Mintra Data Protection

According to Article 4 of the GDPR a Data Controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

According to Article 4 of the GDPR a Data Processor is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

As a first line of defence, Mintra Group does not publicise detailed security configuration information about our products, but this can be obtained by customers on request, by contacting gdpr@mintra.com.

The purpose of the products supplied by Mintra Group are primarily focused on the management of personnel records, including performance, competence, and financial data. As such, Mintra Group classifies all data as personal data. Extensive measures are taken to ensure the security and integrity of this data.

A range of protection measures are employed to ensure the safety of information stored, including scheduled security patching, anti-virus technologies, firewall technologies, and vulnerability assessments. Systems are designed to provide maximum protection for data layers through the use of segregated private networks.

All Mintra Group products are hosted in EU data centres which fully comply with GDPR and relevant standards. Databases are segregated from public networks and protected by access controls and firewalls. Backups are held within the same EU data centres and replicated over encrypted paths to Mintra Group premises within the EU for disaster recovery purposes. Backup sets are protected by security controls ensuring only authorised personnel have access.

All Mintra Group products utilise differentiated access allowing customers to define the scope of access for each end-user within their organisational account. Customer data is segregated either physically or logically to ensure data privacy. Active Directory integration, SSO, and multi-factor authentication can be employed to further enhance the access control mechanisms.

Mintra Group has completed an extensive project to ensure that all routines and procedures meet the requirements in GDPR. Part of this work involves reviewing intra-group data transfers and signing data processing agreements. Transfers to countries outside the EU/EEA will be governed by EU Standard Contract 2010/87/EU. Internal access to customer data is strictly controlled and utilises access control lists and private authentication mechanisms to ensure only authorised personnel have sufficient privileges.

Controlled access is available to a limited number of hosting and technology partners for specific tasks related to product management and development. Data Protection Agreements are set up with all Sub-Processors establishing the policies for data processing on behalf of Mintra Group. Where applicable, transfers to countries outside the EU/EEA will be governed by EU Standard Contract 2010/87/EU and appropriate safeguards shall be put in place.

The software products delivered by Mintra Group utilise SSL certificates to encrypt traffic between the server and the end-user. Mintra Group also provides a secure file transfer facility for the exchange of file-based data, which also utilises SSL encryption.

Deleted records are removed from databases immediately and reside only in backup sets.

Backup sets are retained for a maximum of 30 days and destroyed immediately after the retention period expires.

Currently, there is no formal certification process for GDPR, but organisations are obliged to ensure their processes and products adhere to the regulation. Mintra Group has completed an extensive review of internal processes and our software products which has resulted in security enhancements, product changes and process improvements.

A standard data processing agreement document can be obtained by all Mintra Group customers by following this link: Mintra Group Data protection

Please send a request to the following address: gdpr@mintra.com