Updated November 2023
Data protection
Garuda complies with applicable data protection legislation.
At Garuda, we take IT and data security very seriously.
On this page you can read more about how we comply with IT security and data management and ensure that your information is not misused by third parties.
Auditor’s report
At Garuda, we obtain an annual ISAE3000 statement.
The statement is prepared by an independent third party regarding Garuda’s compliance with the General Data Protection Regulation, data protection provisions in other EU law or Member States’ national law and the content of the data processing agreement.
ISAE 3000 declaration (September 2021)
ISAE 3000 type II declaration, high security (November 2022)
ISAE 3000 type II declaration, high security (November 2023)
FAQ – ISAE3000 declaration
If you have questions about our ISAE3000 statement or general questions about our data processing, we recommend you take a look at our FAQ. Find answers to the most common questions quickly and easily.
Data processing agreement
In any customer relationship, we process personal data on behalf of our customers.
In this relationship, our customers are data controllers and we are data processors.
This means that both we and our customers are obliged to enter into a data processing agreement, the content of which must meet the requirements of the GDPR.
Garuda uses the Danish Data Protection Agency’s standard contractual clauses as the data processing agreement.
This has the advantage that we fulfill our joint obligation to enter into a valid data processing agreement.
You can view and sign our data processing agreements here (updated August 2023)
As stated in the data processing agreement, we use sub-processors to deliver our solution to you in accordance with the subscription agreement between us and you.
In addition to ensuring our own handling of personal data, it is also important to us that our business partners as sub-processors do the same.
Therefore, Garuda only uses leading sub-processors that comply with data processing security requirements.
Garuda generally has two types of sub-processors: (1) our provider of hosting and IT operations services, Solarwinds, and (2) other providers of secondary operational functions.
In addition to using its own servers, Solarwinds is the sub-processor that processes the primary data that customers add to the solution.
The other sub-processors provide secondary operational functions, and they will typically only process limited personal data such as username, e-mail address, IP address and telephone number, as well as any other personal data that you choose to add through your active use of the secondary operational functions.
Below is a schematic of all our sub-processors, including a description of their respective processing, transfer basis and link to the binding agreements we have entered into with each of them:
Name | Country | Description of processing |
---|---|---|
OnlineCity ApS CVR: 27364276 | Denmark, Denmark | OnlineCity.io is used as a service for sending SMS. OnlineCity ApS processes SMS sent via the solution and thus the phone numbers of the data subjects. The SMS may contain names and e-mail addresses. This processing of data is done according to their standard sub-processor agreement. |
Solarwinds MSP CVR: 817292813 | Germany, Germany | Solarwinds is used for hosting and remote backup of the solution, including storage and processing of data. Solarwinds may process names, e-mail addresses, gender, age and documents that may be transferred from the data subjects. This processing of data is done according to their standard sub-processor agreement. |
AWS SES CVR: LU26888617 | Germany, Germany | AWS SES is used as a service for sending emails. AWS SES processes email content, attachments and email addresses. This processing of data is done according to their standard sub-processor agreement. |
If an agreement has been entered into regarding the delivery of a license for the tool, JobSpot, the following sub-processors are used:
Name | Country | Description of processing |
---|---|---|
Solarwinds MSP CVR: 817292813 | Germany, Germany | Solarwinds is used for hosting and remote backup of the solution, including storage and processing of data. Solarwinds may process names, e-mail addresses, gender, age and documents that may be transferred from the data subjects. This processing of data is done according to their standard sub-processor agreement. |
A Bigger Boat CVR: 38684906 | Germany, Germany | A Bigger Boat is used for the generation of video spots. A Bigger Boat processes the photos and videos that the data controller wants to be included in the video. This processing of data is done according to their standard sub-processor agreement. |
AWS SES CVR: LU26888617 | Germany, Germany | AWS SES is used as a service for sending emails. AWS SES processes email content, attachments and email addresses. This processing of data is done according to their standard sub-processor agreement. |
Over time, there may be changes in the use of sub-processors used to provide our services.
As a data controller, you will be notified to the extent required by the applicable data processing agreement, and changes will also appear on this page.
If desired and actively selected, OpenAI can be used as a sub-processor for the Garuda AI solution in JobSpots.
This sub-processor will not automatically be used when signing the Subscriber or Data Processing Agreement, which is why an addendum must be signed.
Once the addendum has been signed, the following sub-processor is used:
Name | Country | Description of processing |
---|---|---|
Open AI LLC | USA, 3180 18th St., San Francisco, CA 94110 | When JobSpot’s artificial intelligence features (Garuda AI) are activated separately, OpenAI’s language models are used to scan publicly available job ads based on user input in the form of links or text. Garuda AI then extracts relevant content from the public link using OpenAI’s language models. The content can then be activated by the user in the current JobSpots, including text, contact information and images. This processing of data is done according to their standard sub-processor agreement. The supplementary agreement can be signed here… |
Security measures
Data processing is an integral part of Garuda that we make available to our customers.
Therefore, our customers’ trust and confidence that we can deliver our service in a secure and confidential manner is also crucial to our business foundation.
We therefore take security very seriously and have a continuous focus on it.
If you have any questions about Garuda and GDPR, please contact us at: datasikkerhed@garuda.dk
Measure | Description |
---|---|
Supplier | Use of recognized vendors certified for platform hosting within the vendor’s EU/EEA data regions. |
Backup and anti-malware | Daily backup and updated anti-malware and antivirus protection on systems and devices. |
Encryption | Full encryption of data in transit. |
Continuous platform checks | Continuous checking of platform and systems for OWASP Top 10 vulnerabilities. |
Physically securing locations | Physically securing premises with individual access key fobs and codes and monitoring facilities. |
Logging | Logging access and actions in the platform and systems. |
Procedures | Procedures for accessing the production environment and accessing customer data. |
Hardware | Hardware reuse is only done by restoring factory settings and hardware destruction is done according to market standard. |