To safeguard the privacy of your data and protect your personal information, Acture applies various measures. The General Data Protection Regulation (GDPR) forms the foundation of our information security policy. Acture complies with Dutch and European privacy laws and guidelines related to the processing of personal data.
Under the GDPR, Acture is a data controller. This means that Acture independently decides on the processing of personal data and determines how this data is handled. In other words: Acture determines the purpose and (the essential aspects of) the means of processing.
As a data controller, Acture meets its GDPR obligations with, among others, the following measures:
A privacy impact assessment (the GDPR's data protection impact assessment, DPIA) has been prepared.
As part of ISO9001 and ISO27001, annual awareness sessions are organized regarding information security and the GDPR. These sessions are mandatory for all employees. Additional awareness sessions are also held for new employees during the onboarding process.
Multiple system backups are created daily so that data remains available. These backups allow information to be restored in the event of an incident. If such an incident occurs, the most recent backup is used to restore the system.
Acture maintains a code of conduct focused on confidentiality, integrity, and availability of information to ensure optimal protection. Each employee is required to sign this code of conduct.
An internal privacy audit is conducted annually. During this audit, the privacy policy, procedures, and compliance controls are reviewed, and interviews with stakeholders are conducted. Compliance with the GDPR and other privacy legislation is assessed. A report is then prepared, outlining conclusions, recommendations, and priorities.
Acture has had its management systems certified against international ISO standards: ISO27001 (information security management), ISO27701 (privacy information management) and ISO9001 (quality management). These certifications reflect Acture’s commitment to continuous improvement.
A penetration test is conducted annually using both black box and grey box methodologies.
Black box testing: Ethical hackers evaluate the web portals and infrastructure with minimal prior information and without login credentials. Vulnerability scans are performed at both webserver and web application level.
Grey box testing: Ethical hackers are provided with test credentials such as usernames and passwords. This allows assessment of whether authorization processes are correctly enforced and whether functional security controls operate as intended.
Acture offers training and courses through an Online Academy. The GDPR Security Awareness and GDPR Privacy Awareness training sessions are mandatory during onboarding, including a final test that must be passed. The annual “Privacy & Security Awareness Acture” refresher course is mandatory for all employees.
Acture adheres strictly to the Dutch Data Protection Authority’s (Autoriteit Persoonsgegevens) policy rules on "the ill employee" ("De zieke werknemer"), which restrict which health-related data an employer may record about an employee.
User authorizations are configured in such a way that individuals who are not permitted to process certain (medical) data are also unable to view it. Access for systems and applications is always role-based.
To protect data, a distinction is made between medical and non-medical data domains. Additional security measures are in place to comply with Dutch regulations on medical data.
Data is hosted in the Netherlands, or within the EEA.
Acture takes data security very seriously and actively monitors its systems. If you identify any vulnerabilities, contact us immediately at privacy@acture.nl. Reports sent to this address are handled immediately.
You can only access your data in our systems with a valid username and password, and system users must meet various password requirements. Acture also uses two-factor authentication and cryptographic measures such as encryption and TLS-secured (SSL) connections to protect sensitive and confidential information.
The security of your data is actively monitored. User authorizations are configured such that individuals who should not process specific (medical) data cannot view it.
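The following is an added example, not Acture’s own code, of what the measures described above and under the grey-box test amount to in practice: a deny-by-default, role-based authorization model with separate medical and non-medical data domains, where even a validly logged-in user sees only the fields their roles permit, plus an authorization matrix check of the kind a grey-box test performs with a test account per role. The role names, the field classification, the expected matrix and the sample record are assumptions made for illustration; an unclassified field deliberately falls into the medical domain so that a forgotten classification fails closed.

```python
"""Role-based authorization over separate medical and non-medical data domains,
plus a grey-box style check that every role gets exactly the access it should.

Added example, not Acture's own code. The role names, domains, field
classification, expected matrix and sample record are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Domain(Enum):
    NON_MEDICAL = "non_medical"  # identity, employer, absence dates
    MEDICAL = "medical"          # diagnosis, treatment: restricted to medical roles


# Hypothetical roles. A role holds only the (domain, action) pairs it is
# granted; every pair not listed is denied.
PERMISSIONS = {
    "case_manager":   {(Domain.NON_MEDICAL, "read"), (Domain.NON_MEDICAL, "write")},
    "company_doctor": {(Domain.NON_MEDICAL, "read"),
                       (Domain.MEDICAL, "read"), (Domain.MEDICAL, "write")},
    "auditor":        {(Domain.NON_MEDICAL, "read")},
}

# Every stored field is classified into exactly one domain (constructed example).
FIELD_DOMAIN = {
    "name": Domain.NON_MEDICAL,
    "employer": Domain.NON_MEDICAL,
    "absence_start": Domain.NON_MEDICAL,
    "diagnosis": Domain.MEDICAL,
    "treatment_plan": Domain.MEDICAL,
}

# Constructed sample record; not real personal data.
SAMPLE_RECORD = {
    "name": "J. Jansen",
    "employer": "Voorbeeld B.V.",
    "absence_start": "2024-03-01",
    "diagnosis": "<medical>",
    "treatment_plan": "<medical>",
}


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset


def is_allowed(user, domain, action, permissions=PERMISSIONS):
    """Deny by default: allow only if one of the user's roles grants (domain, action)."""
    return any((domain, action) in permissions.get(role, set()) for role in user.roles)


def view_record(user, record, permissions=PERMISSIONS):
    """Return only the fields the user may read. A field without a classification
    is treated as medical, the most restrictive domain, so it fails closed."""
    return {
        name: value
        for name, value in record.items()
        if is_allowed(user, FIELD_DOMAIN.get(name, Domain.MEDICAL), "read", permissions)
    }


def update_field(user, record, name, value, permissions=PERMISSIONS):
    """Write one field, or raise PermissionError if no role of the user covers it."""
    domain = FIELD_DOMAIN.get(name, Domain.MEDICAL)
    if not is_allowed(user, domain, "write", permissions):
        raise PermissionError(f"{user.username} may not write {domain.value} field {name!r}")
    return {**record, name: value}


# Expected decisions, written out independently of PERMISSIONS so the check is
# not circular: exactly these (role, domain, action) combinations must be allowed.
EXPECTED_ALLOWED = {
    ("case_manager", Domain.NON_MEDICAL, "read"),
    ("case_manager", Domain.NON_MEDICAL, "write"),
    ("company_doctor", Domain.NON_MEDICAL, "read"),
    ("company_doctor", Domain.MEDICAL, "read"),
    ("company_doctor", Domain.MEDICAL, "write"),
    ("auditor", Domain.NON_MEDICAL, "read"),
}


def authorization_check(permissions=PERMISSIONS):
    """Grey-box style check: use a test account per role and try every
    (domain, action). Returns deviations as (role, domain, action, observed);
    an empty list means authorization is enforced exactly as expected."""
    deviations = []
    for role in permissions:
        tester = User(f"test_{role}", frozenset({role}))
        for domain in Domain:
            for action in ("read", "write"):
                observed = is_allowed(tester, domain, action, permissions)
                expected = (role, domain, action) in EXPECTED_ALLOWED
                if observed != expected:
                    deviations.append((role, domain.value, action, observed))
    return deviations


if __name__ == "__main__":
    cm = User("cm01", frozenset({"case_manager"}))
    print("case manager sees:", sorted(view_record(cm, SAMPLE_RECORD)))
    print("deviations:", authorization_check())
    # A misconfiguration that grants the case manager medical read access is caught:
    broken = {**PERMISSIONS,
              "case_manager": PERMISSIONS["case_manager"] | {(Domain.MEDICAL, "read")}}
    print("deviations with broken config:", authorization_check(broken))
```

The check compares an explicitly written expected matrix against the live decisions rather than deriving the expectation from the configuration itself; otherwise an over-broad grant would be approved by its own definition, which is precisely the class of mistake a grey-box test with real test credentials is meant to surface.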
Acture’s systems are protected by anti-malware and antivirus software to prevent infection. We also rely on your own systems having adequate virus and malware protection to safeguard your personal data.
Acture performs an annual supplier assessment regarding GDPR compliance. All suppliers that process personal data are thoroughly evaluated using a risk analysis covering availability, confidentiality, and integrity. Processor agreements are concluded where the GDPR requires them.
We do not use your identifiable customer data for purposes other than the delivery of our services. The types of personal data we process vary depending on the services you purchase and the agreement with Acture.
If the agreement with Acture is terminated, Acture cannot simply delete your data, because statutory retention obligations apply to it.
All data is stored within Acture in accordance with ISO27001 standards. Related measures comply with the Dutch Data Protection Authority’s guidelines on the protection of personal data.
The change management procedure for (database) changes must be documented and includes at minimum: