Privacy & Data Processing

Onesurance processes personal data exclusively on behalf of its clients, in full compliance with the GDPR. Privacy by Design is embedded in our architecture and processes.

Privacy policy summary

  • GDPR compliant — Full compliance with the General Data Protection Regulation
  • Processor role (art. 28 GDPR) — Onesurance acts as Processor; the client is the Controller
  • DPO appointed — Data Protection Officer available at dpo@onesurance.ai

GDPR Compliance

Onesurance operates as a Processor within the meaning of the General Data Protection Regulation (GDPR). Our clients — insurance companies — are the Controllers who determine the purpose and means of processing.

Role allocation

  • Onesurance = Processor — We process personal data exclusively on behalf of and according to the instructions of the Controller
  • Client = Controller — The insurance company determines the purpose and means of data processing

Data Processing Agreement (DPA)

  • Article 28 GDPR — A Data Processing Agreement is concluded with each client in accordance with article 28 GDPR, detailing the obligations of both parties
  • Standard Contractual Clauses (SCCs) — Where necessary, EU Standard Contractual Clauses are included as an additional safeguard

Data Protection Officer

  • Menno Kooistra — DPO — Our Data Protection Officer can be reached at dpo@onesurance.ai for all privacy-related questions and requests

Data Types

Onesurance processes various categories of personal data on behalf of insurance companies. All processing takes place within the European Union.

Categories of personal data

Category            Examples
Personal details    Name, address, city of residence
Contact details     Email address, phone number
Date of birth       Age data for risk assessment
Family situation    Household composition, marital status
Policy number       Insurance policy number and product type
Claims data         Loss reports, claims history, claim status

Processing purposes

  • ML predictions — Churn prediction, Customer Lifetime Value (CLV), next-best-product recommendations
  • Anonymised ML data — Machine learning models are trained exclusively on fully anonymised datasets
  • 100% EU processing — All data processing takes place exclusively within the European Union

Data Subject Rights

Onesurance supports all data subject rights as established under the GDPR. Requests can be submitted via our Data Protection Officer. The response time is a maximum of 30 days.

GDPR rights

  • Right of access (art. 15) — Data subjects can request which personal data is being processed
  • Right to rectification (art. 16) — Inaccurate personal data is corrected upon request
  • Right to erasure (art. 17) — Personal data is deleted upon request where no statutory retention obligation applies
  • Right to restriction (art. 18) — Processing can be restricted upon request in specific cases
  • Right to data portability (art. 20) — Personal data is provided upon request in a structured, machine-readable format
  • Right to object (art. 21) — Data subjects can object to the processing of their data

Submit a request

All requests can be submitted via dpo@onesurance.ai. We respond within 30 days to every request, in accordance with GDPR requirements.

Privacy Measures

Onesurance employs comprehensive technical and organisational measures to protect personal data, in accordance with the principles of Privacy by Design and Privacy by Default.

Privacy by Design & DPIA

  • Privacy by Design — Privacy protection is built into the design of all systems and processes, not added as an afterthought
  • Data Protection Impact Assessment (DPIA) — For high-risk processing activities, a DPIA is conducted in advance to identify and mitigate risks

Pseudonymisation & Anonymisation

  • Pseudonymisation with SHA-256 — Personal identifiers are pseudonymised using SHA-256 hashing to prevent direct identification
  • Anonymisation of ML data — Data used for machine learning is fully anonymised, making re-identification impossible
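The practitioner's caveat on the SHA-256 point above is that a hash is only a pseudonym in the art. 4(5) GDPR sense when the additional information needed to re-attribute it is held separately. An unkeyed SHA-256 of a low-entropy identifier (a six-digit policy number, an email address) can be reversed by anyone holding the data, simply by hashing every plausible value and comparing; hashing under a secret key (HMAC-SHA-256) makes that enumeration impossible without the key. The following Python is an added illustration, not Onesurance's code: it assumes a hypothetical six-digit policy-number space and constructed sample records, and generates the key in-process where a real deployment would keep it in a key vault separate from the data.

```python
"""Keyed versus unkeyed SHA-256 pseudonymisation of personal identifiers.

Added example, not the page's or Onesurance's own code. Assumptions (constructed):
policy numbers are six digits in the 1xxxxx range, and the HMAC key is generated
here instead of being fetched from a key store held separately from the data.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records; not real customer data.
SAMPLE_RECORDS = [
    {"policy_number": "100042", "email": "Alice.Jansen@example.com", "claims": 2},
    {"policy_number": "100043", "email": "b.devries@example.com", "claims": 0},
]


def normalise(identifier: str) -> str:
    """Canonicalise an identifier so the same person always maps to the same token."""
    return identifier.strip().lower()


def plain_sha256(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier: deterministic, but reversible by enumeration."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def keyed_pseudonym(key: bytes, identifier: str, purpose: str = "policy") -> str:
    """HMAC-SHA-256 under a secret key.

    `purpose` is mixed into the message for domain separation, so tokens produced
    for one field or pipeline cannot be joined against tokens produced for another.
    """
    msg = purpose.encode("utf-8") + b"\x00" + normalise(identifier).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_record(key: bytes, record: dict,
                        id_fields=("policy_number", "email")) -> dict:
    """Return a copy of `record` with each identifier field replaced by its keyed token."""
    out = dict(record)
    for field in id_fields:
        if field in out:
            out[field] = keyed_pseudonym(key, out[field], purpose=field)
    return out


def reverse_by_enumeration(token: str, hash_fn: Callable[[str], str],
                           candidates: Iterable[str]) -> Optional[str]:
    """What someone holding the data but not the key can do: hash every plausible
    value with the public hash function and look for a match."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), token):
            return candidate
    return None


def policy_number_space() -> Iterable[str]:
    """Constructed assumption: six-digit policy numbers from 100000 to 199999."""
    return (str(n) for n in range(100_000, 200_000))


def demo() -> dict:
    """Unkeyed token is recovered from the identifier space; keyed token is not."""
    key = secrets.token_bytes(32)  # in practice: fetched from a separately held key store
    weak = plain_sha256("100042")
    strong = keyed_pseudonym(key, "100042")
    return {
        "unkeyed_reversed_to": reverse_by_enumeration(weak, plain_sha256, policy_number_space()),
        "keyed_reversed_to": reverse_by_enumeration(strong, plain_sha256, policy_number_space()),
        "keyed_record": pseudonymise_record(key, SAMPLE_RECORDS[0]),
    }


if __name__ == "__main__":
    result = demo()
    print("unkeyed SHA-256 reversed to:", result["unkeyed_reversed_to"])
    print("keyed HMAC-SHA-256 reversed to:", result["keyed_reversed_to"])
    print("pseudonymised record:", result["keyed_record"])
```

Two design points worth keeping even when the key is managed properly: normalising identifiers before hashing keeps joins stable across source systems that format the same email or policy number differently, and the purpose string stops a token minted for one dataset from being used to link records in another.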

Encryption & Access Control

  • AES-256 encryption at rest — All stored personal data is encrypted with AES-256
  • TLS 1.3 in transit — All communications are secured with TLS 1.3
  • RBAC + MFA — Role-based access control combined with mandatory multi-factor authentication for all users

International Transfers

Onesurance processes and stores all data exclusively within the European Union. No transfers of personal data to countries outside the EU take place.

EU Data Residency

  • 100% EU data residency — All personal data is stored and processed in Azure data centres within the European Union (West Europe region)
  • No transfers outside the EU — Onesurance does not transfer personal data to third countries or international organisations outside the EU

Standard Contractual Clauses

  • SCCs with Microsoft Azure — Standard Contractual Clauses (SCCs) have been agreed with Microsoft as an additional contractual safeguard for all cloud services

Questions about Privacy?

Our Data Protection Officer is happy to assist you with questions about privacy, data processing or your rights as a data subject.

General Support: support@onesurance.ai
DPO Email: dpo@onesurance.ai (DPO — Menno Kooistra)
Phone: +31 6 13 27 01 44 (Onesurance Support)