10 Jun 2022
Our IT security - The foundation for safe people counting
ndivd's safe people counting system - based on Data Protection by Design - is not just about our patented anonymisation method.
It's also about how we ensure integrity, availability, persistence and confidentiality in our systems. How we encrypt sensitive information, perform backups, and continuously test our infrastructure.
Achieving and maintaining a high level of quality is vital to us. That's why ISO certification has been a natural endeavour for us from the start.
In this article, we explain how we work with continuous evaluation and improvement of safety and security relating to our people counters, our customers, and our customers' customers.
Our patented anonymisation method ensures safe and secure people counting. It is an irreversible action, making it impossible (or extremely impractical) to identify natural persons.
In the context of people counters, this means that simply erasing the image and saving random, hashed or salted data for a customer is not enough. This data is still personal data which, in combination with location data for the store/mall, time data relating to when the processing took place and external data such as mobile phone data, easily can be used to identify a unique natural person.
Anonymisation requires it to practically be impossible to identify the person, which can be tested with available data. If the data can be traced to a natural person, then the activity is pseudonymisation, rather than anonymisation. This means that the data has been processed but that it is still personal data. Data about a natural person that can not be identified.
We use data anonymisation in other parts of our infrastructure as well. This ensures a high level of confidentiality and strengthens the integrity of our systems.
We comply with our internal policies and use secure login methods to our critical systems, meaning sensitive information - as well as our systems as a whole - are protected.
Where appropriate, we use symmetrical and asymmetrical encryption and we put much focus into helping our customers achieve a high level of security in their shops and sites.
We use several different approaches to ensure a high level of confidentiality in our systems. This includes PAM authentication and, further, a design of our infrastructure that enables separate processing of different types of information used for different purposes. We also use access techniques that prevent people from accessing information they are not authorised to access.
We follow our Data Breach Response Policy in the event an incident occurs, meaning problems are fixed as quickly and comprehensively as possible.
All our processes follow our Data Classification Policy, which enables and ensures a high level of integrity in our systems.
We further provide security guidelines to personal data controllers to support them in establishing strong integrity in the local environment. We always use secure ways to transfer data and apply technical and organisational protection for authorisations, logs, protocol analysis, audits, automatic exclusion protocols, etc.
To ensure a high level of accessibility, all our data is protected and secured should an incident occur.
Our infrastructure is designed to be resilient and keep carrying out its mission even when faced with temporary or constant high loads.
Our infrastructure is using secure and reliable European cloud-based systems which safeguards our documented backup concept.
Penetration risk analysis and testing
We carry out penetration risk tests of our systems on a regular basis and in collaboration with experts. These penetration risk tests are conducted based on routines and standards, as described in our internal policies, with the aim to minimise the risk of incidents.
We also carry out regular risk analyses to ensure a risk-conscious culture with minimum incidents.
Our latest risk analysis, carried out by market-leading experts, showed no evidence of high risks in our infrastructure.