RESPONSIBLE DISCLOSURE & PRIVACY STATEMENT

At DESAN, we consider the security of our systems to be of the utmost importance. Despite our best efforts to secure our systems, vulnerabilities may still exist. If you discover a security weakness in one of our systems, we encourage you to report it to us immediately. This cooperation helps us protect our customers and systems effectively.

We kindly request that you:

1. Share your findings with us.

2. Refrain from exploiting the issue, such as downloading more data than necessary to demonstrate the vulnerability, or accessing, modifying, or deleting third-party data.

3. Avoid disclosing the issue to others until it has been resolved. We also ask that you promptly delete any confidential data obtained once the vulnerability is fixed.

4. Do not engage in physical security attacks, social engineering, distributed denial of service attacks, spam, or attacks on third-party applications.

5. Provide sufficient information to reproduce the problem, allowing us to address it as quickly as possible. Typically, the IP address or URL of the affected system, along with a description of the vulnerability, is adequate. However, for more complex vulnerabilities, additional information may be necessary.

 

In return, we promise:

1. To respond to your report within 5 days, providing an assessment and an expected resolution date.

2. Not to pursue legal action against you if you adhere to the above conditions.

3. To treat your report confidentially and not share your personal information with third parties without your consent unless required by law. You are welcome to report under a pseudonym.

4. To keep you informed about the progress of resolving the issue. If you wish, we will mention your name as the discoverer in our communications about the problem.

5. To strive for swift resolution of all reported issues. We are also open to collaboration on any public disclosure of the problem after it has been resolved.

Information for Respondents

We are a market research company and process your personal data for the purpose of conducting market research. We operate on behalf of our clients, and often they have provided us with your data and requested us to invite you for market research. When we invite you for research, we will inform you about the purpose of the research and, upon request, about who our client is. This allows you to verify with them at any time whether they had permission to share your data with us. Our clients are responsible for the lawful processing of your data. The General Data Protection Regulation (GDPR) allows for your data to be used for statistical purposes, even if it was collected for another purpose. Therefore, we may use your data for market research even if you have not explicitly given consent for this. Participation in our surveys is entirely voluntary. You decide whether you wish to participate.


We use your personal data when processing your responses for statistical purposes, for example to determine whether young people have different opinions than older individuals or to analyze differences between city residents and those living outside the city. We do not collect more data than strictly necessary for the purpose of the survey. We do not process your data in an identifiable form for longer than necessary to conduct the study. We never report on you as an individual with identifiable data unless you have given us unequivocal consent to do so. When we request such consent, we will inform you to whom and for what purpose we transfer the data. We have implemented extensive technical and organizational measures to prevent unauthorized use of your data. Your responses and personal data are solely used for research activities and are not used for commercial purposes or to send you marketing material. Upon completion of the research, your personal data will be deleted as soon as possible, but no later than within a period of six months.

 

Information for Customers

We process your personal data for our own marketing purposes. Marketing activities falling under this purpose include commercial and informative email messages such as newsletters, whitepapers, invitations to events we organize, and information about products and services offered by us that you may be interested in. We only collect the data necessary to achieve the above purpose. When we collect your data, you agree to our terms and conditions and grant us permission to use it for the aforementioned purpose. We collect the data directly from you, the data subject, or you authorize us to receive it. The data we process from you is not such that further pseudonymization or anonymization is possible without preventing its use for the aforementioned purpose. We do not apply automated decision-making or profiling to your data. Your data will be stored and used for the above-mentioned purpose until you indicate that we may no longer use your data for this purpose. You can use the unsubscribe option in the emails we send or contact us via the email address below to do so. We use marketing automation software and store your data in data centers within the Netherlands. You have the right to access and correct the data we process about you. You can do this by sending an email to AVG@desan.nl. You also have the right to request that we delete your data.

 

When the company you work for purchases products or services from us in which you are a participating party, we process your personal data as part of the performance of an agreement. In this case, the processing of your personal data is necessary to provide the products or services. We store your personal data in our project administration system with data centers within the Netherlands and use it for the above purpose as long as the agreement continues. You have the right to access and correct the data we process about you. You also have the right to request that we delete your data.

Our Data Breach Reporting Procedure can be found below. It is a requirement to report data breaches to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of discovery.

What is a data incident, and what is a data breach?
A data breach is a security breach that has resulted in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that has been transmitted, stored, or otherwise processed.

A data incident is a suspected data breach or an event in which personal data may have been lost.

Personal data includes all information related to an identified or identifiable living person, such as name, address, date of birth, cookies, IP addresses, identification data, videos, financial data, and sensitive personal data.

If you believe there is a data incident or data breach, please take the following steps immediately:

  1. Notify DESAN’s Data Protection Officer at AVG@desan.nl, making sure to clearly indicate in the subject that it is a data incident or data breach.
  2. Do not provide additional details beyond what is known about the potential incident, but do provide as much complete information as possible about the incident.

Click here to find our PGP-key

Top Researcher: N/A