Information Security

Modified on Fri, 29 May at 10:56 AM


Documentation on information security and measures in accordance with data processing agreements with customers

Document type: Information Security Documentation

Version: May 2026

Date: 21 May 2026

Signed by: Rasmus Halberg, CEO, Hubhus ApS

Language: English (translation of original Danish document)

Important note

This document is prepared for customers who have entered into a data processing agreement with Hubhus ApS. It describes how Hubhus processes personal data on behalf of data controllers and documents compliance with the EU General Data Protection Regulation (GDPR).

5 key facts

1. Data stays within the EU/EEA

Personal data is not transferred outside the EU/EEA. This is ensured through cooperation agreements with all suppliers. Annual follow-up confirms compliance. Hubhus uses the sub-processors CuraNet and Hetzner Online GmbH, both within the EU/EEA.

2. Technical and organizational measures

Hubhus maintains security policies, access controls, antivirus, firewalls, network segmentation, system monitoring with alerting, logging, vulnerability scanning, penetration testing, and two-factor authentication for high-risk processing. All measures are reviewed continuously and at minimum once a year.

3. Employee controls and confidentiality

All employees sign a confidentiality agreement upon employment and are introduced to the information security policies and data processing procedures. Access to personal data is restricted to employees with a work-related need. Ongoing awareness training is conducted on IT security and GDPR. Termination of employment triggers immediate revocation of access.

4. Security breach handling

Hubhus has established procedures for identifying, handling and notifying data controllers in the event of a personal data security breach. Employees receive awareness training specifically covering breach identification. Hubhus will assist the data controller with notifications to the supervisory authority (Datatilsynet) if required.

5. No DPO required; annual review

Based on applicable guidelines, Hubhus has assessed that a Data Protection Officer (DPO) is not required. A record of processing activities is maintained and reviewed at minimum once a year. Roles and responsibilities in relation to GDPR are documented and updated annually.

Read more — full statement and control objectives

Section 1 — Nature of processing

Hubhus processes personal data on behalf of data controllers primarily to manage their users/customers in the Hubhus system. The purpose is to enable the customer to communicate with their users when delivering services or messages.

Customers decide which personal data to enter. This may include general personal data such as name, address, postal code and city. Hubhus ensures via forms that documented instructions exist from the data controller before handling personal data.

A risk assessment has been prepared in connection with the processing of personal data. Where the processing is likely to result in a high risk, a procedure for carrying out a data protection impact assessment (DPIA) has been prepared.

Section 2 — Hubhus ApS' statement (signed 21 May 2026)

Hubhus ApS confirms that the accompanying description provides a fair presentation of how Hubhus has processed personal data on behalf of data controllers as of 21 May 2026. The sub-processors used are CuraNet and Hetzner Online GmbH. This statement does not cover control objectives at sub-processors.

Some control objectives can only be achieved if complementary controls at the data controllers are appropriately designed and operate effectively together with Hubhus' controls.

Control objectives (assessment summary)

A — Instructions
  Description: Processing only occurs based on documented instructions from the data controller. The data processor notifies the data controller immediately if an instruction infringes GDPR.
  Assessment: No deviations

B — Technical measures
  Description: Risk assessment completed. Antivirus, firewall, network segmentation, access isolation, system monitoring, logging, vulnerability scanning, penetration testing, two-factor authentication, change management and pseudonymization of test/development data.
  Assessment: No deviations (minor note: protection of logs against manipulation is not explicitly documented)

C — Organizational measures
  Description: Information security policy approved by management and communicated to employees. Employee verification, confidentiality agreements, onboarding introductions, offboarding access revocation, awareness training, DPO assessment, record of processing activities.
  Assessment: No deviations

D — Deletion and return
  Description: Written procedures exist for storage and deletion of personal data. Specific retention periods and deletion routines are agreed with data controllers. Data is deleted upon termination of processing.
  Assessment: No deviations

E — Storage
  Description: Storage only in locations, countries or territories approved by the data controller. All data is stored within the EU/EEA.
  Assessment: No deviations (minor note: storage location is not explicitly stated in the DPA text; it is referenced in a separate document)

F — Sub-processors
  Description: Only approved sub-processors are used (CuraNet, Hetzner Online GmbH). Sub-processor agreements impose equivalent data protection obligations. Customers are notified of any changes. Annual follow-up on sub-processor activity.
  Assessment: No deviations (sub-processors are listed in a separate customer-accessible document)

G — Third country transfers
  Description: No personal data is transferred to third countries outside the EU/EEA.
  Assessment: No deviations

H — Data subject rights
  Description: Procedures exist to assist data controllers with providing access to, correcting, deleting or restricting the processing of personal data at the request of data subjects.
  Assessment: No deviations

I — Security breaches
  Description: Procedures for identifying security breaches and notifying data controllers without undue delay. Employee awareness training. Hubhus assists with notifications to the supervisory authority.
  Assessment: No deviations (no security breaches occurred during the statement period)

Customer responsibilities (complementary controls)

Certain control objectives can only be achieved if the data controller also performs its own complementary controls correctly. These include:

  • Ensuring personal data entered into the platform is accurate and up to date
  • Ensuring a lawful basis for processing exists
  • Informing data subjects about their rights
  • Verifying the identity of data subjects who wish to exercise their rights
  • Ensuring their own users and access configurations are current
