Security matters a lot, especially in digital health care.
1. Purpose and Scope
This Security Statement covers activities undertaken by Mind District Holding B.V. and the related entities Minddistrict B.V., Minddistrict Development B.V., Minddistrict GmbH, and Minddistrict Ltd., all of which will hereinafter be referred to as “Minddistrict”.
Minddistrict is a leader in ehealth solutions. Because many of our customers provide medical care, we take our customers' and their clients' security and privacy concerns very seriously. We see data protection as the foundation for building trust with our customers and clients.
We strive to ensure that confidential and (sensitive) personal data is handled securely and in line with the relevant regulations and information security standards. Minddistrict uses advanced technology and other state-of-the-art measures to ensure a level of security that is appropriate for the types of data and information we process.
The general set of technical and organisational security measures we have implemented to protect the (sensitive) personal data of our customers and their clients is agreed upon in the relevant data processing agreements that are in place. We work in accordance with ISO 27001:2017, NEN 7510:2017, NEN 7512:2022, NEN 7513:2018, and KBV certification. Minddistrict is full scope ISO 27001 and NEN 7510 certified.
We can provide a summary of our Information Security Management System (hereinafter “ISMS”) or insights into our certificates on request. Such requests can be submitted to the Minddistrict Compliance Department at firstname.lastname@example.org.
Below we have documented a set of the most important organisational and technical security measures we have in place. Please note that this set is not complete and only provides an overview.
3. Platform User Security
Authentication: user data in our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on. Minddistrict issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.
Passwords: user application passwords are subject to specific complexity requirements, such as a minimum length (12 characters) and the use of special characters. Passwords are stored encrypted.
Data Portability and Preservation: Minddistrict enables customers to export personal data from our system, in accordance with a procedure to prevent misuse or unauthorised.
Privacy: information related to privacy and processing personal data can be found in the Privacy Statement.
Data Residency: all Platform data including personal (health) data of users is stored on servers located in secure databases in the European Economic Area (hereinafter “EEA”). The EEA requires a high level of privacy. For customers in the United Kingdom all platform data including personal (health) data of users is stored in a separate location in the United Kingdom. For more information on Minddistrict sub-processors please refer to our Privacy Statement.
4. Physical Security
All platform / production server data including personal (health) data of users is stored at our hosting provider Intermax B.V. in secured data centers. These data centers include all the necessary physical security controls you would expect in a state-of-the-art data center (24×7 monitoring, cameras, visitor logs, entry requirements). Our hosting provider Intermax has certifications for ISO 27001, ISAE 3402 Type II and ISO 14001.
5. Network Security
Testing & development: system functionality and design changes are verified in a separate test environment and subject to automatic and manual tests prior to deployment to our active production systems.
Firewalls: Minddistrict uses a multilayered firewall solution to restrict access to permitted users and controlled processes.
Access Control: access to personal data is strictly regulated. This means that only employees with certain roles/responsibilities have access to personal data when it is necessary. Minddistrict has an internal policy in place which contains guidelines about the various levels of access both within Minddistrict and within the customer’s organisation.
Logging and Auditing: central logging systems capture and archive internal systems access including authentication attempts.
Encryption in Transit: by default, Minddistrict has Transport Layer Security (TLS) enabled to encrypt traffic between the user and the Minddistrict e-health Platform. All communications with our domains (minddistrict.com, minddistrict.com/nl-nl, and minddistrict.com/de-de) are sent over TLS connections, which protects communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure, and only available to intended recipients.
6. Vulnerability Management
Patching: we ensure critical security patches are applied to our systems, applications, and network infrastructure to mitigate exposure to vulnerabilities.
Third Party Scans: our environments are continuously scanned using best-of-breed security tools. These tools are configured to perform application and network vulnerability assessments, which test for patch status and basic misconfigurations of systems and sites.
Penetration Testing: external organisations are hired to perform penetration tests (at least annually). We select skilled and recognised suppliers to ensure a high level of security and comprehensive reporting of findings.
7. Organisational & Administrative Security
Information Security: we work in accordance with ISO 27001:2017, NEN 7510:2017, NEN 7512:2022, NEN 7513:2018, and KBV certification. Minddistrict is full scope ISO 27001 and NEN 7510 certified.
Employee Screening & Training: we perform background screening on employees using recognised systems in the jurisdictions where we operate. All of our employees have signed a confidentiality agreement and are provided information security training at onboarding and thereafter at regular intervals.
Service Suppliers: we apply a supplier assessment procedure to screen our service suppliers to ensure they conform with the necessary confidentiality and security obligations as may be required.
Access: access controls to personal data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis, in accordance with our policy.
8. Software Development Practices
Compatibility: we make every effort to keep the Minddistrict product compatible with various operating systems such as Windows, Android and iOS. Minddistrict also participates actively in various compatibility projects such as Koppeltaal, to facilitate customer integrations.
Coding Practices: our engineers use best practices and industry-standard secure coding guidelines which align with the OWASP Top 10.
Deployment: we deploy code on a regular basis, giving us the ability to react quickly in the event a bug or vulnerability is discovered within our code.
9. Handling of Security Breaches
Despite best efforts, no method of transmission over the internet and no method of electronic storage is 100% secure. We cannot guarantee absolute security. However, if Minddistrict becomes aware of a security breach, we will notify affected customers as soon as possible so that they can take appropriate protective steps, following applicable EU legislation on privacy and data breach notification. Detailed information about handling security breaches will be agreed on in the processing agreement with customers.
10. Your Responsibilities
Keeping data secure cannot be done by Minddistrict alone. Security depends on all parties, including both customers and users. Users are required to maintain the security of their accounts by responsible use of passwords and trusted networks. User devices and software should be updated to keep up with industry standards, as this is known to reduce the risk of being compromised. Customers should ensure they take appropriate measures to maintain a sufficient level of security for the data involved.
Upon request we can offer advice regarding the use of the Minddistrict Platform, but it is the responsibility of the Data Controller to ensure that personal data is processed in a safe, responsible and legitimate manner.
11. Changes to this Security Statement
We may adjust or change this Security Statement from time to time as we see fit. If we make changes, we will amend the revision date stated below and the amended or changed version applies to you from the date of revision. We recommend that you regularly read this Security Statement so that you are always aware of the way in which we protect your data.
This Security Statement was last updated on 10-11-2023.
12. Contact information
If you have a question or would like to have more information regarding our privacy and security, please feel free to contact our Compliance Department by sending an email to email@example.com.
We will make sure your request is handled with due care and will respond as soon as possible.
12.1 English Version Controls
Non-English translations of this statement are provided for convenience only. In the event of any ambiguity or conflict between translations, the English version is authoritative and controls.