
Frequently Asked Questions regarding Data Security

Back to Sympa's Trust Centre

 

Is Sympa's HR Service GDPR compliant?

Yes. Sympa's HR Service is fully GDPR compliant. 

 

Does Sympa enter into a Data Processing Agreement (DPA) with its customers?

Yes. Sympa enters into a DPA with its customers as required by the General Data Protection Regulation (GDPR). Typically the customer signs Sympa's DPA as part of signing Sympa's HR Service agreement.

 

Where can I find Sympa's Service Agreement and Data Processing Agreement?

Please contact one of our sales representatives.

 

Does Sympa transfer personal data outside of the European Union or the European Economic Area?

Please see the Cross-border data transfers page for information about personal data transfers.

 

Does Sympa use sub-processors for the processing of customers’ personal data?

Yes. Sympa uses trusted service providers and subcontractors to operate its business efficiently and to provide a high-quality, secure service. These providers, for example data security services and cloud services that host and maintain personal data on Sympa's behalf, act as Sympa's sub-processors when Sympa provides its service to customers. All of Sympa's sub-processors are contractually obliged to process personal data only on Sympa's instructions and to ensure the same level of protection for personal data as Sympa itself.

 

Does Sympa share customers' personal data with third parties?

Sympa does not disclose its customers' personal data to any third party unless required to do so by applicable legislation, or unless requested by the customer; in the latter case the validity and lawfulness of the disclosure is evaluated by the customer as data controller.

 

Do Sympa Oy and its subsidiaries have an intra-group Data Processing Agreement in place concerning the processing of customers' personal data?

Yes. Sympa Oy has signed a Data Processing Agreement with those Sympa group companies that may have access to customers' personal data. In that case, the group companies process customers' personal data solely for providing services in accordance with the service agreement between Sympa and the customer.

 

How does Sympa secure personal data?

See Sympa's data protection practices page.

 

How can I contact Sympa's Data Protection Officer?

Sympa’s Data Protection Officer can be reached via email at dpo@sympa.com.

 

Does Sympa act as a data controller in certain situations?

Yes. Sympa acts as a data controller when it processes the personal data of contact persons at Sympa's customers and prospective customers, website visitors, or other stakeholders such as Sympa's suppliers. Please see Sympa's Privacy Notice for further information about Sympa as a data controller.

In certain cases, Sympa may process personal data received from the customer as a controller, for example data concerning the customer's contact persons (support services, invoicing matters, etc.). In those cases Sympa processes the personal data for its own purposes.

 

Does Sympa seek personnel security clearance vetting of new employees?

Sympa does not seek personnel security clearance vetting of new employees from the Finnish Security and Intelligence Service, because Sympa does not employ roles that fall within the scope of the Finnish Security Clearance Act. However, Sympa does conduct security vetting measures during the recruitment process to assess possible security risks related to job candidates.

 

Have there been any prior lawsuits (in the last five years) to which Sympa was a party that involved allegations of privacy breaches, data breaches, or violations of laws governing data protection?

No.

 

Are there any current or pending lawsuits (including any complaints received that may eventually develop into litigation) to which Sympa is a party that involve allegations of privacy breaches, data breaches or violations of laws governing data protection?

No.

 

Is Sympa's HR Service ISO 27001 certified?

Yes. Sympa's information security management system was first certified against ISO 27001 in 2014 and has been continuously certified since then. The certification scope covers all operations and locations related to customer data.

You can find the certification here.

 

Is Sympa's HR Service ISO 9001 certified?

Yes, you can find the certification here.

 

Does Sympa have internal policies related to data protection?

Yes. Sympa has implemented the policies and procedures necessary to ensure compliance with applicable laws and regulations. Sympa's internal data protection policy defines how data protection requirements and practices are applied at Sympa. Sympa's information security policy sets out guidelines that adhere to the data security requirements defined in the GDPR. An internal review of these policies is conducted at least annually, and the results of such reviews are reported to the company's governing body/management committee.

 

Are all Sympa employees, sub-contractors and temporary workers with access to customers' personal data bound to confidentiality?

Yes.

 

Are all Sympa employees, sub-contractors and temporary workers with access to customers' personal data bound by the company's Information Security Procedures?

Yes.

 

Is personal data in Sympa's HR Service encrypted?

Yes. Sympa has implemented a strong encryption policy. All personal data is encrypted both in transit and at rest, and the encryption keys for customers' personal data are created, held and controlled by Sympa rather than by the customer.

 

Does Sympa have cyber insurance?

Yes.

 

Does Sympa conduct regular third-party reviews?

Yes. Sympa has penetration testing conducted annually by a specialised third-party partner.

 

Are information risks defined and reviewed regularly?

Yes. Sympa has implemented a risk-based approach, and risks are reviewed at least yearly.

 

Are assets classified and protected according to their information criticality?

Yes. Sympa's assets are assigned a classification level matching their business criticality, and protective measures appropriate to that level are applied.

 

Does Sympa maintain awareness of information security risks?

Yes. Sympa has a mandatory information security awareness programme that includes monthly activities for all employees.

 

Are endpoints equipped with specific protections?

Yes. Sympa's endpoints, including workstations, are equipped with an anti-malware solution.

 

Is Sympa’s network protected at the edges?

Yes. Sympa’s network is protected with firewalls at the edges.

 

Is segregation of duties implemented at Sympa?

Yes. Sympa's processes are designed so that the design, implementation and publication of changes each require approval from several responsible roles.

 

Does Sympa enforce a strict password policy?

Yes. Sympa's password policy requires a minimum length of 14 characters and the use of symbols, upper-case and lower-case letters, and numbers.

 

Does Sympa provide data protection training to its employees?

Sympa provides data protection awareness training during employee onboarding and to all employees on a regular basis thereafter. Sympa also offers more in-depth training for certain teams (e.g. product and development teams).