Data protection
At FirstAgenda we take IT and data security very seriously. On this page you can read more about how we comply with IT security and data management and ensure that your information is not misused by third parties. FirstAgenda therefore complies with applicable data protection legislation
GDPR Compliance
At FirstAgenda , we obtain an ISAE3000 statement annually.
The statement is drawn up by an independent third party regarding FirstAgenda's compliance with the General Data Protection Regulation, data protection provisions in other EU or Member State law and the content of the data processing agreement.
Historical statements
Download ISAE3000 statement June 2020/2021 (Prepare)
Download ISAE3402 statement June 2020/2021 (Live, Management, Publication )
Applicable for AWS infrastructure:
Download ISAE3000 statement June 2021/2022 (Prepare)
Applicable for Binero infrastructure:
Download ISAE3000 statement June 2021/2022 (Entire meeting suite)
Applicable for both Binero and AWS infrastructure:
Download ISAE3000 statement June 2022/2023 (Entire meeting suite)
Download deviations to declaration (22/23)
Download ISAE3000 statement June 2023/2024 (Full meeting suite)
GDPR Compliance
Data processing agreement
In any customer relationship, we process personal data on behalf of our customers. In this relationship, our customers are data controllers and we are data processors.
This means that both we and our customers are obliged to enter into a data processing agreement, the content of which must meet the requirements of the GDPR.
FirstAgenda uses the Danish Data Protection Agency's standard contractual clauses as a data processing agreement. This has the advantage that we fulfill our joint obligation to enter into a valid data processing agreement.
Data processing agreement - AWS
You can access our data processing agreements here
NOTE: You do not automatically sign the data processing agreement when you access it.
Data processing agreement
You can access our data processing agreements here
NOTE: You do not automatically sign the data processing agreement when you access it.
Data processing agreement
You can access our data processing agreements here
NOTE: You do not automatically sign the data processing agreement when you access it.
Data processing agreement
You can access our data processing agreements here
NOTE: You do not automatically sign the data processing agreement when you access it.
Data processing agreement - Binero
You can access our data processing agreements here
NOTE: You do not automatically sign the data processing agreement when you access it.
You can read our sub-processor agreement here
Streaming
Aventia Media AS provides streaming that integrates with FirstAgenda Live to support digital meeting platforms with high-quality real-time streaming. Aventia's streaming service ensures a stable and secure transfer of audio and video to meeting participants, enabling a seamless and user-friendly experience.
Processing takes place in the EU/EEA, where the data processor's solution is hosted in accordance with a separate sub-processor agreement.
Note: Aventia AS is an active sub-processor option if you want to use streaming via FirstAgenda.
Sub-processor agreement
Safety measures
Suppliers
Using recognized vendors that are ISO 27001:2013, 27017:2015, 27018:2014 and ISO 9001:2015 certified for platform hosting within the vendor's EU/EEA data regions.
Backup and anti-malware
Daily backup and updated anti-malware and anti-virus on systems and devices.
Using Multi Factor Authentication login
Multi Factor Authentication login option for the platform and production environment.
Physically secure locations with individual access key fobs and codes and monitor facilities.
Physical security of sites
Procedures
Procedures for accessing the production environment and accessing customer data.
Hardware
Hardware reuse is only done by restoring factory settings and hardware destruction is done according to the market standard for this, so data recovery is not possible.
Full TLS and HTTPS encryption of data in transit.
Encryption
Segmented and encrypted network and connection to Security Operation Center (SOC) via hosting provider.
Networking
Full redundancy at the main hosting and operations provider to ensure access and continuous operation of the platform.
Redundancy
Logging
Logging access and actions in the platform and systems.
Background check
Background checks for employees.
Continuous platform check
Full redundancy at the main hosting and operations provider to ensure access
and continuous operation of the platform.
FAQ
Here you can find answers to some of the questions we are most frequently asked about GDPR.
-
A data processing agreement is a legally binding document that regulates the data processor's processing of personal data on behalf of the data controller. FirstAgenda is a data processor in connection with the delivery of its solutions and you as customers are data controllers.
To ensure compliance with the GDPR, it is necessary to enter into a contract that regulates the scope and duration of the processing. Please note that you as the data controller have the overall responsibility.
-
FirstAgenda provides the solutions Prepare, Publication, Live, Management and LetDialog.
Please note that it is necessary that the data processing agreement is concluded at product level, as the processing activity varies from one solution to another.
If your organization uses multiple solutions, you will need to enter into a corresponding number of data processing agreements. For example, it will be necessary to enter into two data processing agreements if your organization uses both Prepare and Publication.
-
When using FirstAgenda Publication there is a processing of personal data as defined in GDPR art. 4. In this processing of personal data, you as a data controller must be aware that the processing activity is different from FirstAgenda Prepare , which is why we, as a data processor, are obliged under GDPR art. 28 to receive instructions and purposes for exercising these processing activities in our provision of FirstAgenda Publication
-
Formalized procedures are in place to ensure that FirstAgenda conducts a risk assessment to achieve appropriate security. The risk assessment performed is up to date and covers the current processing of personal data. FirstAgenda has implemented the technical measures to ensure appropriate security in accordance with the risk assessment.
We obtain an annual ISAE3000 statement from an independent auditor, which, among other things, tests that risk assessments have been carried out. The declarations are made available on the website and serve as documentation of our compliance with the GDPR and the provisions of the data processing agreement.
-
Data is stored in accordance with a data processing agreement. We perform ongoing screening and control of our sub-processors to ensure appropriate processing security.
We have implemented appropriate organizational and technical security measures to ensure that there are no unintentional third-country transfers, including but not limited to encryption measures in accordance with the EDPB's recommendations in this regard.
-
At FirstAgenda we have purchased it as a service that AWS is obliged to process data within the data region EU-WEST (Ireland), and thus within the EU/EEA.
FirstAgenda has, in continuation of the above, taken additional measures to ensure that the personal data is subject to adequate security and therefore cannot be accessed by unintended third parties. Encryption measures have been taken in accordance with the EDPB recommendations for this, ensuring the storage of the encryption key separately, so that even AWS does not have the possibility to decrypt
FirstAgenda's dataset. As a security measure, we do not want to publish the exact location where the encryption key is stored, as this could be exploited.
Please note that on July 10, 2023, the European Commission adopted an adequacy decision that opens up for the transfer of personal data to the United States without the use of other transfer bases. However, this requires that the recipient is certified under the new EU-U.S. Data Privacy Framework by the U.S. Department of Commerce, which AWS is. https://www.dataprivacyframework.gov/s/participant-search
-
As a security measure, we do not want to publish the exact location where the encryption keys are stored, as this could be exploited with negative consequences. The encryption keys are stored separately in locations that even AWS does not know about.
-
Binero is headquartered in Sweden, which is why all hosting is done at locations in Sweden. With Binero, you get a European setup where you are also assured of a high level of security, which is reflected in their certifications and declarations.
AWS is obligated under their standard sub-processor agreement to perform data processing within the EU-WEST (Ireland) data region. AWS has a state-of-the-art setup, which is reflected in their many certifications and declarations.
-
We have addressed the comments in our latest ISAE3000 statement. This is further elaborated below:
Deviations in ISAE3000 declaration
-
As a data processor, we offer solutions for you as a data controller. It is the data controller who must comply with GDPR articles 12, 13 and 14. In some of our solutions, we offer you as a data controller to comply with the duty of disclosure, in particular by supporting a subpage where you have the opportunity to provide the statutory information.
-
As a customer, you must be aware of who must comply with what in which role. This means that when you access FirstAgenda website(s), these websites have nothing to do with the delivery of the solutions and thus FirstAgenda is the data controller for the processing of personal data that takes place on the websites.
No cookie technologies are used in the solutions themselves.