MiniCRM Data Privacy Policy
This is a user-friendly summary and not the substitute for the law-friendly data processing brochure provided on the following pages.
Who are we?
- Company name: MiniCRM Zrt.
- Address: 1075 Budapest, Madách Imre út 13-14, Hungary
- Email: help@minicrm.hu
- Phone: 36 (1) 999-0402
What do we do?
We respect your rights and aspire for satisfying your requests within the statutory deadlines. We process your data as we expect others to process our data.
As a Hungarian company, we provide a cloud-based client management system. Protecting your personal data is a priority for us. In earlier times - before the GDPR — our goal was to comply with the German data protection rules, prescribing stricter rules and regulations than the Hungarian ones.
We take care of your data, transfer them via encrypted channels, never sell them to anyone else and never use them for any purposes other than for what you have provided them.
We have our website; we measure its use, maintain a log for security reasons, we have online marketing with targeted campaigns, we process the data given by you, as a data processor we help your company with the CRM solution.
If you require so, we will issue your data after identification. If you require so, we will erase your data.
Our services
-
Website
Using Matomo Analytics, we keep a log of those who visit our web page to optimize the visiting experience, utilizing a “first party cookie”. Since Matomo Analytics is installed on our own server, the data stored through this technology are not accessible by any third party. We only store data about the history of visited pages, the devices, and operating systems used. We do not store IP addresses or physical addresses of the users. When you visit the website, Facebook and Google Ads will place cookies in your browser. Afterwards, based on these, it is possible for MiniCRM ads to be displayed while you are browsing. Your data will be deleted after 90 days.
-
Newsletter
You can subscribe to our newsletter by submitting your email address and your name. We will email you about new features, opportunities of free tutorials, and ideas useful for client management. We’ll send you an unsubscribe link in each email so that if you change your mind, you can cancel it at any time. We store your data for 365 days after the last interaction.
-
Free workshop
If you submit your name, email address, phone number for our free workshop, we will inform you through these channels. Our consultants will contact you using the contact details given by you to schedule a workshop appointment, and if you are interested, they will present the system and help you to acquaint with it. We will email you about new features, opportunities of free tutorials, and ideas useful for client management. If at any time you indicate that it was enough, we would not contact you anymore; if you request, we will erase your data. Otherwise, we will store your data for 365 days after the last interaction.
-
Free test system
If you wish to try our software, you can start a free test system at any time by giving your name, email address, and phone number. Using the contact details given by you, our consultants will contact you to show you the system and help you to acquaint with it. We will email you about new features, opportunities of free tutorials, and ideas useful for client management. If at any time you indicate that it was enough, we would not contact you anymore; if you request, we will erase your data. Otherwise, we retain your contact details and out notes in our CRM system for 365 days after our last contact.
In order to use our software, you must accept our General Terms and Conditions upon registration.
We log the use of the system for security reasons. We retain the data in various detail for 365 days.
The client data you have recorded in your test system and entrusted to us as a processor will be permanently erased 90 days after the test system is closed (during this period you can start a subscription without re-recording your data previously recorded in the test system).
-
Subscription
If you subscribe to MiniCRM services, we process your data as in the case of a free test account (see above). We retain your contact details and our notes in our CRM system for three years after our last contact.
Due to legal requirements, part of your personal data and the data included on the invoices issued will be retained in accordance with the applicable laws (for at least ten years, up to fifteen years after the last invoice is issued).
Detailed Data Processing Brochure
Data controller’s name
- Company name: MiniCRM Zrt.
- Full name of the company: MiniCRM Szolgáltató és Kereskedelmi Zártkörűen Működő Részvénytársaság
- Address: 1075 Budapest, Madách Imre út 13-14, Hungary
- Email: help@minicrm.hu
- Phone: 36 (1) 999-0402
- Website: https://www.minicrm.hu/
- Company registration number: 01-10-047449
- EU VAT number: HU 23982273
- Data processing registration number: NAIH-64809/2013
The term MiniCRM® is the word mark registered by the Office for Harmonization in the Internal Market (OHIM). View certificate.
Statement of consent for processing my personal data
I give my voluntary and explicit consent to the processing of my data given when visiting, subscribing to, and registering at, the electronic platforms of MiniCRM (https://www.minicrm.hu, https://www.minicrm.io, https://www.minicrm.ro, https://www.minicrm.sk, https://www.minicrm.eu, https://www.minicrm.at, Facebook ads, Google ads), as well as given to prepare, the MiniCRM test system required for the free trial.
By recording my details, I declare that I am older than the age of 18 years and have a full legal capacity. I represent a legal person or other organization without legal personality, and I am a mandated, authorized person to act on behalf of the person or organization represented by me and give the consent required for the management and processing of data according to this Brochure.
I declare that I provide no sensitive personal data to MiniCRM during registration or later in any form. Sensitive personal data shall mean, in particular, data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data, or biometric data suitable for the purpose of uniquely identifying a person; data concerning health or data concerning sex life or sexual orientation.
I declare that I do not place at the disposal of MiniCRM any number suitable for personal identification, including, but not limited to, passport number, personal number, identity card number, address card number, driving license number.
I declare that I will record my clients’ data exclusively through the dedicated interfaces of the MiniCRM software. I will not email those data either to the central (help@minicrm.hu) or the direct email address of the MiniCRM staff.
I declare that I provide access to my MiniCRM system for the MiniCRM employees only through the “consultant invitation” function, I never record them as a “normal” user.
By giving my consent, I understand that MiniCRM can send me advertising messages, announcements, event invitations and contact me via phone calls related to the scope of its activity.
I can withdraw my consent to the processing of my data at any time by sending a request in the manner indicated in the Brochure, such as using the help@minicrm.hu email address.
Legal ground based on a legitimate business interest
If by filling in the form you give your data and show your interest toward the MiniCRM System, your application is considered as a contract preparation. In this case, a legal ground for the processing of your Personal Data under the GDPR will be the legal ground given by a legitimate business interest. This altered legal ground will not change your rights and the processing of your Personal Data, this only means that during the preparation of the contract if you do not request the termination of the process, we will continue to process your personal data to prepare the contract.
Contractual legal ground in case of subscription
If you subscribe to the MiniCRM System, you shall pay for our product under the terms and conditions detailed in the General Terms and Conditions. In this case, a legal ground for the processing of your Personal Data under the GDPR will be the legal ground given by the contract. This altered legal ground will not change your rights and the processing of your Personal Data, this only means that during the term of the contract if even you withdraw your consent given with the use of the free version, we will continue to process your Personal Data for the performance and purpose of the contract.
As soon as the contract is performed or terminated, the legal ground for the processing of your data will change again and in what follows we will process your Personal Data according to law.
After termination or performance of the Contract, on the basis of law
Regarding the details included in the invoices, we are required to continue to process your Personal Data by law.
Your rights
The following rights apply. Based on the GDPR, we have to reply to your request in connection with those at the latest within one month. We will do everything we can to react much earlier.
Right to information
You may request us to provide information about your personal data that we process. You may request access to these data.
On your profile page you can view the Personal Data you entered in your user account.
At any time, you can request information in writing by sending a letter with acknowledgment of receipt to our address or by email to help@minicrm.hu. We consider the request for information sent by letter as authentic if we can clearly identify you on the basis of the request sent.
We consider the request for information sent by email as authentic only if you send it from your registered email address. However, this does not exclude the possibility of identifying you in another manner for security reasons before providing the information.
The request for information may cover the data we process, their source, the purpose, the legal basis, the duration of the processing, the names and addresses of the casual data processors, the activities related to data processing and, in the case of the transfer of Personal Data, who and for what purpose have received or are receiving your data.
Right of access
If you ask us to inform you whether your Personal Data are being processed, and, where the answer is ‘yes’, you will be given the right to access the purposes of the processing, the data categories, the recipients, the period for which the personal data will be stored, the data subject’s rights, legal remedies, the data sources, the existence of automated decision-making and data transfer to abroad.
Right to rectification
You have the right to obtain the rectification or alteration of your Personal Data in writing at any time by sending a letter with acknowledgment of receipt to our address or by email to help@minicrm.hu. Taking into account the purposes of the processing, you have the right to obtain completion of incomplete Personal Data.
Right to be forgotten (right to deletion)
You have the right to obtain the erasure of your Personal Data we process. The deletion of the data may be refused (i) for exercising the right of freedom of expression and information, or (ii) where Personal Data are processed for reasons of public interest (authorised by law); and where the processing occurs (iii) in an equitable private interest (for the establishment, exercise or defence of legal claims).
We will inform you in any case of the refusal of the deletion request, stating the reason for the refusal. After performing the request for deletion of Personal Data, previous (deleted) data can no longer be recovered.
Newsletters can be canceled via the unsubscribe link they contain.
Right to restriction of processing
You have the right to obtain from the controller restriction of processing if you contest the accuracy of the processed Personal Data. In this case, the restriction applies for a period that enables us to verify the accuracy of the Personal Data.
We will mark the processed Personal Data if you contest their correctness or accuracy, but the incorrectness or inaccuracy of the contested Personal Data may not be clearly ascertained.
You may also request that the processing of your Personal Data be restricted if the Data Processing is unlawful, but you oppose the deletion of the Personal Data processed and request the restriction of their use instead.
You may also use this right if the purpose of Data Processing is achieved, but you require the processing of your data for the establishment, exercise or defense of legal claims.
If you contest processing, we restrict the processing of your Personal Data pending the verification whether the legitimate grounds of the data controller override those of the data subject. Right to data portability
You have the right to receive the Personal Data, which you have provided to us and which are automatically processed by you, in a structured, commonly used and machine-readable format provided by the MiniCRM software (XML/XLS/CSV) and/or obtain their transfer to another data controller.
Right to object
You have the right to object to processing of your Personal Data (i) where the processing of Personal Data is solely necessary to comply with our legal obligation or to enforce our legitimate interests; (ii) where the purpose of Data Processing is direct marketing, public opinion poll or scientific research; or (iii) where the Data Processing occurs for the performance of a task carried out in the public interest.
We investigate the lawfulness of the objection and, if the grounds for the objection are established, we terminate the Data Processing and block the processed Personal Data, also we notify of the objection and any actions taken based thereon all persons to whom the Personal Data affected by the objection were previously transferred.
The purpose of the processing
- Protecting your rights.
- Identifying you, communicating with you.
- Identifying your entitlements.
- Customizing the system and marketing messages sent to you. Ensuring targeted, relevant messages based on the area of interest, industry, company type, deciding factor and job position.
- Client support, consulting, product presentation, answering questions.
- Creating statistics, analyses and decision support. Based on this, coordinating content and product development to produce actually used functions and actually read contents.
- Software product development and safe operation.
- Creation of services, service quality and security conditions undertaken in the General Terms and Conditions.
- Compliance with our legal obligations.
- Pursuing our legitimate business interests.
Data processed
We process the data given by you:
- Name
- Phone
- Website
- LinkedIn/Facebook profile link
- Billing address, place of business
We log the data for security reasons:
- Viewed page/function
- Browser cookie
We build a profile for marketing purposes:
- What problem do you need to find a solution to, why you need CRM?
- What are your main decision viewpoints?
The profile construction is based on the data you provide. Our goal is that the messages we send are really interesting and relevant to you. We also do not like receiving general messages that are not relevant to us.
Based on the profile data, we target and build newsletters manually with hand-made filters. There are no decisions based on automated data processing during the process.
We log the calls:
- Call metadata (who-when talked with whom)
- All incoming calls to our central number are recorded after the pre-recorded message is automatically played, for quality assurance reasons (in case of complaints and randomly selected calls, managers retrospectively listen to the recordings and develop the capabilities of the client service team through coaching).
As a data processor, we store the data recorded by you in the MiniCRM System. The range of these data depends on the fields you create, and this is your responsibility what data you capture in those.
Data sub-processors
Server hosting services:
- Name: Telekom Rendszerintegráció Zrt. - T-Systems Cloud & DataCenter
- Address: 1097 Budapest, Könyves Kálmán körút 36.,
- Telefon: 1400
- E-mail: info@t-systems.hu
- Website: http://www.t-systems.hu/
- Stored data: system logs, data stored in the CRM system.
- Operations: rack cabinet service, Internet connection providing, electricity providing.
Email and document management, calendar, phone contacts, table synchronization, display of targeted advertising:
- Name: Google Ireland Limited
- Address: Gordon House, Barrow Street, Dublin 4, Ireland
- Phone: N/A
- Email: N/A
- Website: https://www.google.com/
- Stored data: correspondence, individual contracts and offers, calendar entries, and telephone contacts, based on data divided into filter tables, unique user IDs, and visitor identification cookies.
- Operations: email service, document management, calendar service, synchronization of phone contacts between devices, online spreadsheet manager, display of targeted advertisements (retargeting).
Display of targeted advertising:
- Name: Meta Platforms Ireland Limited
- Address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
- Phone: N/A
- Email: N/A
- Website: https://www.facebook.com/
- Stored data: website visit data, unique user IDs, and visitor identification cookies.
- Operațions: displaying targeted advertisements (retargeting).
Calendar, phone contacts:
- Name: Apple Inc
- Address: Apple Park, 1 Apple Park Way, Cupertino, California, U.S.
- Phone: +1 800 220325
- Email: N/A
- Website: https://www.apple.com/
- Stored data: calendar entries, phone contacts.
- Operations: calendar service, synchronization of phone contacts between devices.
Encrypted static data, and data backups:
- Name: Amazon Web Services EMEA SARL
- Address: 38 AVENUE JOHN F. KENNEDY, L-1855 LUXEMBOURG
- Phone: N/A
- Email: N/A
- Website: https://aws.amazon.com/
- Stored data: encrypted static files, encrypted data backups.
- Operations: static storage provision (S3), content delivery network (CloudFront), secondary operating platform.
Customer service call center operation, call recording:
- Name: Arenim Technologies Kft.
- Address: 1095 Budapest, Lechner Ödön fasor 6th, 7th floor
- Phone: +36 1 8 555 111
- Email: support@arenimtel.com
- Website: https://arenimtel.com/hu/
- Stored data: customer service phone call metadata, recorded phone calls.
- Operations: call redirecting, call center service, call recording.
SMS sending service:
- Name: Opennetworks Kft.
- Address: 1125 Budapest, Kiss Áron utca 9.
- Phone: +36 1 999 6000
- E-mail: info@opennet.hu
- Website: http://www.opennet.hu/
- Stored data: phone number, SMS message content and metadata
- Operations: mass SMS sending service for all MiniCRM customers.
International SMS sending service:
- Name: LINK Mobility Poland Sp. z o.o.
- Address: Gliwice, Ul. Toszecka 10, 44-100, Poland
- Phone: +48 32 7 201 200
- Email: support@smsapi.com
- Website: https://www.smsapi.com/
- Stored data: phone number, SMS message content, and metadata
- Operations: international bulk SMS sending service for all MiniCRM customers.
Accounting:
- Name: Finacont Szolgáltató és Tanácsadó Kft.
- Address: 1062 Budapest, Aradi u. 16. 2. em. 2.
- Phone: +36 1 345 0092
- Email: finacont@finacont.com
- Website: https://finacont.com/
- Stored data: customer and seller data on the invoice, invoice items, and detailed invoice data.
- Operations: accounting, preparation of statutory reports and declarations.
Online data provision (invoicing):
- Name: Hungarian National Tax and Customs Administration (NAV)
- Address: 1134 Budapest, Dózsa György út 128-132.
- Phone: +36 1 412 5400
- E-mail: ebpavig@nav.gov.hu
- Website: https://www.nav.gov.hu/
- Stored data: customer and seller data on the invoice, invoice items, and detailed invoice data.
- Operations: online data provision from the invoicing module, data analysis, risk analysis, and official control.
Web analytics on the website
Please note that we use Matomo Analytics, Google Ads Remarketing, Google Ads Conversion Tracking and Facebook Pixel to measure the attendance of the www.minicrm.hu website and monitor visitor activity, prepare statistics, and optimise the performance of our ads.
The referred programs place so-called cookies in your browser, which store unique user identifiers. As a user of the MiniCRM website, you agree to the use of Matomo Analytics, Google Ads Remarketing, Google Ads Conversion Tracking and Facebook Pixel. You also agree to the monitoring and tracking of your activity and the use of all the services provided by the programs.
Additionally, you have the option to disable the capture and storage of information in cookies at any time in the future as described below. Please note that the settings and usage of Matomo Analytics, Google Ads Remarketing, Google Ads Conversion Tracking and Facebook Pixel programs fully comply with the requirements of the Data Protection Authority.
Matomo Analytics does not use a third-party cookie. The program is installed on MiniCRM’s server, and the collected data is accessible only by MiniCRM. We have configured Matomo Analytics in such a way that it does not collect IP addresses. The only personal data stored are the history of visited pages, the device, and the operating system used. These data do not allow for the identification of individuals.
Matomo Analytics
MiniCRM uses Matomo Analytics primarily for the production of its statistics, including measuring the effectiveness of its campaigns. Using this programme, MiniCRM mainly gets information on how many visitors have visited its Website and how much time visitors spent on the Website. The program recognizes the visitor, so you can track whether the visitor is a returning or a new visitor. Also, it can track the activity of the visitor, the traffic source and accessed pages.
Google Ads Remarketing
With the Google Ads Remarketing programme, MiniCRM collects DoubleClick cookie data in addition to the usual data. The DoubleClick cookie allows you to use the remarketing feature that primarily ensures that the MiniCRM Website visitors can later see the MiniCRM ad on free ad surfaces. The MiniCRM ads are also displayed on external service providers’ websites, such as Google. MiniCRM and external service providers such as Google use their own cookies and third-party cookies (such as DoubleClick cookie) to collect users’ past visits to the Website for orientation and for optimizing and displaying ads.
Google Ads Conversion Tracking
Google Ads Conversion Tracking is designed to enable MiniCRM to measure the effectiveness of Google Ads. This is done using cookies placed on the User’s computer, which exist for 30 days.
Facebook Pixel
MiniCRM uses Facebook’s remarketing pixel to increase the efficiency of Facebook ads, to build a so-called remarketing list. So, after visiting the Website, you can see ads on external service providers websites, such as Facebook. Remarketing lists are not suitable for personal identification. They do not contain visitor’s personal information, only the browser software is identified. We use these lists also to exclude MiniCRM users from viewing ads/advertisements for the service they are already using.
Disable cookies
If you want to manage or disable cookie settings, you can do so in your browser. This option can be found in the cookies/ tracking features placement menu depending on the browser toolbar. Usually, you can use the Tools > Preferences > Privacy settings to set which tracking features you enable/disable on your computer.
Principles of data processing
- The Data Controller manages the Personal Data by the principles in good faith, fairness, and transparency, as well as the applicable legislation and the provisions of this Brochure.
- The Data Controller uses the Personal Data that are indispensable for the use of the Services by the consent of the User concerned and solely in compliance with the purpose limitation.
- The Data Controller processes Personal Data only for the purpose specified in this Brochure and the relevant legislation. The scope of the Personal Data processed is proportionate to the purpose of data processing and cannot be expanded (data minimization).
- The Personal Data of a person who has not reached the age of 18 are not processed by MiniCRM as a business software provider.
- The Data Controller does not transfer the Personal Data it processes to any third parties other than the Data Processors specified in the present Brochure, and, in some cases referred to in this Brochure, the External Service Providers. Except as provided in this clause, the use of the data in a statistically aggregated form, that cannot contain any other data suitable for identifying the User concerned, shall not constitute Data Processing or data transfer.
- In certain cases, including official court or police inquiries, legal proceedings against copyright, property or other breaches, or their reasonable suspicion, the violation of Data Controller’s rights, the jeopardising of the provision of Services, etc., the Data Controller makes accessible to third parties the available Personal Data of the User concerned.
- The Data Controller’s System may collect data on the activity of Users that cannot be combined with other data provided by Users during registration, nor with any other data generated by the use of other websites or services.
- The Data Controller is responsible for the rectification, limitation or deletion of the Personal Data it processes and on notifying the affected User, and those to whom the Personal Data were previously transferred for the Data Processing
- Notification is not required if it does not violate the rightful interest of the data subject in light of the purpose of Data Processing.
- The Data Controller ensures the security of Personal Data, takes the technical and organizational measures and establishes the procedural rules that ensure that the recorded, stored, or processed data are protected or prevented from being accidentally lost, or unlawfully destructed, accessed to, used, altered or disclosed. The Data Controller requests all third parties to whom Personal Data is transmitted to comply with this obligation.
- Given the relevant provisions of the GDPR, the Data Controller is not obliged to designate a Data Protection Officer.
- The Data Controller is responsible for compliance with the principles.
Confidential data processing
MiniCRM processes recorded data confidentially doing everything to ensure the security of the data and uses them to ensure the proper functioning of the Website. This includes, inter alia, sending email and SMS to you and the contact details you provided, in which case the message will be sent through that service provider.
MiniCRM will never sell or loan your personal information to a third party for marketing purposes. By a summons, court decision or in the context of civil proceedings, MiniCRM may, if necessary, transfer your personal data and other relevant information.
Also, MiniCRM can assure or exercise its statutory rights and defend itself against legal actions.
For the safe processing of data, MiniCRM selects the IT tools used to process the data so that, during the operation, the data processed can be accessed only by MiniCRM as authorised for this purpose, the data credibility be preserved, no alteration of the recorded data occur outside the recording procedure, the recorded data be protected from unlawful access.
The data processed by MiniCRM may be transferred when requested by an authority or court, or by law, whereas MiniCRM will notify its users of this fact in its newsletter if this is not in conflict with the official or court request, or the related legal requirement.
Access of our staff to personal data
For our staff, we only provide the access to strictly necessary to work with the personal data processed by us. We log every access, and we ensure only strictly restricted access to the data saver feature.
Our salespersons, consultants, client support staff and developers do not even see the personal data recorded in your own MiniCRM system. If you provide access to your system to our colleague through the “Invite a Consultant” feature, he or she will only see your settings, not your data.
If because of integration development or debugging we reload the system to a test or development environment, it can only retrieve data through such a channel where data in a production environment are destroyed during the backup. Thus, in test and development environments, randomly generated characters can be found in the place of personal data (e.g., name, email, phone number, address) in the system.
Data backups are made using two-key encryption. Thus, even the employees who have access to the data backup file do not access the saved data in the absence of an “offline stored” key required for decoding.
Only the narrowest group of people required to operate production servers has access to the servers with live data. Every access is strictly logged after three-factor authentication: VPN key, SSH key, user password.
Data security
Data security is a complex issue in case of systems processing sensitive business data. Internal rules and processes of MiniCRM ensure that data security and privacy requirements are met in all areas:
- Data security
- Network security
- Data separation
- Contact
- Data backup, disaster prevention
- Identification and access control
- Security-conscious software development
All data stored in the MiniCRM System are stored physically in the territory of the European Union or a country that GDPR considers equivalent in the context of privacy and are subject to the EU privacy directives.
When external integrations are turned on (e.g., Google Calendar), the data concerned may get outside the EU territory, so when turning on these integrations, the system will require prior consent from users.
Technology
MiniCRM regularly updates all applied software for the protection from known platform attacks at all levels (Tools used by employees, Server operating system, Virtualization layer, Guest operating system, application).
Our servers are located in one of Europe’s most secure data centers (Dataplex/Magyar Telekom). We use a redundant and scalable infrastructure that does not have any point/device which failure would cause a loss of service.
Encrypted data backups are made automatically on a daily basis and transferred to other data centers to ensure data recovery in case of a disaster.
We adopt accepted industry solutions such as the Open Web Application Security Project (OWASP) and the Cloud Security Alliance Cloud Controls Matrix (CCM).
Access protection
Physical access to infrastructure is very limited. In each case, proper identification is required.
Since its inception, the MiniCRM System has been built as a multi-user service; the entire platform and infrastructure provide logical separation of data. The use of external identification services (Single-Sign-On) is supported (Google Account, OpenID).
Network security
Multiple level firewall protection separates data storage servers from the outside world. Internet connectivity is provided only by dedicated load balancing servers. Application servers and data storage servers operate in internal network separated from each other, a connection between them is provided via an intermediate firewall/load balancing layer.
Production/test/intergration test/development environment operate in a separate network.
Multilevel intrusion attack alert and phishing attack alert protect the stored data. Unused services, protocols, and software become removed. All our servers are built on a minimal basis; only the required software is installed.
We control the effectiveness of our processes and internal rules by external security audits.
Availability
The availability of business applications is critical. Our infrastructure, built with dozens of quality servers, ensures that the failure of any component does not lead to a complete service failure.
Container-based architecture is not only conducive to security; individual services can be automatically migrated between servers, providing continuous availability and balancing the different loads of different periods.
The MiniCRM contract guarantees at least 99.9% availability. The planned availability of the infrastructure used is 99.99% per month. Independent external monitoring service measures the availability between 99.98% and 99.99% on a monthly basis, including any downtime during pre-announced night-time maintenance as a service failure.
Data backup and disaster prevention
All data recorded in the MiniCRM System are mirrored on multiple media and multiple servers in almost real-time. Distributed, redundant data storage ensures that failure of any of the hardware devices does not lead to data loss.
Automatic data backup is made daily and transferred in encrypted form to a data center outside of Hungary.
Every day backup is automatically tested. Databases are loaded from backup to the dedicated server, and a thorough, multi-step process runs through restored systems. The testing system collects the logs and analyzes the expected test results. It sends a daily report to the operating team.
Identification and access control
All and any access is only possible through specified user accounts to ensure traceability.
Strong passwords protect user accounts, the rules found in the app provides password strengths. Each password is stored as a highly encrypted, one-way “salted” hash value.
The users with administrator privileges can manage user accounts in the client system.
Accounts are protected against incorrect password attempts by an automated blocking system that locks out the IP address and user account after several incorrect attempts.
Two-factor identification
Users can turn on two-factor authentication. In this case, after login with a valid email address and a password from a new device, the MiniCRM System will ask for an additional security code. This can be either SMS or TOTP (Google Authenticator) code.
Security-conscious software development
Security is not only a subsequent idea; it is an integral part of our development processes. New developers are engaged in detailed training to understand data security and privacy issues adequately.
There are several layers of application design, and the platform has built-in protection against the most commonly encountered attack interfaces/modes.
After each change, automatically running tests, automated integration tests, and static code analysis tools monitor the quality.
Security-sensitive code parts are monitored separately, and changes to these parts can be added to the next version after compulsory code review.
Reliability
In addition to data security and availability, it is of utmost importance that users rely on the solution as a registration system. Based both on objective and subjective considerations.
A Registration System is required to be a credible source of the data elements and information it processes. It should be possible to track what, by whom and when was recorded, modified or placed to recycle bin.
The rules determined in the development stage ensure the validity of the data and the integrity of the relationships between interrelated data.
Up-to-date technology
Without a separate upgrade/follow-up/development fee, we always provide a system supporting current technologies.
We continuously update not only the software running on our servers but also the “building blocks” of the framework system seen by the users. This way, we ensure that once delivered solutions will work during many years with the then current browser/notebook/mobile device combinations.
Automatically scales itself
The MiniCRM System is fast not just at launch, but with a dozen of users and some thousand records. As the data accumulate and the number of users increases, the platform automatically allocates more resources always to meet the needs.
Duration of data processing
In compliance with the requirements of GDPR, we process your data with predetermined limitation period for each group of data processed.
As a rule of thumb, detailed security logs are stored for 90 days; other security logs are stored for 365 days.
Personal data are stored for 365 days after the last contact unless a statutory requirement or a contract requires a more extended period.
For a detailed description of each data group, purposes of data processing, and retention times see “Our Services”.
Data transfer
We are entitled and required to transfer any Personal Data that is available to us and lawfully stored by us, to the competent authorities, where a legal rule or a final official order compels us to transfer this Personal Data. The Data Controllers cannot be held responsible for such data transfer and the resulting consequences.
If we transfer the operation or utilization of our service to a third party in whole or in part, we may transfer, in whole or in part, the Personal Data we have processed to the new operator without requesting your specific consent for this third party, however having properly informed you in advance, so that this data transfer shall not put you in a disadvantageous situation as regards the data processing rules indicated in the then current text of this Brochure. In the case of data transfer under this paragraph, before the data is transferred, we ensure a possibility for you to object to the data transfer before the data transfer. In case of objection, the transfer of your data according to this Section is not possible.
With a view to verifying the lawfulness of data transfer and for the information of the data subject, the data controller shall maintain a data transfer log, showing the date of transfer, the legal basis and the recipient of transfer, the description of the personal data transferred, as well as other information prescribed by the relevant legislation on data processing.
Updating the Brochure, Tracking Legal Changes
The data controller continuously reviews and updates the Brochure by changes in the legal environment and the official expectations. The User may continuously obtain information about the current Brochure in the “Privacy Policy” section on the MiniCRM website.
More questions/answers
You can always get information about data management and/or processing by sending an email to help@minicrm.hu.
You can turn with your complaints concerning data processing directly to the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Erzsébet Szilágyi fasor 22/c, Hungary; phone: +36-1-391-1400; email: ugyfelszolgalat@naih.hu; website: www.naih.hu).
In the event of a violation of your rights, you may turn to court. The action shall be heard by the general court. If so requested by the data subject, the action may be brought before the general court in whose jurisdiction the data subject’s home address or temporary residence is located. At your request, we will inform you about the possibilities and means of judicial remedy.
Budapest, 30 January 2024