Privacy and security
Organizations and companies have a legal obligation to handle the data available to them with care. Good and responsible handling of personal data is an essential element of a relationship of trust between the customer and the organization. In the information systems, extra attention was given to privacy-enhancing measures by which careful and responsible use of personal data is technically enforced.
Purpose of processing personal data
The objective of 24ID Check is to capture and verify an identity for the purpose of entering into an agreement and/or a transaction, for the period that the agreement or transaction lasts. No copies of ID documents in circulation, but a digital file in which the individual can inspect and manage his or her own personal data. In addition, staff members of the organizations and/or companies to which the personal data is provided have limited access to the personal data.
Handling personal data
24ID Check processes personal data only if the person concerned has, directly or indirectly, given permission for it. The person is informed in advance, directly or indirectly, of the purpose of the processing of personal data. 24ID Check will record, store and manage personal data only for the purpose for which it was collected. Biometric personal data will not be saved. The Responsible organisation and/or company with which the agreement or transaction was made has notified the Dutch Data Protection Authority as meant in article 27 of the Personal Data Protection Act.
Personal data will only be processed when this is consistent with the purpose for which it was collected. 24ID Check processes, among others, the following particulars:
Date of birth
Address and place of residence
Country of birth
Number and type of ID
Telephone and email data
After digitization of the ID card, authentication takes place. The BSN number (Dutch citizen service number) is checked and shielded, not saved. The obtained data can be verified and enriched with external data sources. Data traffic uses web services over a secure VPN connection. All images and information are encrypted and stored separately. Data storage is covered by certified information security (ISO 27001). Limited general account information is visible in transactions.
Access and correction
Every person can access and manage his or her personal data through a personal login. If a person believes that data concerning him or her is factually incorrect, irrelevant for the purpose of the registration, incomplete, or recorded in contravention of this regulation or the data protection act, a request for modification or deletion can be submitted to 24ID Check.
24ID Check gives access to a complete dossier only in case of:
Non-Payment
Unlawful entry into
Request of investigative authorities and insurance company
Applicable privacy laws
The applicable privacy laws are the European Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("the directive") and the Personal Data Protection Act of 6 July 2000, laying down the rules for the protection of personal data ("the WBP").
Processing of data
Any act or set of acts related to personal information as described in art. 1 sub b WBP.
24ID Check processes personal data for organisations or companies, in accordance with their instructions and under their responsibility. 24ID Check will extract the files in order to process personal data, including checking and saving this data in accordance with applicable guidelines. Files will not be used by 24ID Check for commercial purposes. 24ID Check has no control over the purpose and means of the processing of personal data. The responsible company or organization is responsible for the use of the data, the provision to third parties and the duration of the storage of the data. 24ID Check may disclose personal data that must be disclosed as a result of a legal obligation on 24ID Check or by order of a court or administrative authority, provided that 24ID Check informs the Responsible in writing as soon as possible
(a) of the existence of this obligation,
(b) of all procedures that are in progress or are expected to be started and that can lead to such an order, and
(c) of the receipt of such an order, but in each case before the actual disclosure under such an order or legal obligation, to enable the Responsible to take all necessary measures to prevent or limit the disclosure under such an order or legal obligation.
Secure connections SSL
Authentication / Login
Users authenticate themselves by means of their e-mail address and a password.
Before any data is provided, the user must authenticate in all cases.
The passwords of users are stored encrypted by means of a 24 1-way hashing in combination with salts, so that they can be used only to verify the login data and can never be traced back to their original value.
Storage of privacy-sensitive information
The application provides a setting by which the BSN number is shielded by default.
Images of ID documents are provided with a 24ID Check watermark.
The module that contains images of ID documents is only visible to users who, on the basis of their assigned role, are entitled to access the requested data.
All access and actions relating to the 24ID Check accounts are stored in an audit log.
Access to the data in the backend is given only via the 24ID Check web interfaces.
Only users who have been granted sufficient rights on the basis of their role gain access to the requested data.
Web application security
The application is protected against cross-site vulnerabilities such as XSS and CSRF.
All user input is explicitly filtered as protection against vulnerabilities such as SQL injection.
Session cookies are encrypted to protect against session hijacking and marked.
Terminal client security
All document data collected by the 24ID Check software on the terminal/workplace is destroyed after forwarding to the 24ID Check backend.
All communication with the backend runs exclusively over a 24ID Check VPN specifically designed for the 24ID Check software.
Security measures with respect to the application
24ID Check has taken the following technical measures to ensure the security and confidentiality of data housed in the 24ID Check application.
Only employees of the client and 24ID Check have access to the data stored on the systems of 24ID Check. Through a users-and-rights system, the client (in the form of the appropriate and competent contributor) can grant and withdraw access rights on specific parts.
Employees of 24ID Check do not have access to data of the client, unless by virtue of their function they need access to answer questions of the client or to manage the relevant systems.
Access to the system is only possible with a combination of username and password.
Full administrative privileges of the systems are issued only to three people.
Access to data without logging in is not possible, nor is inspection of data that does not belong to the accounts of the client.
The servers are housed in data centers of 24ID Check in which extended access control is implemented, whereby only authorized persons have physical access to the server areas.
These server areas are monitored 24 x 7 and only authorized persons get access to these spaces (after identification with fingerprints).
All system passwords are stored encrypted using 128-bit AES (Rijndael) encryption.
Employees do not have access to this key.
The password management system has an extensive access control list.
Only employees who, by virtue of their function, need management access to network devices and physical servers can see the passwords.
All passwords of accounts of the management systems are at least 20 random characters and are stored encrypted.
Access is governed by Kerberos authentication and the previously discussed access control list. Access is only possible from the office location (employees in the office) or via VPN (employees in the field).
Where possible, access is limited to office hours.
Within the server rooms, 24ID Check's servers are housed in closed 19-inch racks. These racks contain only equipment of 24ID Check.
No colocation racks for third parties access to the activities promoted.
A limited number of employees of 24ID Check have access to the server racks, where it is necessary by virtue of their function to have physical access to the systems.
The Executive Board of 24ID Check may at any time decide to deny someone access with immediate effect and confirm this by means of a simple act.
All systems are separated from the Internet by means of a hardware firewall.
The management of the firewall is limited to senior level employees.
Backups are stored on backup servers that are not linked directly to the internet.
All backups are geographically dispersed across multiple data centers through an encrypted connection.