Security Statement ROI Institute Europe
ROI Institute Europe is an independent research company specialized in measuring the behavior and performance of people and organizations. The services ROI Institute Europe offers encompass the design, management and support of evaluations of learning impact, performance (competencies), learning outcomes and reactions to development or change programs. Among our services is an evaluation application called NavigatorWeb. The application makes use of various IT components such as hardware, operating software and networks.
In line with the core activities of ROI Institute Europe and the technologies applied, services are delivered in a networked organizational structure. ROI Institute Europe holds prime responsibility and acts as service manager for agreed contracts; development and maintenance of the application, and management of the technical infrastructure, are outsourced respectively to:
- Sogyo B.V. (Utrechtseweg 301, 3731 GA De Bilt, tel. 030 220 2216; sogyo.nl);
- NDI ICT Solutions (Strawinskylaan 203, 1077 XX Amsterdam, tel. 088-0884310; ndi.nl).
Ever since the design, development and deployment of the application, the “Code voor Informatiebeveiliging” (the Dutch version of British Standard 7799, which later evolved into ISO/IEC 17799) has been adopted by ROI Institute Europe as the guiding principles for information security. The “Code voor Informatiebeveiliging” nowadays consists of two parts: a norm (NEN ISO 27001) and a ‘code of practice’ (NEN ISO 27002). In this respect, all elements of business continuity were taken care of, partially covered by Service Level Agreements with suppliers and complemented by security checks by the vtSPN (formerly the IT division of the KLPD, the Dutch Police).
We take our users’ security and privacy concerns seriously and strive to ensure that user data is handled securely. This Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected. Visit our Privacy Statement for more information on data handling.
- User data in our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on;
- Participants and respondents on surveys receive e-mails with unique links to their personal survey;
- Personal reports with results are sent directly to participants. Only with the participant's permission can the report also be sent to their supervisor;
- Organizations only get insight into (anonymized) average results of groups of employees;
- All ROI Institute Europe user data is stored on servers located in the Netherlands;
- The datacenter where the physical infrastructure is hosted has been SOC2 audited by EY and holds certificates for ISO/IEC 27001 Information Security Management & ISO 22301 Business Continuity Management;
- ROI Institute Europe uses Transport Layer Security (TLS) encryption (also known as HTTPS) for all transmitted data. Our services are hosted by trusted data centers that are independently audited using the industry standard SSAE-16 method.
Organizational & Administrative Security
- ROI Institute Europe has adopted and applied the “Code voor Informatiebeveiliging” since the design, development and deployment of the application (early 2005);
- ROI Institute Europe conforms to and is bound by the NIP code (the code of professional standards for psychologists issued by the Nederlands Instituut van Psychologen (NIP));
- Every employee and contractor signs and is held to a ‘statement of confidentiality’ prohibiting the sharing of confidential information other than as agreed with the customer;
- ROI Institute Europe contracts suppliers (i.e. Sogyo and NDI) based on Service Level Agreements containing arrangements referring to incident handling, continuity, contingency, resilience and confidentiality;
- At the level of the technical infrastructure, the security performance indicators are recorded in the Service Level Agreement with NDI and are monitored monthly as part of the maintenance report cycle. This maintenance report includes several indicators for the health and manageability of the system, covering the operating system, database and network, as well as operational forecasting for indicators such as disk usage and performance. The maintenance report also includes ticketing information about incidents and problems as well as change requests.
Handling of Security Breaches
Despite our best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if ROI Institute Europe learns of a security breach, we will notify the affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under applicable state and federal laws and regulations, as well as any industry rules or standards that we adhere to. Notification procedures include sending e-mail notices or posting a notice on our website if a breach occurs.
Keeping your data secure also depends on you maintaining the security of your own e-mail. You should ensure that you have sufficient security on your own systems to keep any survey data and reports you receive by e-mail away from prying eyes.
Questions regarding this statement may be sent to our helpdesk: firstname.lastname@example.org.
Klaas Toes, Groenekan, January 19, 2018