Q) Who in Playable is responsible for the day-to-day security?
A) Marianne Pharsen, Co-CEO and COO
Q) Does Playable process personal data?
A) Yes, in most cases. The Playable platform is a tool to create marketing campaigns with gamification. This can be quizzes, tests, games etc. The platform gives the possibility to collect data from the persons engaging in the game/test. Data collection is done by inserting a registration form and consent in the Game flow. This is data such as; name, email, age, zip code, but can include other variables. Data in relation to the answers in quizzes/tests can also be personal data, depending on how the quiz is formed.
Q) Which kind of data does Playable process?
A) This will be defined by the Data Controller (Customer) that uses the Playable platform to create a campaign. Playable also process IP-addresses when the campaign contains a consent form.
Playable states in the Data Processing Agreement that no sensitive data are processed. But it is the Customers responsibility to not setup fields that would contain sensitive data.
Q) Does Playable transfer personal data provided to any countries outside of the EEA, e.g. when you are using external Data Centers or Cloud Systems?
A) No – Playable uses Amazon Web Services as hosting provider with data only hosted in Ireland.
Q) Do Playable comply with all applicable laws and regulations when dealing with an individual’s personal identifiable information, in particular those relating to the General Data Protection Regulation (“the GDPR”) and Data Protection Act 2018 (“the DPA”)?
A) Yes
Q) Please provide details of the background checks your organization carries out on potential staff.
A) Playable obtains criminal records and do personality tests prior to the employment of new Danish employees. For foreign employee’s personality tests are done and references are taken from former Employers and coworkers.
Q) What steps do Playable take to check the previous employment history and experience of candidates for vacancies within Playable, including resolving any gaps, discrepancies or anomalies in their employment history?
A) Playable has an extensive recruitment process in place to ensure we recruit and retain the right people for internal roles. The recruitment process includes collecting relevant references, two or more interviews, relevant testing based on the position and an evaluation procedure.
Q) Please state whether your organization has adopted an Information Security and IT guidelines (including IT assets) and whether this forms part of an employee’s terms of employment.
A) Yes, as a part of the new employee introduction the employee is presented with the information security and IT guidelines and confirm in writing that the guidelines has been read and understood.
Q) Please provide details of the mandatory information security or data protection training Playable provides to staff and the frequency this is required to be refreshed.
A) All staff undertake mandatory training for IT Security and GDPR (Data Protection) at least twice a year.
Q) Is the site protected by 24-hour security? If so, please state the particulars of this (E.g. CCTV, guard services etc.).
A) Yes, the site for hosting, Amazon Web Services, offers high level of security including the use of measures including (but not limited to) access control, CCTV and 24-hour security guards.
The Danish office location has relevant security measures, such as locked door at all times with access by key chip, visitor registration and alarm systems.
Q) Are all persons required to wear and display ID at all times, whilst on Playable premises?
A) All visitors are required to wear ID badge when visiting our office locations.
Q) Describe how data is protected between any and all end user devices and the service.
A) Access to customer data is restricted to authorized users of the Playable platform. All users are authenticated with username/password with logins with the possibility to enable 2FA.
All data is encrypted to 256-AES at rest, including backups. Access to the server requires use of VPN, personal passwords and 2FA.
Q) Where is the data physically stored and backed up?
A) Amazon Web Services, Ireland
Q) Please outline which recognized security standards Playable complies with.
A) ISO27001 certification
Q) Please outline which recognized security standards the data storage facility/data center complies with.
A) ISO 27001 certification, ISO 27017 certification, ISO 27018 certification. Furthermore SOC 1, 2 and 3 reports are issued yearly and reviewed by Playable.
Q) Does Playable have a Clear Screen Policy enforced through automatic user session suspension (e.g. automatic screensaver lock) after a fixed period of inactivity?
A) Yes, automatic screen lock is set at 1 minute for all employees.
Q) Please describe how separation between service consumers is achieved.
A) All customer data within the Playable platform is logically, rather than physically separated.
Q) Describe how data is protected internally within the service.
A)
The technical system-based control environment is supported by a number of manual procedures and access controls to the physical work environment, including:
Q) How is data protected when being transferred to the customer?
A) Data is transferred via the customers own API or Webhook. The security concerning the transfer will be as high as the customers API allows. It is also possible to manually export data from the platform. Logs on exportation of data is kept for all times.
Q) Has Playable been subject to any external audit? If yes, please describe the audit process and any recommendations/actions arising from the most recent audit.
A) Audit is done by an external auditor who will have access to all relevant material and conduct interviews with staff. There have been no remarks in the latest ISAE3000 report, which can be shared on request.
Q) Please describe how data is disposed of when it reaches the end of its life.
A) As default all customer data is deleted 30 days after end campaign. The default can be changed to 60 or 90 days in the settings in the platform controlled by the customer. Furthermore, the GDPR-interface in the Playable platform makes it possible to delete data on specific data subjects (e.g. if a data subject wants to enforce the right to be forgotten).
Q) What is Playable’s backup procedure?
A) Data from the whole production system is backed up every night at a separate server on our service provider Amazon. In the event of a disaster, a maximum of one day of data is lost. Currently, backups of personal data are kept for 2 weeks.
Q) Are there any logs available?
A) Logs on login activity on the Playable platform account is kept for 8 weeks and is visible in the Playable platform. Logs on whom has exported data is available in the Playable platform and is kept indefinitely.
Q) What measures do you take to protect the service against malware?
A) Antivirus and malware protection programs are installed at all endpoints.
Q) What measures are in place to ensure effective protective monitoring of the service?
A) CloudWatch – monitors all metrics
Q) Please describe how the development of software or services in your organization complies with any security standards.
A) All development is done in accordance with the established processes. Testing is done in a separate test environment with dummy data.
Q) Please describe how your organization manages risk from third party suppliers and delivery partners.
A) Playable evaluates all suppliers in regard to risks and general security. The evaluation is based on a predefined questionnaire and process for supplier approval.
Q) How are users authenticated to the service (as defined) to prevent unauthorized access?
A) Access to the system is for authorized users with a secure username and password.
Q) How are user credentials protected? For example, Encryption, hashing etc.
A) All passwords are stored in hashed form in the database. Passwords are never stored in plain text.
Q) How are user identities verified?
A) Users are identified by username and password – it is possible to enable 2FA via settings in the Playable platform.
Q) What is the password policy for the service provided by Playable?
A) Minimum 8 characters. The password format for the Playable system requires a combination of uppercase, lowercase, numbers and special sign. All passwords are held in hashed form and not plain text and changed every 6 months.
Q) Are all external interfaces subject to penetration testing?
A) Yes, penetration test is done once a year and vulnerability scan twice a year by external partners.
Q) Please describe your security incident management processes.
A) A system is in place to handle non-conformity reports. All non-conformity reports are handled by the day-to-day security responsible and will always be included in the agenda for the weekly management meetings.
Q) Please describe how you ensure duties are segregated between staff.
A) The areas of responsibility and the duties in connection hereto has been identified and assigned to the responsible staff in a clear and visible manner via the Playable Information Security Management System.
Q) Please describe how you ensure staff and users only have access to the data they need.
A) Playable regularly reviews employee access and evaluates if the access is needed in order to perform his/her duties (need to have basis-access). Customer access is granted by Playable to the initial users of the Playable platform and thereafter, the customer can add new users up to the number of seats that has been agreed. The customer is therefore able to validate the user. Different roles of users can be applied in order to restrict access to all features, for example restrict access to export of data.
Q) Please describe whether business recovery plans are documented and reviewed on a regular basis.
A) Yes, the last review of our BCP was in October 2023.
Q) In case of disruption, how long will it take before data can be accessed?
A) An evaluation of Playable’s recovery plan has shown that data will be accessible again within 24 hours.
Q) Please detail the number and length of any outages in the service within the last 24 months.
A) We have had no significant (unplanned) outages of the service within the last 24 months.