Data Privacy Policy

Last revision: 02.06.2020.

Data Security Policy in Brief

This Data Security Policy specifies details about how Myworkout handles customer data, employee PII, intellectual property and other sensitive information.
Our data centers, managed by Amazon Web Services (“AWS”), are SAS 70 Type II Certified, SSAE16 (“SOC 2”)/HIPAA/HITRUST Compliant, and feature proximity security badge access and digital security video surveillance. All of our customers private data is stored within our Virtual Private Cloud. All access to our web services are secured over HTTPS using at least TLSv1.2 cryptographic protocols with AES128/AES-256 and personal data is encrypted at rest using AES-256. We perform annual OWASP audits and employ security practices in a continuous process for development.

Data Center and Hardware

All Myworkout application and database servers are physically managed by AWS in secure data centers in the “eu-west-1” region. Our security procedures utilize industry best practices from sources including The Center for Internet Security , Microsoft, Red Hat and more. All data center facilities are certified SOC 2/HIPAA/HITRUST Compliant and have 24/7 physical security of data centers and Network Operations Center monitoring. A complete listing of compliances can be found here: https://aws.amazon.com/compliance/programs/.

Physical Security

AWS manages the physical access to the data centers. They control both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Myworkout employees do not have access to physical server hardware that holds PII.

Data Access and Server Management Security

Myworkout has a combination of firewall and authentication rules for accessing our hosting environment. All data access is through encrypted channels and server access on public networks requires a VPN connection to our main office. Only select Myworkout employees are able to directly access our servers.

Environmental Safeguards

All AWS data centers are equipped with automatic fire detection and suppression (either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems), climate and temperature controls, fully redundant uninterruptible power supplies , and generators to provide back-up power for each physical site.

Data Storage and Backups

All User Data stored in our Myworkout GO system is encrypted at rest using AES-256 encryption. Any identifiable data within the Myworkout GO system is stored in a separate and secured database (managed through AWS RDS) or on AWS S3. Myworkout maintains numerous full backups of all User Data. These backups are stored in a geographically and logically separated environment.

User Data Policies

User data includes data stored by Users in Myworkout applications, information about a User’s usage of the application, data instances in the Customer Relationship Management system to which we have access, or data that the User has supplied to us for support or implementation. When managing User Data, we take into account the following considerations:

User Data is not to be disclosed outside of Myworkout, except to the User who owns the data or to a partner who has been contracted by the User to manage or support their account.
User Data should only be shared using secure transmission methods and protocols. Approved transmission methods include the Myworkout Support Portal, emailing of encrypted files, or use of a User-provided secure transfer method.
User Data must never be stored outside of the Myworkout system unless required for a specific need and with executive level approval. If there is a need to archive User Data (for example, data provided by a User during implementation or training), the data should be stored on a central file server in a secure manner and deleted from any personal computers immediately. This need includes report exports, contact lists, presentations that contain User information, and User agreements.
User Data should only be accessed on a need-to-know basis. Specifically, a User’s account should only be accessed to provide support, troubleshoot a problem with that account, or for supporting the system as a whole.
User Data should never be changed without the explicit permission of the User, except for the need to address and repair data quality issues.

Destruction of Server Data

User data is deleted, anonymised or de-identified within 14 days after the user has requested to delete the account. Our data backup policies adhere to this requirements and our data backups are kept for 14 days before those backups are automatically destroyed.

Disposal of Computers and Other Data

Old computers and servers used to store or access Client information receive a 7-pass erase that meets the NIST 800-88 standard for erasing magnetic media; the devices are then recycled or resold. Paper information containing personal data in the office is discarded using a document shredder. Myworkout also adheres to a clear desk/clear screen policy.

Incident Response

Myworkout security administrators will be immediately and automatically notified via e-mail or Slack if implemented security protocols detect an incident. All other suspected intrusions, suspicious activity, or system unexplained erratic behavior discovered by administrators, users, or computer security personnel must be reported to a security administrator within one (1) hour.

Once an incident is reported, security administrators will immediately begin verifying that an incident occurred and the nature of the incident with the following goals:

Maintain or restore business continuity
Reduce the incident impact
Determine how the attack was performed or the incident happened
Develop a plan to improve security and prevent future attacks or incidents
Keep management informed of the situation and prosecute any illegal activity

Determining the Extent of an Incident

Security administrators will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, interviewing witnesses and interviewing the incident victim to determine how the incident was caused. Only authorized personnel will perform interviews or examine evidence, and the authorized personnel may vary by situation.

Notifying Clients of an Incident

Clients will be notified via email within 24 hours upon detection and confirmation of any incident that compromises access to the service, compromises data, or otherwise affects Users. Clients will receive a status update upon incident resolution.

Application Security

All data transfer and access to Myworkout applications will occur only on Port 443 over an HTTPS connection using at least TLSv1.2 cryptographic protocols with preferred AES-256 encryption. In order to ensure client compatibility we allow for AES-128 to be used for systems where AES-256 is not available.
We annually audit and review our SSL certificate configuration by a service from SSL Labs to make sure our configurations reach a minimum of grade A.
Our software architecture is container-based which ensures that our applications runs in isolation. This effectively limits the attack surface if one application is compromised.

System Updates and Security Patches

As a hosted SaaS solution, we regularly improve our system and update security patches. Since our services are container-based, it’s easy to upgrade our systems to the latest versions and security patches on an OS and application server level. Non-critical system updates will be installed at predetermined times. Critical application updates are performed ad hoc using rolling deployment to maximize system performance and minimize disruption. All updates and patches will be evaluated in a virtual production environment before implementing.

Vulnerability and Security Testing

Myworkout practices data privacy by design and default and security tests are part of our automated test-suites. In addition we perform annual OWASP audits and perform AWS Inspector Vulnerability Assessments of our server environment bi-weekly. Code that is added to our applications and services are manually reviewed by other colleagues and automatically analyzed from third party code quality testing software.

User Login and Session Security

Users are not able to directly login to Myworkout’s application. All Users logins and sessions are authenticated via a secure OAuth 2.0 access token.

Application Password Management

All Myworkout employees get training in password security and we use vetted password security software that manages passwords and helps ensure that they are unique and rotated when needed (e.g. using 1Password WatchTower to detect reused or compromised sites/passwords). For our Myworkout GO system we require all users passwords to be minimum 8 characters long and the password is checked against lists of common and leaked passwords (and rejected if found to be insecure).

Personal Data Risk Handling

All Myworkout staff members are made aware of relevant external regulations as part of their onboarding and training process. Confidentiality agreements are entered into with all employees.
We restrict Myworkout employee access to personal data based on the assessed risk level and a need to know basis.

Where anonymization is not possible (e.g. for technical reasons, where a product problem can only be recreated using PHI, such as investigating a problem on a User’s device), access to the data is restricted and the data is destroyed or returned to the User as soon as it is no longer needed. Under no circumstances should identified data be added to the company dataset library. Any identifiable data within the Myworkout GO system is stored in a separate and secured database.

The processing of personal data is limited to the minimum required to deliver the service to our customers. We conduct DPIAs for each processing purpose that is likely to entail high risk, especially data that falls under special categories of data according to GDPR.

Myworkout expects a high standard of professional integrity from our collaborators, clients, and partners and requires that they process personal data according to GDPR or applicable privacy framework such as EU-US Privacy Shield.

This Data Security Policy was last updated on June 2, 2020.

Cookie	Varighet	Beskrivelse
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-marketing	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Marketing".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Varighet	Beskrivelse
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
CONSENT	16 years 7 months 2 days 4 hours	Used by Google Ads Optimization to store cookie consent preferences.
lang	1 year	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
pll_language	1 year	This cookie is set by Polylang plugin for WordPress powered websites. The cookie stores the language code of the last browsed page.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
vuid	2 years	The cookie is used by Vimeo to store the user's usage history.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Varighet	Beskrivelse
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
_vwo_uuid_v2	1 year	This cookie is set by Visual Website Optimiser and is used to measure the performance of different versions of web pages.