ANNEX 2: Service Level Agreement

Terms of Service - AssessFluence

Security Overview

ANNEX 1: Data Processing Agreement - AssessFluence

Sub-processors AssessFluence

GDPR

Data Security and Privacy Controls

Access Management, Encryption & Endpoint Security

Network Security & System Monitoring

Penetration Testing & Vulnerability Management

Application Security

Security Awareness

Reliability, Disaster Recovery & Incident Response

Data Privacy

Enhanced Security & Support

Security Governance

<h3><strong>We are Cloud Security Alliance - Star Level 1 compliant</strong></h3><p><a href="https://cloudsecurityalliance.org/star/registry/nextfluent-bv" target="_blank" rel="noopener noreferrer"><img class="image_resized" style="width:13.35%;" src="https://cloudsecurityalliance.org/assets/star/registry/STAR-Level-1-badge-f572686709b8f897f07df08ad760e0fe05f6fd523aff965a5b283e19d60247fa.svg"></a></p><h3><strong>1. Availability</strong></h3><h4>Will NextFluent AssessFluence be available all the time?</h4><p>NextFluent strives to maintain an uptime of 99.9%, and we use several services to monitor uptime and site availability. In case of downtime or emergency, our team receives real-time notifications, allowing us to act swiftly.</p><h4>What if something isn’t working?</h4><p>In the rare case that issues do arise, we’ll keep you updated at all times via email. We’ll do everything within our power to resolve the issue as soon as we can.</p><h3><strong>2. Security measures</strong></h3><h4><strong>Encrypting data in transit</strong></h4><p>All traffic to NextFluent AssessFluence passes through an SSL-encrypted connection, and we only accept traffic through port 443.<br>During a first web application visit, NextFluent AssessFluence sends a Strict Transport Security Header (HSTS) to the user agent, ensuring that all future requests will be made via HTTPS. Even if a link to NextFluent AssessFluence is specified as HTTP.</p><h4><strong>Encrypting data at rest</strong></h4><p>All data stored on NextFluent’s systems is encrypted at rest. Information stored in our database systems or on our file systems is encrypted using the industry standard AES-256 encryption algorithm. Google Cloud stores and manages data cryptography keys in its redundant and globally distributed Key Management Service.<br>This means that even if an intruder were ever able to access any of the physical storage devices, the data contained therein would still be impossible to decrypt without the keys, rendering the information useless.</p><p><strong>Google Cloud security practices</strong><br>NextFluent AssessFluence uses Google Cloud (GCP) to store user data. These servers undergo recurring assessment to ensure compliance with the latest industry standards, and continually manage risk. By using GCP as our data center, our infrastructure is accredited by:</p><ul><li>ISO 27001</li><li>SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)</li><li>PCI Level 1</li><li>FedRAMP</li><li>HIPAA</li></ul><p>More information about Google Cloud security can be found <a href="https://cloud.google.com/trust-center?hl=en">here</a>.</p><h4><strong>Password policy and storage</strong></h4><p>To access NextFluent AssessFluence, you need to provide a strong password of at least 6 characters. We do not store these user passwords in plain text, we only store one-way encrypted password hashes, including a per-user-random-salt. This protects users against rainbow table attacks and encrypted password matching.<br>If users enter incorrect passwords multiple times in a row, the account will be temporarily locked to prevent brute-force attacks.</p><h4><strong>Request throttling and tracking</strong></h4><p>We block requests originating from known, vulnerable IP addresses or ranges.<br>Requests that originate from the same IP are throttled and rate-limited to avoid potential misuse.</p><h4><strong>XSS and CSRF Protection</strong></h4><p>To block Cross-Site Scripting Attacks (XSS), all output is escaped by default in our back-end application before hitting the browser potentially causing XSS attacks. We avoid using returning raw data, as this could potentially cause unwanted data to be sent to the browser.</p><p>Our application blocks requests that do not originate from our own domain(s), to help reduce the risk of Cross Site Request Forgery (CSRF) attacks; For important actions, we also use CSRF-tokens.</p><p>Lastly, we’ve implemented the Content Security Policy (CSP) HTTP header, which whitelists which assets (javascripts, images, stylesheets, etc.) the user’s browser should allow to load and execute. A correctly implemented CSP header eliminates any malicious javascript (XSS attacks), crafted files disguised as images, and similar attacks based on the browser’s trust of the assets served.</p><h4><strong>Organization</strong></h4><p>Our team uses strong, unique passwords for NextFluent AssessFluence accounts and has set up Two-Factor Authentication for each device and service they use. All NextFluent employees are encouraged to use password manager software (1Password, …) to generate and store strong passwords.<br>We also make sure to encrypt local hard drives and enable automatic screen locking. All access to application admin functionalities is restricted to a select group of people.</p><h3><strong>3. Quality assurance</strong></h3><h4><strong>Code review</strong></h4><p>We introduced strict code reviews for any change to our code base, to ensure development best practices are used across all our code pushes.<br>Vulnerability disclosure<br>Since the launch of NextFluent AssessFluence, we’ve invited everyone to notify us of issues they find in our application, to continuously make our platform more secure and reliable. All vulnerability report submissions are read, handled and responded to in the shortest possible time frame.</p><h2>Do you need more information</h2><p>If you or your prospects require additional information about NextFluent's Security, we recommend submitting a support ticket (<a href="https://nextfluent.atlassian.net/servicedesk/customer/portal/1" target="_blank" rel="noopener noreferrer">log a ticket here</a>). Once your request has been reviewed, our support desk will provide you with access to the comprehensive Trust Center documents. These include detailed policies, recent penetration test reports, and extended summaries outlining the various security measures we have implemented to ensure your data's safety and compliance.</p>

<figure class="table"><table style=";"><thead><tr><th style="background-color:rgb(245, 245, 245) !important;border-bottom-color:initial;border-bottom-width:0px !important;border-top-color:initial;border-top-width:0px !important;height:0px !important;padding:0px !important 8px;" colspan="1" rowspan="1"><strong>Legal entity (parent company)</strong></th><th style="background-color:rgb(245, 245, 245) !important;border-bottom-color:initial;border-bottom-width:0px !important;border-top-color:initial;border-top-width:0px !important;height:0px !important;padding:0px !important 8px;" colspan="1" rowspan="1"><strong>Purpose</strong></th><th style="background-color:rgb(245, 245, 245) !important;border-bottom-color:initial;border-bottom-width:0px !important;border-top-color:initial;border-top-width:0px !important;height:0px !important;padding:0px !important 8px;" colspan="1" rowspan="1"><strong>Hosting location</strong></th><th style="background-color:rgb(245, 245, 245) !important;border-bottom-color:initial;border-bottom-width:0px !important;border-top-color:initial;border-top-width:0px !important;height:0px !important;padding:0px !important 8px;" colspan="1" rowspan="1"><strong>Address</strong></th><th style="background-color:rgb(245, 245, 245) !important;border-bottom-color:initial;border-bottom-width:0px !important;border-top-color:initial;border-top-width:0px !important;height:0px !important;padding:0px !important 8px;" colspan="1" rowspan="1"><strong>Website</strong></th></tr></thead><tbody><tr><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Google Cloud Services d/b/a GCP</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Infrastructure &amp; Hosting: Cloud infrastructure: hosting and storage</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">EU (Belgium)</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Chaussee d’Etterbeek 180 1040 Brussels Belgium</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;"><a href="https://cloud.google.com/" target="_blank" rel="noopener noreferrer">Link</a></td></tr><tr><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Functional Software, Inc. d/b/a Sentry</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Infrastructure &amp; Hosting: Error monitoring</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">USA</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">1 Baker Street, Suite 5B, San Francisco, CA 94117, United States</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;"><a href="https://sentry.io/" target="_blank" rel="noopener noreferrer">Link</a></td></tr><tr><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">SendGrid, Inc. (Twilio, Inc.)</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Functionality: Email and notification services</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">USA</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">1801 California Street, Suite 500 Denver, Colorado 80202, United States</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;"><a href="https://sendgrid.com/" target="_blank" rel="noopener noreferrer">Link</a></td></tr><tr><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Atlassian, Inc.</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Customer support: Handling support tickets</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">EU</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Singel 236 1016 AB Amsterdam, Netherlands</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;"><a href="https://www.atlassian.com/" target="_blank" rel="noopener noreferrer">Link</a></td></tr></tbody></table></figure><p><i>Please note that the above overview doesn’t include the entities which offer optional integrations, even though we might share some of the data in your account with them at your request when you make use of the integration. It is your responsibility to obtain the necessary data protection assurances from the relevant software provider before activating the integration.</i></p>

<h2><strong>1. Important concepts</strong></h2><p>To understand how we deal with the GDPR at NextFluent, it is important that you are familiar with the following terms:</p><h3><strong>1.1 Personal data</strong></h3><p>Any data that can be used to identify a person. This is a very broad concept, not just limited to names, addresses and contact details. For instance, in some cases, IP addresses can be considered personal data.</p><h3><strong>1.2 Data processing</strong></h3><p>Anything you do with personal data: collect it, store it, manage it, analyze it, consult it, share it, sell it. You name it.</p><h3><strong>1.3 Data subject</strong></h3><p>The person whose personal data is being processed. In other words, the person who can be identified using the data one has about them.</p><h3><strong>1.4 Data controller &amp; data processor</strong></h3><p>The GDPR makes a clear distinction between two roles:</p><ol><li>The ‘data controller’: determines which personal data is processed and for which purposes the personal data is used (<i>deciding</i>);</li><li>The ‘data processor’: processes certain personal data on behalf of the data controller (<i>facilitating</i>).</li></ol><p>A party’s responsibilities regarding personal data are different depending on its role.<br>It is possible for one party to act as a data controller in some cases and as a data processor in others. This is the case for us.</p><h2><strong>2. Customer as controller and NextFluent as processor</strong></h2><h3><strong>2.1 Customer as controller</strong></h3><p>When using our assessment software, you enter personal data (e.g. name, email address, etc.) of third parties into your account. These third parties can be your company’s or organization’s customers, leads, business partners, etc. (“contacts”). Basically anyone whose personal data you’ve collected for your own purposes, e.g. to provide your services. You are the data controller in relation to their personal data.</p><h3><strong>2.2 NextFluent as processor</strong></h3><p>We facilitate the management of your contacts’ data through our software. By entering their personal data into your account, you are sharing this data with us. Our job is to keep this data, for which you are the controller, available and safe on your behalf. That makes us the data processor here.</p><p>Wherever possible, we provide tools and assistance enabling you to meet your obligations under the GDPR. Even though we make reasonable efforts to help you with GDPR compliance, it remains your final responsibility as data controller to meet your obligations under GDPR.</p><figure class="table"><table style=";"><thead><tr><th style="background-color:rgb(245, 245, 245) !important;border-bottom-color:initial;border-bottom-width:0px !important;border-top-color:initial;border-top-width:0px !important;height:0px !important;padding:0px !important 8px;" colspan="1" rowspan="1"><strong>Contact of NextFluent customer the Data subject (a respondent, user, partner,…)</strong></th><th style="background-color:rgb(245, 245, 245) !important;border-bottom-color:initial;border-bottom-width:0px !important;border-top-color:initial;border-top-width:0px !important;height:0px !important;padding:0px !important 8px;" colspan="1" rowspan="1"><strong>NextFluent AssessFluence application customer, the Data controller</strong></th><th style="background-color:rgb(245, 245, 245) !important;border-bottom-color:initial;border-bottom-width:0px !important;border-top-color:initial;border-top-width:0px !important;height:0px !important;padding:0px !important 8px;" colspan="1" rowspan="1"><strong>NextFluent the Data processor</strong></th><th style="background-color:rgb(245, 245, 245) !important;border-bottom-color:initial;border-bottom-width:0px !important;border-top-color:initial;border-top-width:0px !important;height:0px !important;padding:0px !important 8px;" colspan="1" rowspan="1"><strong>Sub-processors (Hosting, IT infrastructure, Standard integrations)</strong></th></tr></thead><tbody><tr><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Shares personal data with the NextFluent AssessFluence application</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Collects personal data from the Contact of NextFluent customerEnters personal data of its contacts into the software if NextFluent</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Securely processes personal data on behalf of the NextFluent AssessFluence application customerShares personal data with other service providers for the purpose of Hosting, IT infrastructure, and Standard integrations</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Securely process personal data under instructions of NextFluent</td></tr></tbody></table></figure><h3><strong>2.3 The Data Processing Agreement (DPA)</strong></h3><p>To clearly define the respective GDPR responsibilities of us (as processor) and you (as controller) we have made sure that there is a DPA in place.<br>In the DPA, we list the different technical and organizational measures we take to safeguard the security of your data and the reliability of our software. The DPA also sets out a clear and well-defined procedure in case of a data breach.<br>In addition, the DPA includes a general overview of the personal data which we expect to process on your behalf.<br>Read the DPA for more information: <a href="https://nextfluent.com/project/assessfluence-dpa">NextFluent AssessFluence DPA</a></p><h3><strong>2.4 Sub-processors</strong></h3><p>As a processor, we engage a limited number of sub-processors. These parties can process some parts of the personal data, for which you are the controller, for specific purposes.<br>We rely on these trusted sub-processors for three main reasons:</p><ol><li>to host our applications for you and to make sure they run smoothly;</li><li>to offer certain built-in functionalities (“standard integrations”); and</li><li>to provide customer support.</li></ol><p>All of these sub-processors were carefully selected because of their strict data protection policies and thorough security measures. We have made the necessary contractual arrangements with each of them to make sure that they meet the same high standards set forth in our DPA with you.<br>See the full list of sub-processors: <a href="https://nextfluent.com/project/assessfluence-sub-processors">For NextFluent AssessFluence</a></p><h3><strong>2.5 Hosting location</strong></h3><p>All customer data is hosted on servers located in the EU:<br>For NextFluent AssessFluence: Google Cloud servers in Belgium (EU-WEST-1 region)</p><h3><strong>2.6 Data deletion</strong></h3><p>As long as you are a customer with us, we keep the data in your account. You are of course free to delete any data from your account, e.g. to meet your own obligations as a controller regarding data minimization and storage limitation.</p><p>When your contract with us ends, you will have the possibility to export the data from your account. We permanently delete the personal data in your account within a short period of time after your contract with us has ended:<br>For NextFluent AssessFluence: 3 months</p><p>The reason we keep the data temporarily after the end of the contract is to be able to restore your account should you wish to do so. You can always ask for the data to be deleted earlier. Once the deletion is done, we can no longer restore your account or provide you with an export of your data.</p><p>By deleting the personal data in your account, we effectively anonymise the data. In other words, we no longer have a way to identify your contacts using the data that is left. We retain the remaining anonymized data for research, training, educational, statistical and commercial purposes. This is also clearly stipulated in our terms of service. Anonymous data is not covered by the GDPR and can be used freely.</p><h2><strong>3. NextFluent as controller</strong></h2><p>We are a data controller when we decide to collect and use your personal data for our own commercial purposes. We mainly do this to provide and improve our services.<br>Read our Privacy Statement to learn more about why we collect certain personal data about you, how long we store this data, which privacy rights you have, etc.</p><p>As a data controller, we engage several service providers which we instruct to process your personal data on our behalf for various purposes, e.g. to send you our newsletter or to collect feedback from you. We have DPAs in place with all these processors to ensure that they apply the same high standards of data protection as we do.</p><figure class="table"><table style=";"><thead><tr><th style="background-color:rgb(245, 245, 245) !important;border-bottom-color:initial;border-bottom-width:0px !important;border-top-color:initial;border-top-width:0px !important;height:0px !important;padding:0px !important 8px;" colspan="1" rowspan="1"><strong>NextFluent customer (Data subject)</strong></th><th style="background-color:rgb(245, 245, 245) !important;border-bottom-color:initial;border-bottom-width:0px !important;border-top-color:initial;border-top-width:0px !important;height:0px !important;padding:0px !important 8px;" colspan="1" rowspan="1"><strong>NextFluent (Data controller)</strong></th><th style="background-color:rgb(245, 245, 245) !important;border-bottom-color:initial;border-bottom-width:0px !important;border-top-color:initial;border-top-width:0px !important;height:0px !important;padding:0px !important 8px;" colspan="1" rowspan="1"><strong>Other service providers – e.g. Customer feedback (Data processor)</strong></th></tr></thead><tbody><tr><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Shares personal data with NextFluent</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Collects personal data from the NextFluent customerShares personal data with other service providers for the purpose of Customer feedback</td><td style="border-bottom-style:none;border-left-style:none;border-right-style:none;border-top:1px solid rgb(221, 221, 221);padding:8px;vertical-align:top;">Securely process personal data on behalf of NextFluent</td></tr></tbody></table></figure><h2><strong>4. Best practices</strong></h2><p>Next to everything mentioned above, we have some strict internal policies and procedures in place to carefully handle all personal data. As an example, in a limited number of well-defined cases, colleagues from our Development, Support and Customer Success teams can access the data in your account. Access rights are restricted to authorized personnel only, based on the principle of least privilege. All actions in the account are duly logged. These audit logs are regularly reviewed to prevent abuse.<br>We also organize recurring awareness initiatives to ensure that data protection remains top-of-mind with our colleagues at all times.<br>Ensuring the security of your data and complying with data protection legislation is an important part of our mission. We continue to invest effort and resources to make improvements in this area.</p><h2><strong>5. We are here to help</strong></h2><p>If you have a question or feedback regarding our privacy practices feel free to contact our security team via <a href="mailto:security@nextfluent.com" target="_blank" rel="noopener noreferrer">security@nextfluent.com</a></p>

Home

Was this article helpful?

You recently requested to reset your password for your account. Use the button below to reset it. This password reset is only valid for the next 24 hours.

If you’re having trouble with the button above, copy and paste the URL below into your web browser.

Please check your email for instructions to reset your password.

Check your email

Enter your email address and we will send you instructions to reset your password.

Please enter a new password below.

Set your password