Technical and organisational security measures
This page gives a high-level overview of the technical and organisational security measures that Master International A/S has put in place to protect personal data and to ensure the ongoing confidentiality, integrity and availability of our platform, products and services.
Master International A/S is registered with the Danish Data Protection Agency as a data controller, handling information related to employee administration. Further information regarding the Danish Data Protection Agency can be found at https://www.datatilsynet.dk/english/
Master International A/S is committed to continuously monitoring the effectiveness of its information safeguards and to a yearly compliance audit by an independent third party. This provides assurance that the measures and controls in place meet the requirements of Article 32 of the GDPR. The independent auditor’s ISAE 3000 report on the design and implementation of selected controls applicable to the EU General Data Protection Regulation is available on request.
Master International A/S takes the following technical and organisational security measures to protect personal data:
- Master International A/S acts either as a Data Controller, a Data Processor or a Data Sub-Processor for customers, depending on the individual case and contract. In all cases the same security measures apply, so that we comply with GDPR.
- Employees at Master International A/S receive appropriate training and instructions, ensuring that they work actively at all times to protect personal data and information about test takers and customers.
- Master International A/S restricts physical access to offices and to any area where personal data is processed, using access control mechanisms. All access through these mechanisms is fully audited.
- Master International A/S restricts access rights to systems that contain personal data. Access control systems ensure that only employees with relevant work-related roles are granted access.
- Master International A/S has a formal change-management procedure for changes to its procedures, practices and services, in compliance with applicable law and the agreement with the Customers.
- Master International A/S implements an IT architecture that ensures full separation of personal data and data collected from online tests. Data is stored using two separate technical platforms, logical structures and authentication processes, minimising the severity of a single security breach. During usage, the combined data is pseudonymised in the application, but the collected data is anonymous on its own.
- When acting as a Data Processor or Data Sub-Processor, Master International A/S delivers a software platform containing personal data on behalf of customers. In compliance with GDPR, we protect this data from both unauthorised and unintended employee access.
- Master International A/S ensures that all communication uses appropriate encryption technologies and certificates issued by a trusted provider.
- All access to the software platform uses 2FA and is audited.
- Master International A/S has processes for handling data security breaches.
- Master International A/S has processes and systems that ensure the availability of both systems and data.
- Master International A/S ensures that development, testing and production environments are kept separate.
- Master International A/S has the necessary tools and processes to ensure that data is securely wiped before any equipment is handed over to third parties or disposed of.
- Master International A/S ensures that all its Sub-Processors have documented and appropriate protection of personal data they process on our behalf.