Security
Privacy & Data Processing
Compliance status: GDPR compliant | DORA compliant | ISO 27001 target Q1 2026
Key security principles at Onesurance
Encryption of all data in transit and at rest
Multi-factor authentication required for all users
24/7 security monitoring with automated incident detection
Data residency within the EU (Azure West Europe)
ISO 27001 certification in preparation (target Q1 2026)
Certifications and Standards
Onesurance holds itself to the highest security and compliance standards in the financial sector. Below you will find an overview of our current certifications and roadmap.
| Certification | Description | Status |
|---|---|---|
| GDPR | EU General Data Protection Regulation (Regulation (EU) 2016/679) | Compliant |
| DORA | EU Digital Operational Resilience Act (Regulation (EU) 2022/2554) | Compliant |
| ISO 27001 | Information security management system standard | In preparation (target Q1 2026) |
TRUST CENTER - PRIVACY & DATA PROCESSING
Onesurance Privacy & Data Processing Practices
Last updated: December 2024
Our Commitment to Privacy
At Onesurance, we don't treat privacy as a checklist, but as a fundamental right. We are aware that we process sensitive personal and insurance data, and we take this responsibility very seriously. Our privacy practices go beyond the legal minimum requirements and are built on transparency, accountability, and respect for individual rights.
GDPR Compliance
Legal Basis
Onesurance B.V. is registered in the Netherlands (Chamber of Commerce: 87521997) and is subject to the General Data Protection Regulation (GDPR). We only process personal data when we have a valid legal basis for doing so:
• Contractual necessity: Processing necessary for the performance of the contract with our customers
• Legitimate interest: For improvements to our services, security, and fraud prevention
• Legal obligation: When required by law and regulations
• Consent: In specific cases where other legal grounds do not apply
Data Protection Officer (DPO)
• Designated: Yes, dedicated Data Protection Officer
• Contact: onesurance
• Responsibilities:
Monitoring GDPR compliance
Advice on Data Protection Impact Assessments
Training and awareness for employees
Contact point for the supervisory authority (Dutch Data Protection Authority, AP)
Handling of requests from data subjects
• Independence: Reports directly to management, no conflict of interest
• Expertise: Certified in privacy and data protection
GDPR Principles
We strictly adhere to the seven GDPR principles (Art. 5 GDPR):
Lawfulness, fairness, and transparency
Clear communication about data usage
Privacy notices in plain language
No hidden data processing
Purpose limitation
Data used only for specific, legitimate purposes
No reuse for incompatible purposes
Clear documentation of processing purposes
Data minimisation
Only necessary data collected
Regular review of data collection
Removal of redundant data points
Accuracy
Mechanisms for correcting inaccurate data
Regular validation of data quality
Update immediately in case of known inaccuracies
Storage limitation
Defined retention periods per data category
Automatic deletion after retention period
Exception only in case of legal requirements
Integrity and confidentiality
Technical and organizational measures (see Template 03)
Encryption, access controls, security monitoring
Incident response procedures
Accountability
Comprehensive documentation of compliance
Regular audits and assessments
Demonstrable compliance with GDPR
Rights of Data Subjects
We respect and facilitate all rights under the GDPR:
Right to Information
• Privacy notice: Available on website and during onboarding
• Content: What data, why, how long, with whom shared, rights
• Updates: Proactive communication in case of changes
• Language: Dutch and English available
Right of Access (Art. 15 GDPR)
• Procedure: Request via onesurance
• Identification: Identity verification required (copy of ID)
• Response time: Within 1 month (extendable by two further months for complex or numerous requests, with the data subject informed of the extension)
• Content of access:
Copy of personal data
Processing purposes
Categories of data
Data recipients
Retention period
Source of data (if not from the data subject)
• Format: PDF or structured data (CSV/JSON)
• Costs: First request free of charge, reasonable costs for repeated requests
Right to Rectification (Art. 16 GDPR)
• Procedure: Via onesurance or via customer portal
• Response time: Immediate correction, confirmation within 1 month
• Transmission: Corrections are transmitted to recipients
• Validation: Verification of correctness in case of changes
Right to Erasure / 'Right to be Forgotten' (Art. 17 GDPR)
• Grounds for erasure:
Data no longer necessary
Withdrawal of consent
Objection to processing
Unlawful processing
Legal obligation to delete
• Exceptions:
Legal retention periods (e.g., for tax purposes)
Establishment/exercise of legal claims
Archiving obligations
• Response time: Within 1 month
• Confirmation: Written confirmation of deletion
• Backup retention: Deleted data remains in backups until those backups are overwritten in the next backup cycle; it is not restored from backup
Right to Restriction of Processing (Art. 18 GDPR)
• Grounds:
Disputing accuracy (pending verification)
Unlawful processing but no deletion desired
Data no longer needed by us but still needed for the data subject's legal claims
Objection to processing (pending balancing test)
• Implementation: Technical blocking, marking in system
• Processing during restriction: Storage only; any other processing requires the data subject's consent or is limited to establishing or exercising legal claims
Right to Data Portability (Art. 20 GDPR)
• Scope: Data provided by the data subject, processed by automated means
• Format: Structured, commonly used, machine-readable (JSON, CSV, XML)
• Direct transfer: Where technically possible, directly to another controller
• Response time: Within 1 month
Right to object (Art. 21 GDPR)
• Grounds: Reasons relating to the data subject's particular situation
• Applies to: Processing based on legitimate interest or on a task carried out in the public interest
• Assessment: Balancing test between the interests of the organization and the data subject
• Direct marketing: Unconditional right to object
• Response time: Within 1 month
Automated Decision-Making & Profiling (Art. 22 GDPR)
• Policy: No fully automated decisions with legal consequences
• AI models: Always human-in-the-loop for critical decisions
• Profiling: Transparent about the use of predictive models
• Opt-out: Possible for non-essential profiling
• Explanation: Right to an explanation of the logic behind automated processing
Data Processing Details
Categories of Personal Data
We process the following categories (depending on service and relationship):
Contact information
Name, address, telephone number, email address
Company name, position (B2B context)
Identification details
Chamber of Commerce number (for companies)
Unique customer IDs (internal)
Usage data
Login times, IP addresses
Features used, click behavior
API calls, system usage
Insurance-related Data (from our customers' end customers)
Policy numbers, claim amounts
Risk profiles, premium calculations
Churn risk scores, lifetime value
Technical data
Browser type, device information
Cookies, session IDs
Log files, error reports
Special Categories (minimal, only if necessary)
Health data: Only if relevant to insurance product (e.g., health insurance)
Criminal data: Not processed unless legally required
Processing purposes
• Services: Operation of our SaaS platform for insurers
• Customer support: Troubleshooting, helpdesk, onboarding
• Product development: Feature improvements, bug fixes, innovation
• Security: Fraud detection, access control, incident response
• Compliance: Compliance with legal obligations
• Analytics: Aggregated, anonymized usage statistics
• Marketing: With consent, opt-out possible
Register of Processing Activities (ROPA)
We maintain a comprehensive ROPA in accordance with Art. 30 GDPR:
• Scope: All processing activities documented
• Details per processing operation:
Name and contact details of the controller
Purposes of processing
Categories of data subjects
Categories of personal data
Categories of recipients
Transfer to third countries (not applicable)
Retention periods
Technical and organizational measures
• Update frequency: For new processing operations and at least once a year
• Availability: Available to the supervisory authority upon request
Retention periods
| Data category | Retention period | Basis |
|---|---|---|
| Customer data | Term of contract + 30 days | Contractual necessity |
| Communication | Term of contract + 1 year | Legitimate interest |
| Invoices | 7 years | Legal obligation (tax) |
| Support tickets | 2 years | Legitimate interest |
| Security logs | 1 year (7 years for incident-related logs) | Legitimate interest |
| Marketing data | Until consent is withdrawn | Consent |
| Analytics (aggregated) | Indefinite | Not personal data (anonymized, aggregated) |
Automatic deletion: A scheduled job checks daily for data whose retention period has expired and deletes it, except where a legal retention obligation or a pending legal claim requires it to be kept
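The daily check described above, written out as an added example that is not Onesurance's own code: a retention job that derives each record's expiry from a per-category policy mirroring the table, starts the clock at the right event (contract end, record creation, or withdrawal of consent), and refuses to delete records under a legal hold, reporting them in a separate bucket for review instead of silently keeping them. The category names, the record fields and the legal_hold flag are assumptions made for illustration, and the sample records are constructed.

```python
"""Daily retention check, modelled on the retention table above.

Added example, not Onesurance's own code. Policy names, record fields and
the legal-hold flag are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy table: category -> (date field the clock starts from, period).
# None means the category never expires (aggregated analytics is not personal data).
RETENTION = {
    "customer_data": ("contract_end", timedelta(days=30)),
    "communication": ("contract_end", timedelta(days=365)),
    "invoice": ("created", timedelta(days=7 * 365)),
    "support_ticket": ("created", timedelta(days=2 * 365)),
    "security_log": ("created", timedelta(days=365)),
    "security_log_incident": ("created", timedelta(days=7 * 365)),
    "marketing": ("consent_withdrawn", timedelta(days=0)),
    "analytics_aggregated": None,
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    contract_end: Optional[date] = None        # None while the contract is still running
    consent_withdrawn: Optional[date] = None   # None while marketing consent stands
    legal_hold: bool = False                   # legal claim or legal retention duty blocks deletion
    incident_related: bool = False             # security logs tied to an incident keep 7 years


def effective_category(rec: Record) -> str:
    """Security logs linked to an incident fall under the longer 7-year policy."""
    if rec.category == "security_log" and rec.incident_related:
        return "security_log_incident"
    return rec.category


def expiry_date(rec: Record) -> Optional[date]:
    """Return the date from which the record may be deleted, or None if no clock is running."""
    cat = effective_category(rec)
    if cat not in RETENTION:
        # Fail closed: an unknown category is a policy gap, not a licence to keep data forever.
        raise ValueError(f"no retention policy for category {cat!r}")
    policy = RETENTION[cat]
    if policy is None:
        return None
    anchor_field, period = policy
    anchor = getattr(rec, anchor_field)
    if anchor is None:
        return None  # clock has not started yet (active contract, consent not withdrawn)
    return anchor + period


def run_retention_job(records: list[Record], today: date) -> dict[str, list[str]]:
    """Sort records into delete / held / retained buckets; the caller acts on 'delete'."""
    result: dict[str, list[str]] = {"delete": [], "held": [], "retained": []}
    for rec in records:
        expiry = expiry_date(rec)
        if expiry is None or expiry > today:
            result["retained"].append(rec.record_id)
        elif rec.legal_hold:
            # Expired, but deletion is blocked: surface it so the hold is reviewed, not forgotten.
            result["held"].append(rec.record_id)
        else:
            result["delete"].append(rec.record_id)
    return result


# Constructed sample data for the demo.
SAMPLE = [
    Record("r1", "customer_data", date(2022, 1, 1), contract_end=date(2024, 12, 1)),
    Record("r2", "customer_data", date(2023, 5, 1)),                       # contract still active
    Record("r3", "invoice", date(2017, 1, 1), legal_hold=True),             # expired, but on hold
    Record("r4", "security_log", date(2024, 3, 1)),                         # within 1 year
    Record("r5", "security_log", date(2019, 6, 1), incident_related=True),  # 7-year clock
    Record("r6", "support_ticket", date(2022, 1, 10)),                      # past 2 years
    Record("r7", "marketing", date(2024, 1, 1)),                            # consent still valid
    Record("r8", "marketing", date(2024, 1, 1), consent_withdrawn=date(2025, 1, 10)),
    Record("r9", "analytics_aggregated", date(2020, 1, 1)),                 # never expires
]


def run_on_sample(today_iso: str) -> dict[str, list[str]]:
    """Run the job over the constructed sample as of the given ISO date."""
    return run_retention_job(SAMPLE, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for bucket, ids in run_on_sample("2025-01-15").items():
        print(f"{bucket:>8}: {ids}")
```

Run directly, it prints the three buckets for the constructed sample as of 15 January 2025. In production the job would act on the delete list, escalate the held list for periodic review, and write a deletion receipt per record so that the later expiry of backups containing that data can be demonstrated.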
Data Protection Impact Assessments (DPIA)
When is it required
• New technology with high privacy risk
• Large-scale processing of special categories
• Systematic monitoring
• Automated decision-making with legal consequences
• Large-scale processing
Our DPIAs
• Performed for: AI models (Churn, CLV, NBP), Defend Agent
• Latest DPIA: [Date]
• Outcome: Acceptable risk with mitigating measures
• Measures: Anonymization, aggregation, human oversight
• Review: In case of significant changes or annually
DPIA Process
Description of processing and purposes
Necessity and proportionality assessment
Risk identification for rights of data subjects
Measures to address risks
Consultation with the Data Protection Officer
Documentation and approval
(If necessary) Prior consultation with supervisory authority
International Data Transfer
Data location
• Primary: Azure West Europe (Netherlands)
• Backup: Geo-redundant copies within the EU (primary region Azure West Europe)
• No transfer outside the EU/EEA
Subprocessors (See also Template 08)
• Microsoft Azure: EU data centers, Standard Contractual Clauses
• Bonsai Software: EU-based, processing agreement
• Vendor selection: Preference for EU-based vendors; reliance on adequacy decisions only where a non-EU vendor is unavoidable
• New subprocessors: Advance notification to customers, with the option of prior customer approval
Safeguards for transfers (if applicable)
• Adequacy decision (Art. 45 GDPR)
• Standard Contractual Clauses (Art. 46 GDPR)
• Binding Corporate Rules (not applicable)
• Transfer Impact Assessment (TIA) performed
Privacy by Design & Default
Design Principles
• Proactive not reactive: Privacy from the initial design phase
• Privacy as default: Most privacy-friendly settings by default
• Embedded into design: Privacy an integral part of the system, not an add-on
• Full functionality: No trade-off between privacy and functionality
• End-to-end security: Full lifecycle protection
• Visibility and transparency: Clear to users
• User-centric: Respect for user privacy
Implementation
• Minimization: Only essential data fields required
• Purpose limitation: Data only for declared purpose
• Access controls: Least privilege by default
• Encryption: Default for all sensitive data
• Audit logging: Transparency about data access
• Retention: Automatic deletion after period
• Portability: Built-in export functionality
Privacy Governance
Privacy Review Board
• Composition: DPO, Security, Legal, Product, Engineering
• Frequency: Monthly
• Agenda: New features, DPIAs, privacy incidents, policy updates
• Decision-making authority: Go/no-go for privacy-impactful changes
Privacy Training
• Onboarding: Mandatory privacy training for all new employees
• Refresher: Annual refresher
• Specific training: For employees with data access
• GDPR awareness: Understanding principles and rights
• Incident response: Procedures in the event of a privacy breach
Privacy Metrics
• Data subject requests: Number, type, response time
• DPIAs: Number performed, risks identified
• Privacy incidents: Number, severity, time-to-resolution
• Training completion: Percentage of employees
• Policy updates: Frequency and communication
Data breaches & Reporting obligation
Detection & Assessment
• Monitoring: 24/7 security monitoring for anomalies
• Sources: Security tools, user reports, third-party notifications
• Initial assessment: Within 4 hours of detection
• Classification:
Scope: number of people involved
Data type: special categories, financial, etc.
Consequences: identity fraud, financial claim, damage to reputation
Reporting procedure
• Internally: Direct escalation to the DPO and management
• Customers: For data we process as processor, notification to the customer (controller) without undue delay so that it can meet its own 72-hour deadline, followed by proactive communication, updates, and support
• Dutch Data Protection Authority (AP): Within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the rights and freedoms of the individuals involved
• Data subjects: Without undue delay when the breach is likely to result in a high risk (e.g., physical, material, or non-material damage) that has not been mitigated by subsequent measures
• Content of the report:
Nature of the data breach
Categories and approximate number of individuals involved
Likely consequences
Measures taken/proposed
Prevention
• Preventive controls: See Template 03 (Data security)
• Regular testing: Penetration tests, vulnerability scans
• Incident response drills: Annual exercises
• Lessons learned: Post-incident reviews and improvements
Cookies & Tracking
Cookie policy
• Cookie notice: Clearly visible on first visit
• Categories:
Strictly necessary: Always active
Functional: For user experience
Analytics: For statistics (opt-in)
Marketing: For personalization (opt-in)
• Consent management: Granular control per category
• Withdrawal: Easy withdrawal via settings
Tracking Technologies
• Session cookies: For user sessions, deleted when browser is closed
• Persistent cookies: Retention period clearly communicated
• Third-party cookies: Only with consent
• Analytics: Google Analytics with IP anonymization
• No selling: We never sell data to third parties
Customer Processing Responsibilities
As data controllers, our customers determine:
• Purposes and means of processing
• Legal basis for processing
• How the rights of their data subjects are handled
• Retention periods (within our technical capabilities)
Onesurance, as processor:
• Processes data only on the instructions of the customer
• Assists with compliance with GDPR obligations
• Facilitates the exercise of data subjects' rights
• Assists with DPIAs where necessary
• Reports data breaches directly to the customer
Data Processing Agreement (DPA)
• Standard DPA available
• In accordance with Art. 28 GDPR
• Components:
Subject and duration of processing
Nature and purpose of processing
Type of personal data
Categories of data subjects
Rights and obligations of the controller
Processing instructions
Confidentiality
Security
Subcontractors
Rights of data subjects
Assistance with compliance
Audits
Data deletion/return
• Availability: At contract signing or upon request
Transparency & Communication
Privacy Notice
• Location: Website, in-app, contract documentation
• Updates: Version control, changelog available
• Notification: Email for material changes
• Archive: Previous versions available
Contact for Privacy
• Data Protection Officer: onesurance
• Response time: Within 5 business days for initial response
• Languages: Dutch and English
• Escalation: Management if dissatisfied with DPO response
Supervisory authority
• Netherlands: Dutch Data Protection Authority (AP)
• Website: autoriteitpersoonsgegevens.nl
• Right to lodge a complaint: Data subjects may lodge a complaint with the AP.
Onesurance B.V. | Breda, Netherlands | Chamber of Commerce: 87521997