Trust Centre HumanCapitalCare
HumanCapitalCare uses the HumanCapitalCare Absence Portal, an absence portal for case management and absence management. The platform was developed in collaboration with BlueVi B.V. In choosing this new medical file system, we are taking an important step towards improved, modern service provision while maintaining our high standards of security and privacy. The new absence portal was developed according to the principle of privacy and security by design, so that your confidential (personal) data is given optimum protection.
Privacy and data protection
This new absence portal handles sensitive personal data. We apply the highest standards of security, care and transparency here.
To give you, our customer, a clear understanding of how we handle your data, we have created a comprehensive FAQ section on this page, where we answer the most frequently asked questions. Do you have a different question? Please feel free to contact your regular contact person at HumanCapitalCare.
You are the data controller for your own data. This means that, as an employer, you determine which data is processed and for what purpose, for example in the context of case management. If you use this absence portal, you have appointed IT&Care as a processor. In introducing the new absence portal, IT&Care is using the software and services of BlueVi B.V. (the supplier of the absence portal) as a sub-processor. A sub-processor agreement has been concluded with BlueVi B.V., which stipulates that they may only process your data in accordance with the instructions of the controller and that they must take appropriate security measures. IT&Care and BlueVi B.V. therefore work together to keep your data secure and confidential, each within their own role and responsibility.
All data processed in the HumanCapitalCare Absence Portal is stored in the Microsoft Azure cloud environment. These cloud servers are located physically in the Netherlands, which means that your data remains within the Netherlands and the European Economic Area (EEA). Microsoft Azure meets strict requirements for data residency and compliance. The Azure data centres offer a robust, modern infrastructure with high availability, security and disaster recovery capabilities. The Azure environment for IT&Care is designed in such a way that only authorised parties (IT&Care and BlueVi B.V.) have access. This guarantees that your customer data is securely hosted under the supervision of IT&Care in the Dutch Azure region, in accordance with all relevant laws and regulations.
Both IT&Care and BlueVi B.V. have leading certifications that demonstrate their compliance with high standards for information security and privacy:
IT&Care B.V.: ISO/IEC 27001 and NEN 7510 certified. This means that IT&Care meets the highest requirements for process control and for the protection of medical and personal data. IT&Care is also registered as a processor with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Links to our certifications are listed below.
BlueVi B.V.: ISO/IEC 27001 and NEN 7510 certified for the HumanCapitalCare Absence Portal. In addition, BlueVi B.V. has an ISAE 3000 Type II assurance statement, in which the most important privacy controls are independently assessed on an annual basis.
These certifications are verified annually by external auditors, confirming that all parties continuously work according to strict security standards and legislation.
Here are the links to our certifications:
Statement of applicability ISO 27001 (version 4.0)
Statement of applicability NEN 7510 (version 3.1)
ISO 27001 certificate expiry date 16 November 2028
NEN 7510 certificate expiry date 19 February 2027
Access to your data is strictly limited to authorised persons and is done on a need-to-know basis. In practice, this means that only authorised users can access your data:
IT administrators (IT&Care): A limited number of IT administrators at IT&Care have access to the systems for maintenance and support. This access is strictly regulated and logged in accordance with the NEN 7510 and NEN 7513 standards. These employees treat all personal data, including medical data, as confidential and have signed a confidentiality agreement.
BlueVi B.V. support: Employees of BlueVi B.V. do not have standard access to customer data. In exceptional cases, such as for technical support or incident handling, temporary access may be required. This only happens with the consent of IT&Care and under strict conditions in accordance with the processing agreement.
No external party or unauthorised person can access your data. The roles and rights within the HumanCapitalCare Absence Portal are designed so that each user only sees the information relevant to his/her role. This ensures that privacy and confidentiality are maintained.
IT&Care and its partners comply fully with the General Data Protection Regulation (GDPR). This includes:
Processing agreements: Legally binding agreements have been concluded between IT&Care and BlueVi B.V., in which the agreements regarding data processing, confidentiality and security are stipulated in accordance with the GDPR.
Purpose limitation and minimal data: Your personal data will only be processed for the specific purpose for which it was collected (e.g. guidance in the event of absence). Moreover, no more data is collected than is necessary.
Rights of data subjects: IT&Care places great importance on the protection of personal data and respects the privacy rights of your employees. This means that employees always have the right to access their data, the right to have incorrect data rectified, and the right to have data erased where this is justified. Under the GDPR, a data subject exercises his or her rights with the controller. For the employee administration in the absence portal, you yourself, as the employer, are the controller. If your employee wishes to exercise his or her rights, IT&Care will provide all reasonable assistance so that you, as the employer, can meet the obligations that such requests entail. The manner in which your employee can exercise his or her rights with you must be set out in your own applicable privacy regulations. Your employees can read about this division of roles in our privacy regulations.
Supervision by the data protection officer: Within HumanTotalCare, of which IT&Care is a part, a data protection officer (DPO) has been appointed to supervise compliance with privacy laws and regulations. The DPO's contact details are included in the privacy regulations.
Annual privacy audit: The most important privacy measures from BlueVi B.V. are independently assessed annually as part of an ISAE 3000 Type II audit. IT&Care is also periodically audited for its GDPR compliance. This demonstrates that the processing of personal data complies with laws and regulations.
Both IT&Care and BlueVi have clear procedures for incident and data breach management. Safety and transparency are paramount in this regard. This includes:
Incident detection: Our IT environment is monitored 24/7 for suspicious activity and vulnerabilities. IT&Care has set up real-time monitoring and keeps a constant eye on the infrastructure. The internal Security Operations team uses NIDS, XDR, SIEM and SOAR technologies, supported by an external Managed Detection & Response provider affiliated with Z-CERT (the Dutch healthcare computer emergency response team), which also offers DFIR services.
Incident response plan: In the unlikely event of a security incident or data breach, the incident response plan is activated immediately. Authorised security and privacy officers from IT&Care and BlueVi B.V. then work together to contain the breach, limit its impact and prevent a recurrence. In doing so, they act strictly in accordance with the law, contractual agreements and internal procedures.
Reporting obligation and communication: In accordance with the GDPR and the data breach notification obligation, IT&Care, as your processor, will inform you without undue delay if your data has been affected by a personal data breach. You will then receive information about the nature of the breach, the data involved, the (expected) impact and the measures being taken. As you are the data controller, it is your obligation to notify the breach to the supervisory authority (for Dutch employers the Autoriteit Persoonsgegevens) if it is notifiable, and, where applicable, to inform the individuals concerned. Note that the GDPR gives the controller 72 hours from becoming aware of a notifiable breach to notify the supervisory authority, so the notification clock starts the moment you are informed; IT&Care supports you by providing the necessary information promptly and in full, as stipulated in the processing agreement. We always strive for transparency and due diligence in such situations.
Continuous improvement: After resolving major incidents, we conduct an evaluation. Where necessary, we improve our security measures and processes to prevent any future incidents.
Thanks to our detection technologies, proactive approach and rapid response capacity, we are able to effectively manage incidents. Of course, we do everything in our power to prevent data breaches. Should such a breach occur, you will be informed appropriately and in a timely manner, and the necessary steps will be taken to protect your data.
IT&Care facilitates secure and reliable links to external systems, such as your HR, payroll or absence management systems. These integrations are generally implemented on the basis of the SIVI Absence Standard, as published by the SIVI Foundation. This standard defines clear data definitions, process agreements and interfaces (APIs and messaging) for the secure and interoperable exchange of absence data. By adopting this standard, we ensure both a standardised integration approach and data protection, and we can quickly connect to systems commonly used in the market. If necessary, customised interfaces or alternative secure connections can also be set up, all in accordance with our information security and privacy guidelines.
Customer data is logically separated in the underlying database structure. Each customer has its own protected dataset, so that your data remains strictly separated from the data of other customers. IT&Care manages database encryption and key storage centrally; customer-managed keys are not offered. In addition, the database environment is actively hardened and secured according to best practices, ensuring data integrity and confidentiality within the multi-tenant architecture.
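To make the notion of logical tenant separation concrete, the following PostgreSQL fragment is an added illustration of a common pattern (row-level security keyed on a tenant identifier); it is not the portal's actual schema or code, and the table, role, session variable and identifiers are all constructed for this example. The point it shows is that a session bound to one tenant cannot read or write another tenant's rows, and that an unbound session sees nothing rather than everything.

```sql
-- Illustrative pattern (not the portal's schema): logical tenant separation
-- with PostgreSQL row-level security. Every row carries a tenant_id and a
-- policy restricts each session to the tenant bound to it.
-- Assumption: the application sets the session variable app.tenant_id per
-- request, after authenticating the user, before touching any data.

CREATE TABLE absence_case (
    case_id     bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    employee_id text NOT NULL,
    started_on  date NOT NULL,
    notes       text
);

-- Enable RLS and force it so that even the table owner is subject to the policy.
ALTER TABLE absence_case ENABLE ROW LEVEL SECURITY;
ALTER TABLE absence_case FORCE ROW LEVEL SECURITY;

-- The application connects as a role that cannot bypass RLS.
CREATE ROLE portal_app NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON absence_case TO portal_app;
GRANT USAGE, SELECT ON SEQUENCE absence_case_case_id_seq TO portal_app;

-- current_setting(..., true) yields NULL when the variable is unset, and
-- NULL never compares equal, so an unbound session matches no rows.
CREATE POLICY tenant_isolation ON absence_case
    FOR ALL TO portal_app
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per request (constructed values): bind the session to one tenant.
BEGIN;
SET ROLE portal_app;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

INSERT INTO absence_case (tenant_id, employee_id, started_on)
VALUES ('11111111-1111-1111-1111-111111111111', 'E-001', '2024-03-01');

-- Writing a row for a different tenant is rejected by the WITH CHECK clause:
-- INSERT INTO absence_case (tenant_id, employee_id, started_on)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'E-002', '2024-03-01');

-- Only rows of the bound tenant are visible, whatever the WHERE clause says.
SELECT case_id, employee_id, started_on FROM absence_case;
COMMIT;
```

The defence rests on the application role not holding BYPASSRLS and on FORCE ROW LEVEL SECURITY; a superuser connection would still see all tenants, which is why production access with such rights should be limited to the administrators and logging described above.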
In principle, you have limited direct access to the logging of our systems. For this reason, we recommend using single sign-on (SSO) wherever possible, so that authentication events and user management are largely handled within your own IT environment, where you can log and monitor them yourself. Note that SSO covers who logged in and how; access to and processing of personal data inside the portal is still logged by IT&Care, in accordance with the NEN 7513 standard. In the event of a security incident, we will provide you with the relevant log data if this is needed for the investigation or for accountability purposes.
A processing agreement is not required in every case. IT&Care applies the following principle:
- In the case of negative registration, where only data on employees with care needs is exchanged with the occupational health and safety service HumanCapitalCare, no processing agreement between you and IT&Care is required. This also applies if a technical link is used. In this situation IT&Care does not act as your processor, but merely facilitates the exchange of data with the occupational health and safety service.
- For a positive registration, where you also share data on employees without care needs (in the absence portal or via a link), a processing agreement between you, as the employer, and IT&Care is required. In this case, IT&Care processes personal data on your behalf and therefore acts as a processor.
If there is a negative registration, but you do use the absence portal as part of the service, this may lead to a different situation. If you actively use the portal for your own absence registration, a processing agreement between you and IT&Care is necessary. If the portal is only used passively to consult feedback from the occupational health and safety service, this is not required.
You may not switch from negative to positive registration independently. This always requires consultation with your HumanCapitalCare account manager so that the contractual agreements can be amended and, if applicable, a processing agreement can be concluded with IT&Care.