The security of our software is a key concern for our customers, and therefore it has to be for us as well.
One of OpenHR's focuses is privacy, which is a substantial priority for companies, individuals and government institutions.
Therefore, data security is a very important part of our procedures, and an ethical responsibility that we have taken on. Defending our clients' programs, data and communications when they connect to OpenHR is one of the foundations of our work.
We comply with Articles 28(1), 32(1) and 32(2) of the GDPR, as we have implemented "appropriate technical and organisational measures so that the processing complies with the requirements of the Regulation". The measures implemented include the following:
● All data are encrypted both on the servers and in transmission.
● All access to the system is monitored and recorded.
● All changes to personal data are recorded and stored in a system audit.
● Personal connection data are stored directly in OpenHR, with our own programs, and are secured by us. We are not dependent on other companies, and so avoid the uncertainty of not knowing which servers are used to store connection data.
● Our dedicated servers are located in the regions where each country's law requires them to be. Clients' programs, databases and backups are located in these locations.
● We have several data centers with dedicated servers used only for OpenHR clients. We do not share servers with any other company, so each of our clients has their own database and software instances. This way, we are fully capable of ensuring your privacy and security.
● The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident is guaranteed by an appropriate backup/recovery procedure, which is periodically checked, using our own automatic resources.
● All security measures are periodically reviewed by our staff.
We also comply with other aspects of the GDPR, such as:
● We have procedures in place to monitor incoming and outgoing information.
● We are open to security audits of our programs.
● OpenHR staff are fully certified to handle client data and all comply with data protection laws. Furthermore, all have signed a very strict confidentiality contract for their activities.
● Clients can download their data from OpenHR at any time and include it in their own systems. By contract, we delete their data once they are no longer OpenHR clients.
The basic characteristics of the data communication system, that is, how data are sent or transferred to the servers where they will be hosted, are:
● The communication system is based on the SSL secure protocols, with HTTP Strict Transport Security (HSTS).
● Communications that transfer documents from the client to the system are based on the SSL VPN security standards.
● The entire website is certified to the latest standards with an SHA-256 fingerprint.
● To access OpenHR, the user enters their username and password. Users can authenticate directly with OpenHR, through our own authentication program, or through an approved Single Sign-On (SSO) provider.
● Passwords are protected by OpenHR on our own system, without relying on third-party software.
● In addition to the OpenHR authentication system, we can authenticate users with Google, Azure, LinkedIn, etc. Authentication with third-party platforms is done through our own programs for those platforms; we do not use programs from other companies, to ensure proper GDPR compliance.
● If the user would like to authenticate through the above mentioned platforms, it is the user who consents to their use for all purposes.
● In addition to the above platforms, OpenHR can authenticate against the client's own systems, through LDAP, Active Directory, or any other SSO that the client has and authorizes.
● OpenHR supports mixed setups, where users whose passwords are held in the company's internal systems authenticate there, and users who are not in those systems authenticate through external providers. OpenHR's own system can always be used in case of a failure or restructuring of the external systems.
● Passwords are protected by sophisticated hashing and salting techniques, including in the password reminder systems.
● Company management can block users' access or generate new passwords that are sent to the user's e-mail. The user can request a password reset at any time and have it sent to their e-mail, both from the browser and from their mobile device.