It is Attensi's customers who are data controllers for the information collected through the use of Attensi's platform. Attensi's customers use the platform for the purpose of performing internal training of their own employees or customers, suppliers or other relevant third parties. Thus, the customer determines the purpose and means of the processing – which is the definition of data controller.
Attensi is a data processor. Attensi will, in order to run the platform, have access to end users' personal data. Attensi will only process the end users' information on behalf of the customer and in compliance with its lawful instructions and the processing agreement entered into with the customer.
What information Attensi collects from end users will vary based on customer needs and the relevant platform. In general, the Attensi platform will require the following information:
Yes, all personal data is encrypted both in transit (using HTTPS and SSL/TLS) and at rest (using AES-256).
Attensi's processing of end users' personal data is based on a data processing agreement with the Attensi customer. The customer is responsible for ensuring that the processing of end users' personal data has sufficient legal basis.
The purposes of the processing will depend on the customer's needs and requests. In general, Attensi assumes that the following purposes and legal bases may be relevant for Attensi's processing on behalf of the customer:
|To enable use of the platform||
|To respond to questions or inquiries||
|To improve the platform, the content of the platform and the user experience||
|To identify and provide content that is relevant to any particular user or group of users (if requested by the customer)||
|To send email, push or SMS notices that the end user has signed up for (if requested by the customer)||
|To enable investigations, prevention and protection against violations of rules related to the use of the platform, fraud or other potential threats to the customer or third parties' rights||
|To comply with all applicable rules and regulations||
|For any other purposes, permitted by consent or as permitted or required by law, rule, regulation or any other legal process||
As a general rule, the data controller – i.e. the customer – is responsible for securing consent for the processing of information in relation to use of the Attensi platform. Attensi will however generally offer an opt-in solution in all platforms, where the end user must confirm that they are aware of, and agree to, processing of certain personal data in relation to the use of the platform.
End users have the right to cancel their registration with the platform at any time. The request to cancel the registration and withdraw consent for processing shall be directed to the Attensi customer, who shall forward this information to Attensi. The end user shall be made aware that the use of the platform is dependent on processing of certain information regarding the end user, and that a withdrawal of consent may lead to full or partial loss of the platform's functionality.
The end users have the right to information about what personal data is registered in the platform, to change or update the stored data, correct any errors in that data and to request that unnecessary data is erased. All requests related to registered information about the end user shall be directed to the customer, who shall forward such requests to Attensi.
The end user is also entitled to:
All such requests shall be directed to the customer, who shall provide the requested information to the end user, and – if necessary – forward any request for restriction of processing or data portability to Attensi.
Employees and data processors engaged by Attensi may have access to the personal data processed in relation to the platform, depending on their roles and tasks.
Attensi has established internal access routines, ensuring that employees only access personal data on a need-to-know basis, meaning that only employees who require access in order to perform their duties shall have access to end users' personal data.
Attensi enters into data processing agreements with its data processors, limiting their use of and access to personal data to the purpose of fulfilling their obligations towards Attensi. Attensi's current data processor(s) only provide hosting services and should not access and use personal data stored in the platform.
Which information will be included in the reports provided by the platform will depend on the purpose of the relevant platform and the customer's choice. In general, the Attensi platform provides reports containing playthrough data for the individual end user resulting from training sessions on the platform. The customer will receive reports on an aggregate level, e.g. confirming which end users have completed which tests, the associated scoring, achievements, feedback etc. The customer will decide which individuals in the organisation will receive reports and what level of information the reports shall contain.
Attensi, as data processor, shall notify the controller without undue delay after becoming aware of a personal data breach.
Attensi has internal routines for frequent review of security systems, virus protection etc. that allow Attensi to detect any unauthorised access, disclosure, modification etc. to the personal data stored in relation to the platform.
Attensi will retain the end user's personal data for as long as it is necessary to fulfil the purposes for processing as defined above, and will, as a main rule, delete all personal data upon an end user's request for cancellation or withdrawal of consent, or upon the customer's termination of the service agreement.
Continued storage will only occur in case legal obligations require such storage, e.g. statutory rules related to storage for accounting purposes. Continued storage may also occur where such storage is necessary for the purposes of legitimate interests pursued by the customer, Attensi or third parties, including, but not limited to, the establishment, exercise or defence of legal claims.
Attensi has routines for deletion, and will frequently delete personal data that are no longer necessary to fulfil the above purposes, or for end users who have cancelled the registration on the platform.
Attensi currently uses Amazon Web Services for hosting services. The data from the platform are stored in redundant databases on Amazon's servers located in Frankfurt.
Yes, Attensi uses data processors. A list of approved sub-processors can be found here: [link]
Attensi does not currently store or transfer personal data outside the EU/EEA. Attensi uses Amazon Web Services and Microsoft Azure as sub-processors. Under the current agreements, Amazon and Microsoft are not entitled to store or transfer any personal data outside the EU/EEA. If transfer or storage outside the EU/EEA becomes necessary, Attensi will take all reasonable precautions to ensure an adequate level of protection for the personal data.
Attensi has taken reasonable and proportionate steps to protect the user's privacy, including physical, technical and organisational measures, to prevent loss, alterations, theft and unauthorised access to information stored and otherwise processed in relation to the platform.
Please refer to the separate document ("Security attachment") containing a general description of technical and organisational measures implemented by Attensi to ensure an appropriate level of security.
Any questions about this FAQ document can be directed to Attensi's dedicated privacy email: firstname.lastname@example.org