Privacy and security

Organizations and companies are legally obliged to deal carefully with the data they have available. Good and responsible handling of personal data is an essential element of a relationship of trust between the customer and the organization. In the information systems, extra attention has been given to privacy-enhancing measures that technically enforce careful and responsible use of personal data.

 

 

Purpose of processing personal data

The objective of 24ID Check is to capture and check an identity for the purpose of entering into an agreement and/or a transaction, for the period that the agreement or transaction lasts. No loose copies of ID documents in circulation, but a digital file in which the individual can inspect and manage his or her own personal data. In addition, staff members of the organizations and/or companies to which the personal data is provided have only limited access to it.

 

Handling personal data

24ID Check processes personal data only if the person concerned has, directly or indirectly, given permission for it. The person is informed in advance, directly or indirectly, of the purpose of the processing of personal data. 24ID Check will record, store and manage personal data only for the purpose for which it was collected. Biometric personal data will not be saved. The Responsible organisation and/or company with which the agreement or transaction was made has notified the Dutch Data Protection Authority as meant in article 27 of the Personal Data Protection Act.


Captured data

Personal data will only be processed when this is consistent with the purpose for which it was collected. 24ID Check processes, among others, the following particulars:

Name
Date of birth
Address and place of residence
Country of birth
Number and type of ID
Gender
Nationality
Telephone and email data


The Process

After the ID document is digitized, authentication takes place. The BSN number is checked and shielded, not saved. The obtained data can be verified and enriched with external data sources. Data traffic runs via web services over a secure VPN connection. All images and information are encrypted and stored separately. Data is stored under certified ISO 27001 information security. Only limited general account information is visible in transactions.

Access and correction

Every person can access and manage his or her personal data through a personal login. If a person believes that data about him or her is factually incorrect, irrelevant for the purpose of the registration, incomplete, or recorded in contravention of this regulation or the data protection act, a request for modification or deletion can be submitted to 24ID Check.

Access

24ID Check gives access to a complete dossier only in case of:

Non-Payment
Damage
Fraud
Theft
Unlawful entry into
Identity Theft
Identity Fraud
Request of investigative authorities and insurance company


Applicable privacy laws

The applicable privacy laws are the European Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("the directive") and the Personal Data Protection Act of 6 July 2000, laying down the rules for the protection of personal data ("the WBP").

Processing of data

Any act or set of acts related to personal information as described in art. 1 sub b WBP.

Responsibility

24ID Check processes personal data for organisations or companies, in accordance with their instructions and under their responsibility. 24ID Check will read out the files in order to process the personal data, including checking and saving this data in accordance with applicable guidelines. The files will not be used by 24ID Check for commercial purposes. 24ID Check has no control over the purpose and means of the processing of personal data. The responsible company or organization is responsible for the use of the data, the provision to third parties and the duration of the storage of the data. 24ID Check may disclose personal data where it is required to do so by a legal obligation or by order of a court or administrative authority, provided that 24ID Check informs the Responsible in writing as soon as possible:

(a) of the existence of this obligation,
(b) of all procedures that have been started or are expected to be started and that can lead to such an order, and
(c) of the receipt of such an order, in each case before the actual disclosure under such an order or legal obligation, to enable the Responsible to take all necessary measures to prevent or limit the disclosure under such an order or legal obligation.


Secure connections SSL

All traffic between the 24ID Check terminal/workstation and the 24ID Check application is encrypted by SSL, so that no sensitive information can be revealed from network traffic that may be intercepted.

Authentication / Login

Users authenticate themselves by means of their e-mail address and a password.
In all cases, users must authenticate themselves before data is provided to them.
The passwords of users are stored encrypted by means of a 24 1-way hashing in combination with salts, so that they can only be used to verify the login data and can never be traced back to their original value.

Storage privacy-sensitive information

The application provides a setting that screens the BSN number by default.
Images of ID documents are provided with a 24ID Check watermark.
The module that contains images of ID documents is only visible to users who, on the basis of their assigned role, are entitled to access the requested data.
All access and actions relating to the 24ID Check accounts are stored in an audit log.
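
An added illustration (not 24ID Check's own code) of the BSN handling described under "The Process" and in the screening setting above: the number is checked, displayed masked by default, and left out of the record that is stored. It assumes the check is the standard 11-test for BSNs; the function names, record fields and sample scan are constructed for this example.

```python
import re

# Weights of the standard Dutch "11-test" for a 9-digit BSN (assumed check).
BSN_WEIGHTS = (9, 8, 7, 6, 5, 4, 3, 2, -1)


def normalize_bsn(raw):
    """Return the BSN as 9 digits, or None if it is not 8-9 digits."""
    digits = re.sub(r"[\s.\-]", "", raw or "")
    if not re.fullmatch(r"\d{8,9}", digits):
        return None
    return digits.zfill(9)  # older 8-digit numbers get a leading zero


def bsn_is_valid(raw):
    """Checksum check: the weighted digit sum must be a multiple of 11."""
    digits = normalize_bsn(raw)
    if digits is None or digits == "000000000":
        return False
    total = sum(int(d) * w for d, w in zip(digits, BSN_WEIGHTS))
    return total % 11 == 0


def display_bsn(raw, screening_enabled=True):
    """Value shown in the UI; with screening on, no digit is revealed."""
    digits = normalize_bsn(raw)
    if digits is None:
        return "[unreadable]"
    return "*" * 9 if screening_enabled else digits


def to_stored_record(scan):
    """Record to persist: the BSN is checked, then dropped, never stored."""
    stored = {k: v for k, v in scan.items() if k != "bsn"}
    stored["bsn_check_passed"] = bsn_is_valid(scan.get("bsn"))
    return stored


# Constructed sample scan; 111222333 is a made-up number that passes the test.
SAMPLE_SCAN = {"name": "J. Jansen", "id_type": "passport", "bsn": "1112.22.333"}

if __name__ == "__main__":
    print(display_bsn(SAMPLE_SCAN["bsn"]))
    print(to_stored_record(SAMPLE_SCAN))
```

Only the outcome of the check reaches storage, so a later database leak or an over-broad role cannot expose the number itself.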

Authorization

Access to the data in the backend is given only via the 24ID Check web interfaces.
Only users who have been granted sufficient rights on the basis of their role gain access to the requested data.

Security of the web application

The application is protected against cross-site vulnerabilities such as XSS and CSRF.
All user input is explicitly filtered as protection against vulnerabilities like SQL injection.
Session cookies are encrypted and marked to protect against session hijacking.

Security of the terminal client

All document data collected by the 24ID Check software on the terminal/workstation is destroyed after being forwarded to the 24ID Check backend.
All communication with the backend runs exclusively over a 24ID Check VPN designed specifically for the 24ID Check software.

Security measures with respect to the application

24ID Check has taken the following technical measures to ensure the security and confidentiality of the data housed in the 24ID Check application.

Organizational

Only employees of the client and 24ID Check have access to the data which is stored on the systems of 24ID Check. Through a user and rights system, the client (in the person of the appropriate, authorized employee) can grant and withdraw access rights to specific parts.
Employees of 24ID Check do not have access to data from the client unless, by virtue of their function, they need this access to answer questions from the client or to manage the relevant systems.


Technical

Access

Access to the system is only possible with a combination of username and password.
Full administrative privileges on the systems are issued to only three people.
Access to data without logging in is not possible, nor is inspection of data that does not belong to the client's accounts.
The servers are housed in 24ID Check data centers with extended access control, whereby only authorized persons have physical access to the server areas.
These server areas are monitored 24 x 7, and only authorized persons get access to them (after identification with fingerprints).

Employees

All system passwords are stored encrypted using 128-bit AES (Rijndael) encryption.
Employees do not have access to this key.
The password management system has an extensive access control list.
Only employees who, by virtue of their function, need management access to network devices and physical servers can see the passwords.
All passwords of accounts of the management systems are at least 20 random characters and are stored encrypted.
Access is controlled by Kerberos authentication and the access control list discussed above. Access is only possible from the office location (employees in the office) or via VPN (employees in the field).
Where possible, access is limited to office hours.

Servers

24ID Check's servers are housed within the server rooms in closed 19-inch racks. These racks contain only 24ID Check equipment.
No colocation racks to which third parties have access are used.
A limited number of 24ID Check employees have access to the server racks, where their function requires physical access to the systems.
The Executive Board of 24ID Check may at any time decide to deny someone access with immediate effect and confirm this by means of a simple act.

Firewall

All systems are separated from the Internet by means of a hardware firewall. 
The management of the firewall is limited to senior level employees.
Backups are stored on backup servers which are not linked directly to the internet.
All backups are made through an encrypted connection and are geographically dispersed across multiple data centers.