processors and sub-processors where they are aggregated, reviewed, and analyzed.
Our logs are confidential and unavailable outside our company.
Our logs are stored in a secure, tamper-proof manner and cannot be manipulated or changed.
We retain our logs for a maximum of ninety (90) days, after which the logs are automatically deleted.
Examples of activities we log are:
We use Heroku’s PGBackups to manage our database backups.
Our backup procedure includes, as a minimum, a daily full backup.
We perform backup recovery tests regularly.
Our backups are stored in a secure, tamper-proof manner, and cannot be manipulated or changed.
We retain our backups for a maximum of ninety (90) days, after which a backup is deleted.
You can access our product at https://app.openli.com.
Before you use our product, you need to accept our Terms of Service and Privacy Policy.
Once you have accepted, we will collect and process information about your use of our product.
Depending on your subscription with us, one or more of your employees may have been granted user access to work within our product. All of the employees will be granted the same rights.
You can log in to our business web portal using a native multi-factor authentication login, where our password policy aligns with the recommendations of the National Institute of Standards and Technology (NIST). We use bcrypt to hash the passwords.
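What "a password policy aligned with NIST" and "hashing with bcrypt" look like in code is shown by the added example below. It is written for this document and is not Openli's code: the blocklist and context words are constructed, and because bcrypt is not part of the Python standard library the example uses hashlib.scrypt as a stand-in for the salted, work-factor-tuned hash (same role, different algorithm). The policy checks follow NIST SP 800-63B section 5.1.1.2: length limits of 8 and 64 characters, no composition rules, NFKC normalization, and rejection of common, context-specific, repetitive and sequential values.

```python
import base64
import hashlib
import hmac
import secrets
import unicodedata

# Constructed stand-in for a list of breached and commonly used passwords.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein", "iloveyou"}
# Constructed context-specific words (service name, product name) that attackers try first.
CONTEXT_WORDS = {"openli", "privacyhub"}

MIN_LEN, MAX_LEN = 8, 64            # NIST: at least 8, allow at least 64
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Assumed scrypt work factors for this example; tune to the hardware so hashing costs ~100 ms.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def normalize(password: str) -> str:
    # NFKC so visually identical Unicode input (e.g. fullwidth letters) is treated identically.
    return unicodedata.normalize("NFKC", password)


def validate_password(password: str, username: str = "") -> list[str]:
    """Policy findings for a user-chosen password; an empty list means it is acceptable.
    Deliberately no composition rules (digits, symbols, case) and no expiry: NIST advises against both."""
    pw = normalize(password)
    lowered = pw.lower()
    findings = []
    if len(pw) < MIN_LEN:                       # length counted in code points, spaces allowed
        findings.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        findings.append(f"longer than {MAX_LEN} characters")
    if lowered in COMMON_PASSWORDS:
        findings.append("appears in the blocked common-password list")
    if any(word in lowered for word in CONTEXT_WORDS) or (username and username.lower() in lowered):
        findings.append("contains a context-specific word (service or user name)")
    if len(set(lowered)) == 1:
        findings.append("repetitive (single repeated character)")
    if any(lowered in seq or lowered in seq[::-1] for seq in SEQUENCES):
        findings.append("sequential characters")
    return findings


def hash_password(password: str) -> str:
    """Salted, memory-hard hash; the parameters travel with the hash so they can be raised later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), b64(salt), b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:
        return False                            # malformed record, never a match
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password", "Openli-rocks-2024", "abcdefghij"):
        print(f"{candidate!r}: {validate_password(candidate) or 'accepted'}")
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```

Validation runs on the normalized form and hashing does too, so a user typing the same password through a different input method still authenticates; the rate limiting and multi-factor step mentioned in the text sit in front of this check and are not part of the example.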
As part of your subscription, you may have access to data via our API. API access requires an API key and secret, which are unique to your company.
When you establish your configuration in our product, we recommend that you use separate projects for testing purposes, so you keep your production and test data segregated.
We log all user actions performed in our product. If needed, our administrators have the ability to deactivate a specific user.
One of our employees may need to access your account to assist you with setting it up, maintaining it, investigating support issues, etc. When this is needed, it will be captured in the audit trail of your account including the reason for access. You can request a copy of your account’s audit trail by emailing privacy@openli.com.
To stop your use of our product, please contact our Support team at success@openli.com, who will assist you in deleting your account.
When you request deletion of your account, all the data connected to the account will be deleted at the same time, including the consent evidence provided by your users. To avoid losing this data, you may choose to download your data in machine-readable form. To do so, please contact our Support team at success@openli.com, who will assist you.
Please note that once an account has been deleted, it may take up to ninety (90) days before the data is deleted from all parts of our systems, including our technical logs and backups.
Our IT team manages our internal accounts, password security, access to systems and data, and IT assets - covering both hardware and software.
All our employees are granted an individual @openli.com personal user account. We don’t allow any two employees to share or use the same personal user account.
Access permissions for individual services and user roles are granted from our role-based access control model using least privilege first principles and granted according to work-related needs. Before we grant access, the internal owner of the respective service must approve the assignment of access rights and roles. We require a segregation of duties between the person requesting access and the person approving.
In compliance with SOC 2 standards, access rights to our services and data are rigorously reviewed and adjusted (at least annually). Our procedures for access review and removal reflect SOC 2 requirements for access control and management, ensuring that access is limited to authorized personnel only.
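The three rules in the access procedure above (owner approval, segregation of duties between requester and approver, a stated work-related need) plus the annual review and the leaver revocation can be enforced as invariants rather than left to process. The following is an added example for this document, not Openli's tooling; the service catalogue, people and date are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Service:
    name: str
    owner: str            # internal owner who must approve every grant on this service
    roles: frozenset      # roles the service exposes


@dataclass(frozen=True)
class AccessRequest:
    requester: str
    service: str
    role: str
    justification: str    # the work-related need, stated by the requester


@dataclass(frozen=True)
class Grant:
    user: str
    service: str
    role: str
    approved_by: str
    granted_on: date


class AccessPolicyError(Exception):
    """Raised when an approval would violate the access policy."""


# Constructed catalogue and reference date for the example.
CATALOG = {
    "hosting-platform": Service("hosting-platform", owner="alice", roles=frozenset({"admin", "viewer"})),
    "support-console": Service("support-console", owner="carol", roles=frozenset({"agent"})),
}
TODAY = date(2024, 11, 1)


def policy_findings(request: AccessRequest, approver: str, catalog=CATALOG) -> list[str]:
    """Every reason the approval must be refused; an empty list means it may be granted."""
    svc = catalog.get(request.service)
    if svc is None:
        return [f"unknown service {request.service!r}"]
    findings = []
    if request.role not in svc.roles:
        findings.append(f"role {request.role!r} is not defined for {svc.name}")
    if approver != svc.owner:
        findings.append(f"only the service owner ({svc.owner}) may approve access to {svc.name}")
    if approver == request.requester:
        findings.append("segregation of duties: requester and approver must differ")
    if not request.justification.strip():
        findings.append("a work-related need must be stated")
    return findings


def approve(request: AccessRequest, approver: str, today: date = TODAY, catalog=CATALOG) -> Grant:
    """Issue a grant only when no policy rule is violated; otherwise refuse with all reasons."""
    findings = policy_findings(request, approver, catalog)
    if findings:
        raise AccessPolicyError("; ".join(findings))
    return Grant(request.requester, request.service, request.role, approver, today)


def grants_due_for_review(grants, today: date = TODAY, max_age_days: int = 365):
    """Grants that have passed the review interval (the text states at least annual review)."""
    return [g for g in grants if (today - g.granted_on).days >= max_age_days]


def offboard(grants, user: str):
    """Leaver handling: drop every grant held by the departing user, across all services."""
    return [g for g in grants if g.user != user]


if __name__ == "__main__":
    req = AccessRequest("bob", "hosting-platform", "viewer", "investigating a support ticket")
    grant = approve(req, "alice")
    print("granted:", grant)
    try:
        approve(AccessRequest("alice", "hosting-platform", "admin", "maintenance"), "alice")
    except AccessPolicyError as exc:
        print("refused:", exc)
```

Because the owner check and the requester/approver check are independent, an owner who requests access to their own service is refused on the segregation rule alone, which is the case a manual process most often lets through.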
When a staff member leaves, their user accounts are immediately disabled and, once they are no longer subject to other legal requirements, deleted. Any information security and legal responsibilities held by the staff member remain valid after they leave our employment.
All internal user accounts are protected with a password which must meet the rules described in our password policy that aligns with the recommendations of the National Institute of Standards and Technology (NIST).
We use Google as our internal identity directory, where we have enforced multi-factor authentication. We only grant access to authorized employees with a work-related need.
We rely on the principle of “working from anywhere”, where our staff are free to work from wherever they are located.
Our office networks therefore do not provide any protection or security specific to our product, and our product considers our office networks as any Internet connected network.
To enable this, no application or file storage services are provided by our office networks, and we instead make use of our processors and sub-processors, that can all be accessed securely from anywhere.
We broadly define our network equipment, stationary devices, mobile devices, software, and removable media as IT assets.
We identify, register, and assign owners for all our IT assets.
All our devices are configured to automatically install software updates, security patches and firmware upgrades.
Our IT team ensures that disk encryption, screen lock timeout, and virus and malware detection and protection software are enabled on all devices that we use to access our technical environment.
Our employees are instructed not to carry out unauthorized downloads, store or share personal data, copyrighted or intellectual property material, or install or run unauthorized, untested, or unlicensed software without prior approval from our Director of Privacy.
After use, our devices and other hardware are recycled. Our IT team collects and dismantles everything, including wiping hard drives.
As a general rule, we don’t use removable digital media such as USB drives, DVDs, or portable hard drives to store personal or confidential information. In special situations where we cannot avoid doing so, we require that it is done under the supervision of our IT team, who ensure that the media is appropriately wiped before and after use.
Our office cannot be accessed directly from the street, and entry into our office requires a keycard or similar.
We maintain a paper-free environment and documents are not printed unless necessary. We do not unnecessarily retain paper documents.
When disposed of, all paper documents containing personal data are shredded.
We have a clean desk policy and data is not stored on on-premise media.
Openli ApS was established in 2018 by our three founders, and is located in Copenhagen. Our company registration number is 39587408.
If you have any questions or concerns about our privacy or security practices, you’re welcome to send an email to our Director of Privacy at privacy@openli.com.