Myworkout security administrators will be immediately and automatically notified via e-mail or Slack if implemented security protocols detect an incident. All other suspected intrusions, suspicious activity, or unexplained erratic system behavior discovered by administrators, users, or computer security personnel must be reported to a security administrator within one (1) hour.
Once an incident is reported, security administrators will immediately begin verifying that an incident occurred and the nature of the incident with the following goals:
All Myworkout staff members are made aware of relevant external regulations as part of their onboarding and training process. Confidentiality agreements are entered into with all employees.
We restrict Myworkout employee access to personal data based on the assessed risk level and on a need-to-know basis.
Where anonymization is not possible (e.g. for technical reasons, where a product problem can only be recreated using PHI, such as investigating a problem on a User’s device), access to the data is restricted and the data is destroyed or returned to the User as soon as it is no longer needed. Under no circumstances should identified data be added to the company dataset library. Any identifiable data within the Myworkout GO system is stored in a separate and secured database.
The processing of personal data is limited to the minimum required to deliver the service to our customers. We conduct DPIAs for each processing purpose that is likely to entail high risk, especially for data that falls under the special categories of data according to GDPR.
Myworkout expects a high standard of professional integrity from our collaborators, clients, and partners and requires that they process personal data according to GDPR or an applicable privacy framework such as the EU-US Privacy Shield.
This Data Security Policy was last updated on June 2, 2020.