Privacy and security
      Back to home
      1. Help Center
      2. Other
      3. Privacy and security

      Data security FAQ

      Everything about Privacy and Data Security

      As a software-as-a-service provider, we collect and store data “in the cloud.” We take data security and privacy extremely seriously.

      We are ISO27001-certified for the development and hosting of online training and testing software-as-a-service, providing technical support, and offering functional support through customer success services (certificate available upon request).

      Below you will find answers to some frequently asked questions about data security.

       

      What data do you collect and how is it obtained?

      Data we collect beforehand (required):

      • Name

      • Email address*

      • Personal password* (randomly generated, one-way encrypted)

      • Name of employer or training agency (derived from the account the user is linked to)

      • Phone number (only for users of SkillsCoaching.traintool.com)

       

      Data generated during use:

      • Name of the training(s) the user participates in (including group and coach providing feedback)

      • Audio or video recordings the user chooses to save and share (generated during training)

      • Information on participation, progress, and scores, such as:

       • Given answers

       • Feedback from and to other participants

       • Feedback and evaluation scores from or to coaching

       

      Who owns the data?

      The customer owns the data and is ultimately responsible. TrainTool acts solely as a data processor and operates accordingly.

       

      Where is the data stored?

      All data is stored in the Netherlands, in data centers located in Eemshaven (Google Cloud).

       

      A.I. Data Processing

      TrainTool uses a proprietary AI, named Alix, which applies OpenAI’s Whisper technology to assess participants. Both Alix and Whisper run on our own servers (see previous section).

       

      What is the backup cycle (retention, maximum data loss)?

      • TrainTool performs daily backups and retains them for 30 days.

      • Maximum data loss: 24 hours.

      • Maximum retention of (deleted) data: 30 days.

       

      What procedures exist for data deletion?

      Automatic “hide” function after license expiration

      When a user license expires, their answers and recordings are automatically hidden from themselves, peers, and coaches. This can be manually restored by an administrator.

       

      - Automatic deletion of video recordings after license expiration

      45 days after the license expires, video recordings are automatically deleted (as they are considered sensitive data). The user is notified 14 days in advance and may prevent this process if desired.

      - Manual deletion of user accounts

      TrainTool (data processor) deletes data upon explicit request from the customer (responsible party). The data then remains in backups for a maximum of 30 days. Additionally, the user has the right to be “forgotten.”

      - End of contract

      45 days after the contract between the customer and TrainTool ends, all customer data and user accounts are destroyed. It takes another 30 days before all data is also removed from backups.

       

      Which subcontractors do you work with?

      • Infrastructure, hosting, and management: TRUE B.V. (ISO27001-certified)

      • Data storage: Google Cloud (ISO27001-certified)

       

      What security measures are in place?

      • Firewall cluster with a standard “deny” policy

      • Daily review of firewall logs

      • Firewall updates go through a version control system with peer review

      • Bi-weekly network scans to identify issues such as open ports

       

      Additional security measures:

      • OS hardening

      • NaWas anti-DDoS

      • Quarterly vulnerability scans

      • Regular patches (quarterly), emergency patches (daily)

      • ISO27001 principles and compliance

      • Standard offsite backups and DR snapshots

       

      Encryption:

      All connections to and from the TrainTool application are encrypted via the SSL/TLS protocol. These settings are automatically monitored.

       

      Physical Security:

      TRUE Data Center:

      • Access only for authorized individuals (whitelist)

      • Manned reception with ID check

      • Hardware stored in locked cabinets

      • Visitors always escorted by TRUE staff

      • Authorization required for hardware changes

       

      Google Data Center:

      • Biometric identification

      • Metal detection

      • CCTV surveillance

      • Vehicle barriers

      • Laser-based intrusion detection systems

      • Physical backup locations in case of fire

      • Backup generators for power outages

       

      How is the application secured and how is unauthorized inspection or alteration prevented?

      Authorization levels

      Users may have one or more of the following roles:

      • Participant

      • Coach

      • Content Developer

      • Administrator

       

      The first administrator of an account registers other users and assigns authorization levels. This administrator is either a customer employee or a TrainTool employee acting under the customer’s explicit instruction.

       

      Logs

      Every inspection of user data is logged. Privacy logs are available upon request.

       

      Authorization level control

      Every inspection of user data is checked on four levels:

      1. Is this the correct account?

         • Is the user logged in?

         • Does the logged-in user belong to the current account?

         • Does the page’s data belong to the current account?

      2. Does the user have the right authorization to view this page?

      3. Does the user have permission to inspect specific data?

         Examples:

         “May user view feedback from person X on person Y’s video?”

         “May user download a progress report for person X?”

      4. Superusers

         TrainTool employees in technical or support roles are “Superusers” and may access user accounts when necessary.

         These employees have signed a confidentiality agreement and are informed of their responsibilities.

         All actions are logged, and the list of Superusers is reviewed at least quarterly.

       

      How is incident management organized?

      1. Incidents are reported in the TRUE Care portal (by TRUE or TrainTool).

      2. The TRUE Security Officer is automatically notified and determines the priority based on the CIA classification (Confidentiality, Integrity, Availability).

      3. An action plan is drawn up for the involved parties. The customer is regularly informed.

      4. Depending on priority, response and diagnostic times are determined.

      5. After the action plan is executed, the incident is closed by the TRUE Security Officer in consultation with TrainTool.

      6. Follow-up: The Security Officer determines whether additional measures are needed to prevent future incidents.

      7. Reporting: The customer receives periodic SLA reports with an overview of incidents and how they were handled (Root Cause Analysis).