Data protection

At FirstAgenda we take IT and data security very seriously. On this page you can read more about how we handle IT security and data management and ensure that your information is not misused by third parties. FirstAgenda complies with applicable data protection legislation.

GDPR Compliance

At FirstAgenda, we obtain an ISAE3000 statement annually.

The statement is drawn up by an independent third party regarding FirstAgenda's compliance with the General Data Protection Regulation, data protection provisions in other EU or Member State law and the content of the data processing agreement.

Historical statements

GDPR Compliance

Data processing agreement

In any customer relationship, we process personal data on behalf of our customers. In this relationship, our customers are data controllers and we are data processors.

This means that both we and our customers are obliged to enter into a data processing agreement, the content of which must meet the requirements of the GDPR.

FirstAgenda uses the Danish Data Protection Agency's standard contractual clauses as a data processing agreement. This has the advantage that we fulfill our joint obligation to enter into a valid data processing agreement.

FirstAgenda Prepare

Data processing agreement - AWS

You can access our data processing agreements here

NOTE: You do not automatically sign the data processing agreement when you access it.

Read more about our use of sub-processors here

FirstAgenda Publication

Data processing agreement

You can access our data processing agreements here

NOTE: You do not automatically sign the data processing agreement when you access it.

Read more about our use of sub-processors here

FirstAgenda Management

Data processing agreement

You can access our data processing agreements here

NOTE: You do not automatically sign the data processing agreement when you access it.

Read more about our use of sub-processors here

FirstAgenda Live

Data processing agreement

You can access our data processing agreements here

NOTE: You do not automatically sign the data processing agreement when you access it.

Read more about our use of sub-processors here

FirstAgenda Prepare

Data processing agreement - Binero

You can access our data processing agreements here

NOTE: You do not automatically sign the data processing agreement when you access it.

Read more about our use of sub-processors here

Safety measures

Suppliers

Using recognized vendors that are ISO 27001:2013, 27017:2015, 27018:2014 and ISO 9001:2015 certified for platform hosting within the vendor's EU/EEA data regions.

Backup and anti-malware

Daily backup and updated anti-malware and anti-virus on systems and devices.

Using Multi Factor Authentication login

Multi Factor Authentication login option for the platform and production environment.

Physical security of sites

Physically secure locations with individual access key fobs and codes and monitored facilities.

Procedures

Procedures for accessing the production environment and accessing customer data.

Hardware

Hardware reuse is only done by restoring factory settings and hardware destruction is done according to the market standard for this, so data recovery is not possible.

Encryption

Full TLS and HTTPS encryption of data in transit.

Networking

Segmented and encrypted network and connection to Security Operation Center (SOC) via hosting provider.

Redundancy

Full redundancy at the main hosting and operations provider to ensure access and continuous operation of the platform.

Logging

Logging access and actions in the platform and systems.

Background check

Background checks for employees.

Continuous platform check

Full redundancy at the main hosting and operations provider to ensure access and continuous operation of the platform.

FAQ

Here you can find answers to some of the questions we are most frequently asked about GDPR.

  • A data processing agreement is a legally binding document that regulates the data processor's processing of personal data on behalf of the data controller. FirstAgenda is a data processor in connection with the delivery of its solutions and you as customers are data controllers.

    To ensure compliance with the GDPR, it is necessary to enter into a contract that regulates the scope and duration of the processing. Please note that you as the data controller have the overall responsibility.

  • FirstAgenda provides the solutions Prepare, Publication, Live, Management and LetDialog.

    Please note that it is necessary that the data processing agreement is concluded at product level, as the processing activity varies from one solution to another.

    If your organization uses multiple solutions, you will need to enter into a corresponding number of data processing agreements. For example, it will be necessary to enter into two data processing agreements if your organization uses both Prepare and Publication.

  • When using FirstAgenda Publication, personal data is processed as defined in GDPR art. 4. In this processing of personal data, you as a data controller must be aware that the processing activity is different from FirstAgenda Prepare, which is why we, as a data processor, are obliged under GDPR art. 28 to receive instructions and purposes for exercising these processing activities in our provision of FirstAgenda Publication.

  • Formalized procedures are in place to ensure that FirstAgenda conducts a risk assessment to achieve appropriate security. The risk assessment performed is up to date and covers the current processing of personal data. FirstAgenda has implemented the technical measures to ensure appropriate security in accordance with the risk assessment.

    We obtain an annual ISAE3000 statement from an independent auditor, which, among other things, tests that risk assessments have been carried out. The declarations are made available on the website and serve as documentation of our compliance with the GDPR and the provisions of the data processing agreement.

  • Data is stored in accordance with a data processing agreement. We perform ongoing screening and control of our sub-processors to ensure appropriate processing security.

    We have implemented appropriate organizational and technical security measures to ensure that there are no unintentional third-country transfers, including but not limited to encryption measures in accordance with the EDPB's recommendations in this regard.

  • At FirstAgenda, we have purchased, as a service, that AWS is obliged to process data within the EU-WEST (Ireland) data region, and thus within the EU/EEA.

    FirstAgenda has, in continuation of the above, taken additional measures to ensure that the personal data is subject to adequate security and therefore cannot be accessed by unintended third parties. Encryption measures have been taken in accordance with the EDPB recommendations for this, ensuring the storage of the encryption key separately, so that even AWS does not have the possibility to decrypt FirstAgenda's dataset. As a security measure, we do not want to publish the exact location where the encryption key is stored, as this could be exploited.

    Please note that on July 10, 2023, the European Commission adopted an adequacy decision that opens up for the transfer of personal data to the United States without the use of other transfer bases. However, this requires that the recipient is certified under the new EU-U.S. Data Privacy Framework by the U.S. Department of Commerce, which AWS is. https://www.dataprivacyframework.gov/s/participant-search

  • As a security measure, we do not want to publish the exact location where the encryption keys are stored, as this could be exploited with negative consequences. The encryption keys are stored separately in locations that even AWS does not know about.

  • Binero is headquartered in Sweden, which is why all hosting is done at locations in Sweden. With Binero, you get a European setup where you are also assured of a high level of security, which is reflected in their certifications and declarations.

    AWS is obligated under their standard sub-processor agreement to perform data processing within the EU-WEST (Ireland) data region. AWS has a state-of-the-art setup, which is reflected in their many certifications and declarations.

  • We have addressed the comments in our latest ISAE3000 statement. This is further elaborated below:

    Deviations in ISAE3000 declaration

  • As a data processor, we offer solutions for you as a data controller. It is the data controller who must comply with GDPR articles 12, 13 and 14. In some of our solutions, we offer you, as a data controller, a way to comply with the duty of disclosure, in particular by supporting a subpage where you have the opportunity to provide the statutory information.

  • As a customer, you must be aware of who must comply with what in which role. This means that when you access FirstAgenda's website(s), these websites have nothing to do with the delivery of the solutions and thus FirstAgenda is the data controller for the processing of personal data that takes place on the websites.

    No cookie technologies are used in the solutions themselves.
