SpeedAdmin ApS€¦ · SpeedAdmin ApS has made a risk assessment of potential threats to the system and data security. The threats have been assessed, based on the probability of

REVI-IT A/S state authorised public accounting firmJens Kofods Gade 1 DK-1268 Copenhagen K Phone 3311 8100 [email protected] revi-it.dk CVR-no. 3098 8531

Independent service auditor’s assurance report

Assurance engagement in relation to compliance with the EUGeneral Data Protection Regulation (GDPR) and associated Dan-ish Data Protection Act in the role as data processor for the pe-

riod 21-06-2019 to 31-05-2020

ISAE 3000

SpeedAdmin ApSCVR-no.: 34 59 01 76

June 2020

SpeedAdmin ApS

REVI-IT A/S

Table of contents

Section 1: SpeedAdmin ApS’ statement ...................................................................................................1

Section 2: SpeedAdmin ApS’ control description ISAE 3000.....................................................................3

Section 3: Independent service auditor’s assurance report on compliance with the EU General DataProtection Regulation (GDPR) and associated Danish Data Protection Act in the role of dataprocessor, 21-06-2019 to 31-05-2020 ......................................................................................8

Section 4: Control objectives, controls, tests, and related test controls.................................................10

SpeedAdmin ApS

REVI-IT A/S Page 1 of 23

Section 1: SpeedAdmin ApS’ statementThe enclosed description is prepared for use by data controllers, who have used services and who have suf-ficient understanding to evaluate the description together with other information, including information ofcontrols, which the controllers themselves performed by assessing whether the requirements of the EU’Regulation about the protection of natural persons with regard to the processing of personal data and onthe free movement of such data, (hereafter referred to as “General Data Protection Regulation”)

SpeedAdmin confirms that:

a) The accompanying control description page gives a true and fair description of the services, which hasprocessed personal data for data controllers covered by the data protection regulation throughout theperiod from 26-10-2019 to 31-03-2020. The criteria used to make this opinion were that the accompa-nying description:

(i) Describe, how SpeedAdmin was designed and implemented, including:

• The types of services provided, including the type of processed personal data• The processes in both IT and manual systems used to initiate, register, process

and, if necessary, correct, delete, and restrict the processing of personal data• The processes used to ensure that the data processing has been carried out in

accordance with a contract, instruction, or agreement with the data controller.• The processes used to ensure, that the persons, authorised to process personal

data, have committed themselves to a non-disclosure agreement or are subjectto adequate statutory professional confidentiality.

• The processes that, upon discontinuation of data processing, ensure that at thediscretion of the data controller, all personal data is deleted or returned to thedata controller, unless law or regulation provides for the retention of personaldata.

• The processes that, in the event of a breach of the personal data security, sup-port that the data controller can report to the regulator and notify the data sub-jects

• The processes that ensure appropriate technical and organizational safeguardsfor the processing of personal data, taking into account the risks of processing, inparticular through accidental or unlawful destruction, loss, alteration, unauthor-ized disclosure or access to personal data transmitted right, stored or otherwiseprocessed

• Controls that we have provided, with reference to SpeedAdmin, the delimitationof the data controllers and, if necessary, to achieve the control objectives thatare listed in the specification, are identified in the specification

• Other aspects of our control environment, risk assessment process, informationsystem (including the associated business processes) and communications, con-trol activities and monitoring controls that have been relevant to the processingof personal data.

SpeedAdmin ApS


(ii) Contains relevant information about changes in the data processor’s SpeedAdmin for pro-cessing of personal information, made during the period 21-06-2019 to 31-05-2020

(iii) Does not omit or distort information relevant to the scope of the described SpeedAdmin forprocessing personal data, taking into account that the description has been prepared tomeet the general needs of a wide circle of data controllers and therefore cannot includeevery aspect of SpeedAdmin, which the individual data controller must consider importantaccording to their particular circumstances

b) The controls relating to the control objectives set out in the accompanying description were appropri-ately designed and effective throughout the period from 21-06-2019 to 31-05-2020. The criteria usedto make this opinion were that:

(i) The risks that threatened the achievement of the control objectives set out in thespecification were identified

(ii) The checks identified, if performed as described, would provide a high degree of assurance thatthe risks in question did not impede the achievement of the stated control objectives; and

(iii) The controls were used consistently as designed, including manual checks carried out by per-sons of appropriate competence and authority throughout the period from 21-06-2019to 31-05-2020

c) Appropriate technical and organizational measures have been established and maintained to fulfillingthe agreements with data controllers, good data processing practices and relevant data processing re-quirements under the Data Protection Regulation.

Sønderborg, 29 June 2020

SpeedAdmin ApS


Section 2: SpeedAdmin ApS’ control description ISAE 3000The purpose of the data processor’s processing of personal data on behalf of the data controller is: To sup-ply the administration system SpeedAdmin to schools of music and culture.

It is the schools of music and culture, who are responsible for supplying the data they need to be able toperform the daily administrative operational tasks in SpeedAdmin. This makes the schools of music and cul-ture data controllers in relation to the data subjects.

The processing of personal data is performed according to the general agreement (license agreement) be-tween SpeedAdmin and the schools of music and culture, which is signed in the beginning of the consign-ment.

The system is a 100% web based and need therefore not be retrieved or downloaded to the PC used. It is,however, an option to download the SpeedAdmin App to smartphones and tablets, to be used by teachers,students, and guardians.

Description of processing

The processors’ processing of personal data on behalf of the controller is solely performed according tocontroller’s instructions. Processor does not use personal data for other purposes, that then ones describedin the controller’s instructions.

Personal data

- CPR-number (DK) and ”personnummer” (NO and SE)

- Data of birth (UK and DE)

- Address, postal code

- Full name

- E-mail

- Mobile- and telephone number

Categories of data subjects included in the data processor agreement:

- Schools of music and culture’s employees

- Students

- Guardians

- If required, schools of music and culture’s partner’s liaison officers.

Practical measures

The management of SpeedAdmin has approved all measures, internal standards, individual yearly audits,performed internally within SpeedAdmin.

SpeedAdmin ApS


Every SpeedAdmin employee has been informed about personal data and information security. Annually,an internal security awareness training is being held, reviewing internal standards and information con-nected to GDPR and IT-security. All standards are accessible to all employees. In case of major changes instandards, all employees are being informed.

The system performs automatic logs. Among other things, all logins to the system, included failed logins arebeing logged. Changes made to students, guardians and teachers are being logged. Furthermore, searchesfor specific data subjects are also being logged.

Development of the system, which can have an impact on the rights of the data subjects are being regis-tered in a log and SpeedAdmin’s DPO is involved in the process. Potential security incidents and the han-dling of the are being registered. Annually, this log will be reviewed, focusing on the way the security inci-dents were handled.

Risk assessment

SpeedAdmin ApS has made a risk assessment of potential threats to the system and data security. Thethreats have been assessed, based on the probability of the threat occurring and how big an impact thethreat would have, if real.

This risk assessment is reviewed minimum once a year. This review is focusing on, whether new threatshave appeared since last review. Furthermore, the risk assessment is being adjusted, if measurements havebeen realized of if new possible solutions have been suggested.

Changes in the risk assessment will always be approved and signed by one of SpeedAdmin’s managers.

Processing - instructions

In the data processor agreement, we have with our customers, the customers’ instructions are described inconnection with the data processing. We exclusively process data, based on these instructions.

We have a standard of, how we handle unlawful instructions, if such is received from a customer. All em-ployees are familiar with this standard, and are able to act accordingly, in case they receive an unlawful in-struction from a customer.

We also keep an article 30-record of the different processing of personal data performed by us – both in therole as data processor (on behalf of our customers) and as data controller (for our sub-suppliers). This rec-ord is also available to the employees, enabling them to keep informed. The article 30-record is reviewed atleast once a year, in the beginning of the new year, or when needed. Reminders have been set up for thoseresponsible, sending them a reminder of the review.

Apart from the article 30-record, we also manage user accesses for all employees. We have a list of all em-ployees’ user accesses, which will be updated whenever changes occur.

SpeedAdmin ApS


Procedure review

Once a year, or when needed, all internal standards are being reviewed. Additionally, various lists and logsare being examined and reviewed. This way we can form a general view of the general handling of the ac-tual cases and decide whether changes to one or more standards are needed. At our yearly security aware-ness training day, all employees are asked to delete emails and other documents containing personal data.

Procedures – access management

SpeedAdmin’s management is in charge of decisions and the administration of which user accesses the indi-vidual employee should have.

All accesses are being recorded in a document. This document is being updated with every change made inconnection with accesses.

Personal access codes exist for both the employees’ computer and the system itself.

All Speed Admin’s employees have access to the office in Sønderborg. Everybody has received a key cardwith individual access codes, required for access during off-hours. Every key card is marked with a number,recorded in the access document for each employee.

Upon termination of an employee, the going standard must be complied with, in connection with return ofkey card and termination of the different accesses held by the individual.

Users are grouped by rights in the system. This means that not everybody has the same rights in the sys-tem, since the groups determines, which functions should be available to the individual. Apart from thegroups in the system, all actions and by whom, are logged in the system.

Procedures – development

The internal standard including development of new or existing features, which can or will influence therights of the data subjects and/or personal data, must be complied with. The procedure states, that the de-velopers working on the individual cases, must record all in an internal log.

In addition to logging the developing, the DPO must also be involved before the development is being de-ployed (implemented into the system). DPO must be part of ensuring that the data subjects are protectedin the best way possible and in accordance to the general data protection regulation.

Procedures – managing personal data requests

SpeedAdmin is not allowed to process personal data requests from data subjects. Since we are “only” theprocessor and therefore not data controller, we are not authorised to process these requests.It is the role of the data controller – our customers, who are authorised to process personal data requests.

Therefore, we hardly ever receive similar orders. Since this however, is no guarantee that we won’t get one,our standard includes a paragraph about the rights of the data subjects.

SpeedAdmin ApS


In case we receive a personal data request from a data subject, we refer the concerned to the relevantschool. In addition, we log the request, that also will be reviewed when needed or at least once a year, inorder for us to determine whether any part of the standard need to change.

Procedures – security incidents

SpeedAdmin ApS is logging security incidents according to the internal standard about security incidents.Amon other things, it is important that the DPO is included as soon as a security incident has been discov-ered.

In case of a security incident occurring, this must be logged, including information about, how the matterhas been handled. This must be updated regularly – from the detection of the incident, until the case hasbeen completed.

This log is reviewed annually. The review focuses on the management of last years’ incidents, during thisreview, focus is among other things on the handling of the incident and on whether the standard need to beadjusted. If the standard is being adjusted, every employee will be notified.

Sub-processors

We have chosen to use sub-processors, since it is our opinion, that they contribute to the best combinedsolution for our customers.

The sub-processors are required – at any given time – to have adequate protection against electronical orphysical unlawful access, malicious damage, theft, hacking, computer virus, denial of service attacks orother similar security incidents. Additionally, they must be protected from the risk of fire, storm, waterdamage or other similar circumstances, which can compromise SpeedAdmin’s ability to fulfil contract re-quirements.

The sub-processors are reviewed once a year. We obtain the IT audit report if any is available. Failing this,we forward an annual questionnaire, describing their methods and procedures in securing a high degree ofIT-security.

All non-confidential documents can, upon request, be forwarded to the data controller in connection withour review.

Third countriesIt has been decided that SpeedAdmin neither store nor transfer data to third countries. Therefore, this isalso an issue for inspection, before SpeedAdmin decides to employ a new sub-processor.

Employees

Upon onboarding a new employee, the IT-security policy and the internal standards are being reviewed.Apart from this the employee must sign a statement, which is included in our IT-security policy. The stand-ard will be followed upon termination of employment.

SpeedAdmin ApS


Significant changes during the period

We have migrated from Gmail to Microsoft Outlook Apart from that, no significant changes have beenmade during the period.

Complementary controls

- Data controller is responsible for deleting the log- Superusers are the only ones authorized to anonymize users in the system- In case the controller downloads Excel spreadsheets from SpeedAdmin, the controller is responsi-

ble for deleting it- The controller must pay attention to the mails being sent by the system about locked users

The controllers themselves have duty of disclosure to the data subjects in SpeedAdmin – we of course assistwith information about the processing.

SpeedAdmin ApS


Section 3: Independent service auditor’s assurance report on compliance withthe EU General Data Protection Regulation (GDPR) and associatedDanish Data Protection Act in the role of data processor, 21-06-2019to 31-05-2020

To SpeedAdmin ApS, the company’s customers, and their auditors.

As agreed, we have reviewed SpeedAdmin ApS’ services in relation to their compliance with the EU GeneralData Protection Regulation (GDPR) and associated Danish Data Protection Act for the period of 21-06-2019to 31-05-2020.

The assurance report is intended solely for the use of SpeedAdmin ApS, their customers, and their auditorsfor assessing the existing procedures and must not be used for other purposes.

Management’s responsibility

Speed Admin’s management is responsible for implementing and ensuring the maintenance of proceduresin connection with their services as required by the EU General Data Protection Regulation (GDPR) and as-sociated Danish Data Protection Act.

Service auditor’s responsibility

On the basis of the conducted work, it is our responsibility to express an opinion on whether the company’sdelivery in relation to Lessor Group’s services complies with the requirements stated in the EU General DataProtection Regulation (GDPR) and associated Danish Data Protection Act.

We have conducted our work in accordance with ISAE 3000, Assurance engagements other than audits orreviews of historical financial information and additional requirements under Danish audit regulation in or-der to obtain reasonable assurance for our opinion.

REVI-IT A/S applies International Standard on Quality Control 1 and accordingly maintains a comprehensivesystem of quality control including documented policies and procedures regarding compliance with ethicalrequirements, professional standards, and applicable legal and regulatory requirements.

We have complied with the independence and other ethical requirements of the Code of Ethics for profes-sional Accountants issued by the International Ethics Standards Board for Accountants, which is founded onfundamental principles of integrity, objectivity, professional competence and due care, confidentiality andprofessional behaviour.

Our work comprised enquiries, observations as well as assessments and examination in spot checks of theinformation we have been provided.

Due to limitations in all control systems, errors or fraud may occur, which might not be uncovered by ourwork. Also, the projection of our opinion on transactions in subsequent periods is subject to the risk ofchanges to systems or controls, changes to the requirements in relation to the processing of data or to thecompany’s compliance with the described policies and procedures, whereby our opinion may not be appli-cable anymore.

SpeedAdmin ApS


Limitations in controls at a data processor

SpeedAdmin’s description has been prepared to meet the common needs at a broad range of data control-lers and may not, therefore, include every aspect of the services provided by SpeedAdmin, that each indi-vidual data controller may consider for important according to their specific circumstances. Also, because oftheir nature, controls at a processor may not prevent or detect all personal data breaches. Also, the projec-tion of any evaluation of effectiveness to future periods is subject to the risk that controls at a controllermay become inadequate or fail.

Opinion

This opinion is formed on the basis of the understanding of the criteria accounted for in the assurance re-port’s introductory section, and which are based on the requirements in the EU General Data ProtectionRegulation (GDPR) and associated Danish Data Protection Act.

It is our opinion, that SpeedAdmin ApS, in all material respects has met the criteria mentioned for the pe-riod 21-06-2019 to 31-05-2020

Description of tests of controls

The specific controls tested, and the nature, timing and results of these tests are listed in the subsequentmain section.

Intended users and purpose

This assurance report is intended only for customers who have used SpeedAdmin’s services, and their audi-tors, who have a sufficient understanding to consider the description along with other information, includ-ing information about controls operated by customers themselves. This information serves to obtain an un-derstanding of the customers’ information systems, which are relevant for compliance in the role as dataprocessor in relation to EU General Data Protection Regulation (GDPR) and associated Danish Data Protec-tion Act.

København, 29 June 2020

REVI-IT A/SState authorised public accounting firm

Henrik Paaske Basel Rimon ObariState authorised auditor IT-revisor, CISA, CISM, Partner

SpeedAdmin ApS


Section 4: Control objectives, controls, tests, and related test controlsThe following overview is provided to facilitate an understanding of the effectiveness of the controls imple-mented by SpeedAdmin ApS in the delivery of their services according to compliance with the EU GeneralData Protection Regulation (GDPR) and associated Danish Data Protection Act. Our testing of functionalitycomprised the controls that we considered necessary to provide reasonable assurance for compliance inthe period for 21-06-2019 to 31-05-2020.

The requirements evident directly from the EU General Data Protection Regulation (GDPR) or the DanishData Protection Act cannot be derogated from. However, it can be adjusted how the security is imple-mented, as the security requirements in GDPR in several respects are of more general and overall characterthat i.e. must consider purpose, nature of processing, category of personal data etc. In addition, there maybe specific requirements in each customer contract that may have a scope extending beyond the generalrequirements of the Data Protection Act. If this is the case, these are not covered by the following.

Moreover, our assurance report does not apply to any controls performed at SpeedAdmin’s customers, asthe customers’ own auditors should perform this review and assessment.

We performed our tests of controls at SpeedAdmin by taking the following actions:

Method General description

Inspection Review and evaluation of policies, procedures and documentation con-cerning the performance of controls. This includes reading and assess-ment of reports and documents in order to evaluate whether the spe-cific controls are designed in such a way, that they can be expected tobe efficient when implemented.

Observation Observing how controls are performed.

Inquiries Interview with appropriate personnel at Lessor Group regarding con-trols.

Re-performance Re-performance of controls in order to verify that the control is workingas assumed.

SpeedAdmin ApS

REVI-IT A/S Side 11 af 23

Control objective A – Instruction regarding the processing of personal dataProcedures and controls are observed that ensure that instruction regarding the processing of personaldata is complied with in accordance with the entered processor agreement.

No. Processor’s control activity REVI-IT’s performed test Test result

A.1 There are written procedures con-taining requirements that pro-cessing of personal data may onlyoccur on the basis of an instruction.

Regularly – and at least annually –an assessment is made of whetherthe procedures should be updated.

We have inspected the informationsecurity policy, and ensured thatdecisions have been made, to en-sure that the processing of per-sonal data only is performed in ac-cordance with instructions.

We have inspected, that proce-dures have been updated duringthe audit period.

We have, by sample test, inspectednew data processor agreements,and ensured that the requirementsfor instructions have been de-scribed.

No deviations noted.

A.2 The processor only performs theprocessing of personal data evidentfrom the instruction from the con-troller.

We have, by sample test, inspecteddata processor agreements, andensured that the processor com-plies with the instructions.


A.3 The processor immediately notifiesthe controller if an instruction ac-cording to the processor is contraryto the General Data Protection Reg-ulation or data protection provi-sions in other EU law or the Mem-ber States’ national legislation.

We have inquired into, whether un-lawful instructions have occurredduring the audit period.

We have been informed, that nounlawful instructions have oc-curred during the audit period,wherefore we are not able to testthe efficiency of the control.

No further deviations noted.

SpeedAdmin ApS


Control objective B – Technical measuresProcedures and controls are observed that ensure that the processor has implemented technical measuresfor ensuring relevant security of data processing


B.1 There are written procedures con-taining requirements on the estab-lishment of agreed securitymeasures for the processing of per-sonal data in accordance with theagreement with the controller.

We have inquired about infor-mation security policy and ensuredthat decisions have been made toestablish agreed security measuresto protect personal data pro-cessing.

We have, by sample test of 4 dataprocessor agreements, ensuredthat the agreed security measureshave been established.


B.2 The processor has performed a riskassessment and on the basis ofthis, has implemented the technicalmeasures assessed to be relevantin order to achieve adequate secu-rity, including establishing the secu-rity measures agreed with the con-troller.

We have inspected the risk assess-ment and ensured that it is basedon the rights of the data subjects.

We have inspected the risk assess-ment and ensured that it has beenupdated during the audit period.


B.3 Antivirus is installed on the systemsand databases that are used for theprocessing of personal data, andthe antivirus is updated regularly.

We have, by sample test, inspectedthe implementation of protectionagainst malware, and we have en-sured the these have been properlyconfigured and are regularly up-dated.


B.4 External access to systems and da-tabases used for the processing ofpersonal data occurs through a se-cured firewall.

We have, by sample test, inspectedthe implementation of firewall, in-cluding the rules for in-/outboundrules.

We have inspected statement fromoperations supplier and ensuredthat firewalls have been installed.


SpeedAdmin ApS



B.5 Internal networks are segregated inorder to ensure restriction of ac-cess to systems and databases usedfor the processing of personal data.

We have inspected the list of net-works and ensured that environ-ments are segregated.

We have inspected statement fromoperations supplier and ensuredthat the network is adequately seg-regated.


B.6 Access to personal data is isolatedto users with a work-related needfor this.

We have inspected, that formalizedprocedures for limiting user accessto personal data, have been estab-lished.

We have, by sample test, inspectedthe access rights of new employeesduring the audit period and en-sured, that these are based on awork-related need.


B.7 System monitoring with alarminghas been established for the sys-tems and databases used for theprocessing of personal data.

We have, by sample test inspectedmonitoring of system capacity, andensured that this is done regularly.


B.8 Effective cryptography is used atthe transmission of confidentialand sensitive personal data via theInternet and via email.

We have inspected the policy forencryption and ensured that thisaddresses the transmission of per-sonal data.

We have, by sample test, inspectedSSL Certificates and ensured thatthese have been appropriately con-figured.


B.9 Logging has been established insystems, databases, and networks.

Log information is protectedagainst manipulation and technicalerrors and is reviewed regularly.

We have inspected the policy forlogging and ensured that decisionshave been made to protect per-sonal data.

We have, by sample test, inspectedthe set-up of systems logging andwe have ensured that this complieswith the policy.

We have, by sample test, inspectedaccess to logfiles, and ensured thataccess is limited to a work-relatedneed.


B.10 Personal information used for de-velopment, test or similar, are al-ways in pseudonymised or anony-mised form. Usage is only in orderto perform the controller’s purposeaccording to agreement and on itsbehalf.

We have, by sample test, inspectedthe development server and en-sured that the data set is anony-mized.


SpeedAdmin ApS



B.11 The established technical measuresare regularly tested by means ofvulnerability scans and penetrationtests.

We have inquired about formalizedprocedures for regular testing oftechnical measures.

We have inspected statement fromoperations supplier and ensuredthat regular patching of the operat-ing system is performed.


B.12 Changes to systems, databases,and networks are made in accord-ance with established proceduresthat ensure maintenance by meansof relevant updates and patches,including security patches.

We have inspected the procedurefor changes and ensured that therights of the data subjects are be-ing taken into account.

We have, by sample test, inspectedchanges during the audit period,and ensured that this have beenperformed according to the proce-dure.


B.13 There is a formal procedure for al-locating and revoking user accessesto personal data.

Users’ accesses are regularly re-viewed, including that rights stillcan be justified by a work-relatedneed.

We have inspected that formalizedprocedures are available for allo-cating and revoking of user accessto systems and databases, used toprocess personal data.

We have by sample test, inspectedaccesses, and ensured that newemployees have been allocated ac-cording to the procedure.

We have, by sample test, inspectedaccesses and ensured that termi-nated employees’ access rightshave been revoked according tothe procedure.

We have inspected that documen-tation is available of regular – andminimum once a year – review andapproval of allocated user accesses.


B.14 Access to systems and databases,in which personal data is pro-cessed, which entails a high risk forthe data subjects, occurs as a mini-mum by means of two factor au-thentication.

We have inquired about whetherthe company uses two factor au-thentication.

We have been informed, thatSpeedAdmin is not processingsensitive personal data, where-fore SpeedAdmin has decided notto use two factor authentifica-tion.

We have ensured, that VPN is be-ing used when connecting to in-ternal networks.


B.15 Physical access security has beenestablished such that only author-ised persons can gain physical ac-cess to premises and data centresin which personal data are storedand processed.

We have inspected the policy ofphysical security and ensured thatphysical security has been decidedupon.

We have inspected statement fromoperations supplier and ensuredthat physical securing of servershave been established.


SpeedAdmin ApS


Control objective C – Organisational measuresProcedures and controls are observed that ensure that the processor has implemented organisationalmeasures for ensuring relevant security of data processing.


C.1 The processor’s management hasapproved a written information se-curity policy, which has been com-municated to all relevant stake-holders, including the processor’semployees. The information secu-rity policy is based on the per-formed risk assessment.

Regularly – and at least annually –an assessment is made of whetherthe information security policyshould be updated.

We have inspected that infor-mation security policy is available,reviewed and approved by man-agement within the audit period.

We have ensured, that the infor-mation security policy is availableto the employees.

We have inspected the control ofinformation security policy and en-sured that this is regularly as-sessed.


C.2 The processor’s management hasensured that the information secu-rity policy is not contrary to en-tered processor agreements.

We have, by sample test, inspecteddata processor agreements, andensured that the information secu-rity policy complies with the agree-ments.


C.3 The processor’s employees arechecked in connection with em-ployment.

We have, by sample test, inspectednew employments and ensuredthat the employment has followedthe procedure for employments.


C.4 At employment, employees sign aconfidentiality agreement. In addi-tion, the employee is introduced tothe information security and proce-dures regarding data processing aswell as other relevant informationin connection with the employee’sprocessing of personal data.

We have, by sample test, inspectedemployment contracts of new em-ployees during the audit period,and ensured that they have com-mitted themselves to a confidenti-ality agreement.

We have, by sample test, in-spected statements, signed by newemployees during the audit period,and ensured that they have con-firmed having read the companypolicies and procedures.


SpeedAdmin ApS



C.5 At the termination of employment,a procedure has been implementedat the processor ensuring that theuser’s rights are deactivated or ter-minated, including that assets arereturned.

We have inspected procedures toensure that offboarding employ-ees’ access rights are deactivatedor expires upon termination, andthat assets such as key cards, PC,mobile phones etc. are being re-turned.

We have, by sample test, inspectedthe termination of access and re-turn of assets from former employ-ees and ensured that this has beenperformed according to the proce-dure.


C.6 At termination of employment theemployee is informed that thesigned confidentiality agreementstill is applicable, and that the em-ployee is subject to a general dutyof non-disclosure in relation to theprocessing of personal data thatthe processor performs for the con-trollers.

We have, by sample test, inspectedconfidentiality agreements, and en-sured that these still are applicableafter termination of employment.


C.7 There is periodic awareness train-ing of the processor’s employees inrelation to information security ingeneral as well as security of dataprocessing in relation to personaldata.

We have, by sample test, inspectedmaterial from awareness trainingduring the audit period, and wehave ensured that this training isrelated to IT-security.


C.8 The processor has assessed theneed for a DPO and has ensuredthat the DPO has the adequate pro-fessional competence to performtheir tasks and are involved in rele-vant areas.

We have, by sample test, inspectedcontrols and procedures and en-sured that the DPO has been in-volved.


SpeedAdmin ApS


Control objective D – Return and deletion of personal dataProcedures and controls are observed, that ensure that personal data can be deleted or returned if agreedwith the controller.


D.1 There are written procedures con-taining requirements that storageand deletion of personal data oc-curs in accordance with the agree-ment with the controller.

We have inspected the informationsecurity policy and ensured thatdecisions have been made, how de-letion is being performed accordingto agreements.

We have inspected the procedurefor deletion and ensured that thishas been updated during the auditperiod.

We have inspected the control ofthe procedure and ensured thatthe procedure is being regularly up-dated.


D.2 Specific requirements to the pro-cessor’s storage period and dele-tion routines have been agreed.

We have, by sample test, inspectednew data processor agreements,and ensured that decisions havebeen made about storage periodsand deletion routines.


D.3 At the end of the processing of per-sonal data for the controller, data isaccording to the agreement withthe controller:

Returned to the controller,and/or

Deleted, where not in conflictwith other legislation

We have inspected that formalizedprocedures are available, describ-ing the processing of the datasub-jects’ data upon termination of per-sonal data processing.

We have, by sample test of onedata processing terminated duringthe period, ensured that documen-tation of deletion or return of data,is available.


SpeedAdmin ApS


Control objective E – Storage of personal dataProcedures and controls are observed that ensure, that the processor only stores personal data in accord-ance with the agreement with the controller.


E.1 There are written procedures con-taining requirements that storageof personal data only occurs in ac-cordance with the agreement withthe controller.

Regularly – and at least once a year- assessment is made of whetherthe procedures need to be up-dated.

We have inspected the informationsecurity policy, and we have en-sured that decisions have beenmade about storage of data.

We have inspected the policy andensured that this has been updatedduring the audit period.


E.2 The processor’s processing includ-ing storage must only take place atthe locations, in the countries, orthe territories approved by thecontroller.

We have inspected the data pro-cessor agreements and ensuredthat the storage location is accord-ing to the agreements.

We have, by sample test, inspectedthe list of backups during the auditperiod and by sample test, ensuredthat these have been correctly con-figured.

We have observed that backuphas not been configured accord-ing to the data processor’s policyduring the audit period. We havesubsequently received documen-tation that this has been cor-rected.


SpeedAdmin ApS


Control objective F – Use of sub-processorsProcedures and controls are observed that ensure, that only approved sub-processors are used and thatthe processor when following up on their technical and organisational measures for protection of therights of the data subjects and the processing of personal data ensures adequate security of data pro-cessing.


F.1 There are written procedures con-taining requirements to the proces-sor at the use of sub-processors, in-cluding requirements on sub-pro-cessor agreements and instruction

Regularly – and at least once a year– an assessment is made, whetherthe procedures need to be up-dated.

We have inspected the policy of re-quirements of sub-processors andensured that decisions have beenmade about sub-processor agree-ments.

We have inspected that the policyhas been updated during the auditperiod.


F.2 The processor solely uses sub-pro-cessors for the use of processing ofpersonal data that are specificallyor generally approved by the con-troller.

We have, by sample test, inspectednew data processor agreementsduring the audit period, and en-sured that the processor either hasa general or a specific authorizationto use sub-processors.


F.3 In case of changes to the use ofgenerally approved sub-processors,the controller is informed in atimely manner in order to be ableto raise objections and/or with-draw personal data from the pro-cessor. In case of changes to theuse of specifically approved sub-processors, this is approved by thecontroller.

We have inquired about changes ofsub-processors during the audit pe-riod, and we have, by sample test,inspected that data controllershave been informed.


F.4 The processor has subjected thesub-processor to the same dataprotection obligations as thosestated in the processor agreementor the like with the controller.

We have inspected data processoragreements with new sub-proces-sors and ensured that the sub-pro-cessor is committed to same orsimilar data protection obligationsas the controller.


SpeedAdmin ApS



F.5 The processor has a list of ap-proved sub-processors.

We have inspected the list of sub-processors and ensured that all rel-evant sub-processors are stated inthe list.


F.6 On the basis of an updated risk as-sessment of each sub-processorand the activity taking place at thissub-processor, the processor per-forms periodic follow-up on this atmeetings, inspections, review of as-surance report, or similar.

We have, by sample test, inspectedthat regular review of sub-proces-sors has been performed, and en-sured that it has been done accord-ing to the procedure.


Control objective G – Transfer of personal data to third countriesProcedures and controls are observed that ensure, that the processor only transfers personal data to thirdcountries or international organisations in accordance with the agreement with the controller on the basisof a valid ground for transfer.


G.1 There are written procedures con-taining requirements that the pro-cessor only transfers personal datato third countries or internationalorganisations in accordance withthe agreement with the controlleron the basis of a valid ground fortransfer.


We have inspected written proce-dure containing requirements thatpersonal data cannot be trans-ferred to third countries, withoutinstructions from data controller.

We have inspected documentationthat the procedure has been up-dated during the audit period.

We have been informed and hasobserved that data are not trans-ferred to third countries, where-fore the control is not regardedto be relevant.


G.2 The processor can only transferpersonal data to third countries orinternational organizations, basedon the controller’s instructions.

We have, by sample test, inspecteddata processor agreements withnew controllers during the auditperiod for instructions of transferto third countries and we have en-sured that decisions have beenmade about transfers to thirdcountries.


G.3 In connection with transfers of per-sonal data to third countries or in-ternational organizations, the dataprocessor has assessed and docu-mented, that transfers are basedon valid grounds.

We have, by sample test, inspecteddata processor agreements withnew data controllers during the au-dit period, for instructions abouttransfer to third countries.

We have been informed and hasobserved that data are not trans-ferred to third countries, where-fore the control is not regardedto be relevant.


SpeedAdmin ApS


Control objective H – Rights of the data subjectsProcedures and controls are observed that ensure, that the processor can assist the controller with hand-ing over, correcting, erasing, or the restriction of, and providing information about, the processing of per-sonal data to the data subject.


H.1 There are written procedures con-taining requirements that the pro-cessor must assist the controller inrelation to the rights of the datasubjects.


We have inspected the procedurefor managing requests and ensuredthat decisions have been madeabout assisting the data controller.

We have inspected the procedureand ensured that this has been up-dated during the audit period.


H.2 The processor has established pro-cedures that to the extent agreedpermits timely assistance to thecontroller in relation to handingover, correcting, erasing, or the re-striction of and providing infor-mation about the processing ofpersonal data to the data subject

We have, by sample test, inspectedrequests during the audit period,and we have ensured that thesehave been handled according tothe procedure.


SpeedAdmin ApS


Control objective I – Managing personal data breachesProcedures and controls are observed that ensure, that any personal data breaches can be managed in ac-cordance with the entered processor agreement.


I.1 There are written procedures con-taining requirements that the pro-cessor must inform the controllerin case of personal data breaches.


We have inspected the procedurefor personal data breaches and en-sured that decisions have beenmade about informing the control-ler in case of personal databreaches.

We have inspected the procedureand ensured that this has been up-dated during the period.

We have inspected controls andensured that security breaches arebeing reviewed regularly.


I.2 The processor has established thecontrols for identification of anypersonal data breaches.

We have inspected, that the pro-cessor is offering awareness train-ing to the employees in relation tothe identification of potential per-sonal data breaches.


I.3 In case of a personal data breachthe processor has informed thecontroller without undue delay af-ter finding out that the personaldata breach has occurred at theprocessor or a sub-processor.

We have inspected the log of per-sonal data breaches during the au-dit period.

We have observed that no per-sonal data breaches have beendetected during the audit period,wherefore we have not been ableto test the efficiency of the pro-cedure.


I.4 The processor has established pro-cedures for assisting the controllerwhen filling a report with the Dan-ish Data Protection Agency.

We have inspected the procedureand ensured that assistance to thecontroller has been established.

We have observed that no per-sonal data breaches have beendetected during the audit period,wherefore we have not been ableto test the efficiency of the pro-cedures.


SpeedAdmin ApS


Control objective J – Conditions for consent and duty of disclosure

Procedures and controls are observed that ensure that the data subjects have given written consent to theprocessing of personal data, and in which it is ensured that the data subject has received the controller’scontact information, information on the purpose of the processing of the personal data, as well as otherinformation that is necessary for observing the duty of disclosure.


J.1 There are written procedures forthe obtaining of written consentfor the processing of personal data.

We have inquired about the han-dling of consent and duty of disclo-sure.

We have been informed that thecompany is not obtaining consentfrom the data subjects in connec-tion with revised services, where-fore this point is not relevant.


Control objective K – Record of processing activitiesProcedures and controls are observed that ensure that the processor maintains a record of categories ofprocessing activities performed on behalf of the controller.


K.1 The processor keeps a record ofcategories of processing activitiesfor each controller.

We have inspected the record andensured that it complies with therequirements of the statutory regu-lation.


K.2 Regularly – and at least annually –an assessment is made of whetherthe record of categories of pro-cessing activities for each controllershould be updated.

We have inspected the record andensured that it has been updatedduring the audit period.


K.3 Management has ensured that therecord of categories of processingactivities for each controller is ade-quate, updated, and correct.

We have inspected the record andensured that management has ap-proved the record.


Documents

SpeedAdmin ApS€¦ · SpeedAdmin ApS has made a risk assessment of potential threats to the system and data security. The threats have been assessed, based on the probability of