Privacy statement

This Privacy Policy describes how Creuna gathers and uses certain information about individuals.

1. Purpose of collecting personal data

Creuna processes personal data only for purposes that are needed by Creuna’s services and to perform the processing according to privacy rights and regulations, including the need to protect personal integrity and private life and to ensure that personal data are of the right quality.

Further, it is the policy of Creuna to adhere to local data privacy legislation as well as corporate policies and procedures and applicable privacy directives, including the General Data Protection Regulation (EU 2016/679). Processing may include collection, recording, alignment, storage, transfer and disclosure, or a combination of these. Creuna may use resources from subcontractors outside the EU/EEA area in a way that is considered a transfer of personal data for carrying out tasks (i.a. support services), based on EU standard contractual clauses. Creuna processes personal data both as a processor and as a controller.

2. Categories of Personal data

Personal data are related to employees, customers, customers of the customers, vendors and visitors to Creuna’s webpages. Creuna processes:

  1. Personal data on behalf of Creuna’s customers and
  2. Personal data where Creuna is the data controller

It is the policy of Creuna to limit these data only to include contact details, strictly professional information and information related to the activities Creuna has performed in relation to the persons concerned. Creuna may collect, store, use and transfer personal data for specifically expressed purposes when the user visits Creuna’s webpages. Such purposes are in general daily operation of the system and communication.

3. Principle rules

When processing personal data Creuna will fulfill obligations

  1. towards the data subjects,
  2. towards public authorities and
  3. towards customers and controllers other than Creuna regarding how the processing is carried out.

The obligations are further detailed below.

3.1. In relation to the data subject, there are provisions in the applicable personal data act stipulating conditions for authorizing the processing. Consent from the data subject is normally a sufficient authorization. Depending on whether the data are sensitive or not, other conditions may authorize the processing. Furthermore, Creuna has an obligation to provide information to the data subject and, upon request, to provide access to the data. To ensure that personal data are of the right quality, inadequate personal data may be corrected.

3.2. In relation to the public authorities the applicable Personal Data Act contains an obligation to give notification.

3.3. When Creuna is providing services to customers that include processing of personal data, such processing can only take place when there is a contractual basis for such processing. The transfer of personal data to Creuna’s subcontractors in countries outside the EU/EEA can only take place when the data subject or the customer has approved the transfer. A legal basis is required for such transfer, for example a specific EU model clause agreement.

3.4. Regarding the processing itself, there are obligations with regard to data security and internal control. Organizational, physical and technical security measures shall be implemented to ensure an adequate level of data security. The measures shall be in proportion to the probability and consequences of any breaches of security to prevent loss of life or health, economic loss or loss of reputation and personal integrity. The use of external resources to process personal data may be subject to specific provisions of the applicable Personal Data Act, as may the transfer of data to other countries. Creuna will delete personal data when all purposes of the processing of the personal data are fulfilled. The retention time of each category of personal data is assessed considering practical, technical and other considerations.

4. Audit program

To verify that Creuna’s processing meets data protection and privacy requirements, Creuna will conduct audits according to a standard audit regime.

5. Changes to the Privacy Statement

Creuna reserves the right to amend this Statement at any time.

6. Complaint Mechanisms

Complaints may be addressed to compliance@creuna.com

Creuna Information Security and Data Privacy statement

1. General

This document is an overview of the Creuna Information Security and Data Privacy Governance.

2. Risk Assessment and Treatment

Creuna has the organization and routines in place to continuously identify and mitigate risks regarding:
• Security in IT operations
• Business
• Legal

3. Security and Data Privacy Policies

Creuna has, through the Creuna Security Governance and in accordance with ISO 27001 and OWASP S-SDLC, implemented several security and data privacy policies:

  • DATA CLASSIFICATION POLICY
  • DATA PROTECTION POLICY
    • PERSONAL DEVICES POLICY
  • NETWORK POLICY
  • ENCRYPTION POLICY
  • IDENTITY AND ACCESS POLICY
  • SOFTWARE AND SYSTEMS POLICY
  • DATA CENTER POLICY
  • TRAFFIC, DEVICE AND DATA MONITORING POLICY
  • SOFTWARE DEVELOPMENT POLICY
  • BREACH AND DATA LEAK DISCLOSURE POLICY
  • TRAINING AND AWARENESS POLICY
  • DATA SHARING AND COLLABORATION POLICY
  • PII PROCESSING POLICY
  • LOCAL POLICIES

4. Organization of Information Security

The Creuna SOC (Security Operations Center) is responsible for maintaining the high level of Security and Data Privacy stated in the Creuna Security Governance document. The Creuna SOC is not only responsible for the IT operations part of security and data privacy, but also has close collaboration with HR, Legal and Management. The Creuna SOC department reports to NMT (Nordic Management Team) which is the top-level operational management entity within the Creuna organization. The Head of SOC is responsible for identifying, reporting and mitigating any Security and Data Privacy risks and/or incidents. The Head of SOC is also available for consultation on specific customer, partner, sub-contractor and/or 3rd party requirements and questions.

5. Asset Management and Confidentiality Controls

As part of the Security Governance, Creuna has implemented a Data Classification policy. This policy aims to ensure that all data processed by Creuna is classified as either Forbidden, Highly Sensitive, Sensitive, Normal or Public, and handled accordingly. Creuna has systems and routines in place to monitor the compliance of the classified data, and act on violations.

6. Human Resources Security

The Creuna SOC works closely together with HR to make sure we maintain a high level of awareness and competence in regard to Information Security and Data Privacy among our employees and sub-contractors. Creuna incorporates training and awareness as part of our onboarding process, and continuously hosts training sessions. All Creuna employees and sub-contractors have a responsibility to keep up-to-date with the Security and Data Privacy policies and procedures.

7. Physical and Environment Security

The Creuna server facilities (Data Centers) have high levels of certification in regard to physical and environmental security. Creuna also has procedures and systems in place to secure our premises and monitor access to facilities and equipment:

  • Visitor system
  • Key-card access
  • Alarms
  • Pin codes and screen locks on computers and devices

8. Communications and Operations Management

The Creuna Data Center is our common infrastructure in the organization. This allows us to approach Information Security and Data Privacy in an efficient and unified fashion. Some of the common tools implemented in this infrastructure are:

  • anti-malware
  • phishing protection
  • services disruption protection
  • intrusion prevention
  • DLP
  • cloud services assessment, monitoring and compliance
  • identity and access management
  • vulnerability scanning and patch management
  • network encryption and segmentation
  • monitoring and incident response

Creuna provides and maintains numerous systems (Sanctioned Systems) for collaboration and processing of data and documents covered by the infrastructure security and compliance tools listed above.

9. Access Control

Creuna controls access and authentication centrally and can quickly deploy and demote access as needed.

10. Information Systems Acquisition, Development and Maintenance

The Creuna Systems & Security board is responsible for deciding on the introduction of, and changes to, sanctioned systems. The board evaluates and decides on requests at recurring meetings through a change management process. Decisions are made based on:

  • Security
  • Business risk
  • Compliance
  • Business needs
  • Cost

The Creuna SOC is responsible for ensuring that our customer solutions are developed in a secure manner (Secure by design, Privacy by default), and that the solutions maintained by Creuna stay secure through continuous vulnerability monitoring.

11. Information Security Incident Management

The Creuna SOC is responsible for monitoring our compliance and responding to incidents. This includes, but is not limited to, notifying authorities of breaches.

12. Business Continuity Management

Creuna has implemented several solutions and processes to secure our Business Continuity in case of disaster or emergency:

  • perimeter security and access control
  • education and awareness
  • onboarding and offboarding procedures
  • highly available and geo-resilient data center
  • backup and D/R
  • Personnel and knowledge retention
  • Procedure documentation and procedure automation
  • Continuous risk assessment and adaptation

13. Compliance

The Creuna SOC has the main responsibility for ensuring compliance. We also rely on external specialists and mechanisms to validate the work of the SOC and make sure we’re compliant. For example:

  • Recurring Legal auditing
  • Electronic whistle-blowing system
  • External InfoSec specialists doing recurring auditing

Our use of cookies

The information in this Cookie Policy is provided to you in an open and transparent way, so that you can see how cookies are used to enrich your visitor experience and make an informed choice to allow their usage. However, if you wish to delete cookies, this can be done via settings in your web browser. Below you can read more about our use of cookies.

Cookies

When you visit this website your online device will automatically receive one or several cookies, which are transferred from this website to your internet browser.

What is a cookie?

A cookie is a small text file. It does not contain any personal information and is not able to collect information.  Two types of cookies can be used, "session-only" and "persistent". "Session-only" cookies are deleted when you end your browser session. "Persistent cookies" remain on your device for the time period set in the cookie after which time they delete themselves. However, these cookies may be renewed every time you visit the website.

Cookie types

It is common to distinguish between first-party cookies and third-party cookies. First-party cookies are allocated to the website that you visit, while third-party cookies come from a third party, such as a web analytics program.

Why does the website use cookies?

We use cookies to assess content usage and to compile statistics about the use of the website in order to improve the user experience. This data may be used to define where the visitors come from, what content is viewed and for how long. This information cannot be used to identify a visitor as an individual.  Both first-party and third-party cookies may be used on this website.

How long will cookies be stored on my computer?

Cookie lifetime may vary. Some cookies will disappear when you close the browser while others exist for longer. For more information on cookie expiry see the cookie declaration.

Can I still visit the website if the cookie-function is disabled?

Yes. Should you have cookies disabled on your online device, you will continue to have the same access to the website content as with cookies enabled. However, some functions such as surveys and tools might operate with reduced functionality or not at all.

How to avoid or delete a cookie?

Most browsers accept cookies by default. You can alter your browser settings to not accept cookies or delete the cookies from your computer. Different web browsers may use different methods for managing cookies. Please follow the instructions below, from the most common web browser manufacturers directly, to configure your browser settings*.

Microsoft Internet Explorer (IE), Google Chrome, Safari, Firefox

* These links are to third party sites, over which we have no control – no liability can be claimed if they are inaccurate.

This cookie declaration is delivered and maintained by Cookie Information

Cookie declaration last updated on 06.03.2020

Strictly necessary (7)

Strictly necessary cookies help make a website navigable by activating basic functions such as page navigation and access to secure website areas. Without these cookies, the website would not be able to work properly.
| Name | Provider | Purpose | Expiry |
| JSESSIONID | .nr-data.net | Collects information about the website and its contents for reporting and security purposes. | Session |
| stsservicecookie | login.microsoftonline.com | Required for the website to perform properly. | Session |
| ARRAffinity | .creuna.com | Required for the website to perform properly. | Session |
| x-ms-gateway-slice | login.microsoftonline.com | Required for the website to perform properly. | Session |
| ASP.NET_SessionId | www.creuna.com | Supports the integration of a third-party platform on the website. | Session |
| fpc | login.microsoftonline.com | Required for the website to perform properly. | a month |
| __cfduid | .errorception.com | Required for the website to perform properly. | a month |

Functional (1)

Functional cookies make it possible to save information that changes the way the website appears or acts, for instance your preferred language or region.
| Name | Provider | Purpose | Expiry |
| __cfduid | .myvisitors.se | Required for the website to perform properly. | a month |

Statistical (9)

Statistical cookies help the website owner understand how visitors interact with the website by collecting and reporting information.
| Name | Provider | Purpose | Expiry |
| _hjIncludedInSample | www.creuna.com | Collects information about the users and their activity on the website for analytics and reporting purposes. | Session |
| _dc_gtm_UA-xxx-xxx | .creuna.com | Collects information about the users and their activity on the website through embedded elements with the purpose of analytics and reporting. | a few seconds |
| player | .vimeo.com | Collects information about the users and their activity on the website through embedded video players for analytics and reporting purposes. | a year |
| _sp_ses.xxx | .simplecast.com | Collects information about the users and their activity on the website for analytics and reporting purposes. | 30 minutes |
| _ga | .creuna.com | Collects information about the users and their activity on the website for analytics and reporting purposes. | 2 years |
| _sp_id.xxx | .simplecast.com | Collects information about the users and their activity on the website for analytics and reporting purposes. | 2 years |
| _hjid | .creuna.com | Collects information about the users and their activity on the website for analytics and reporting purposes. | a year |
| vuid | .vimeo.com | Collects information about the users and their activity on the website through embedded video players for analytics and reporting purposes. | 2 years |
| _gid | .creuna.com | Collects information about the users and their activity on the website for analytics and reporting purposes. | a day |

Marketing (19)

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and interesting to the individual user and thus more valuable for publishers and third-party advertisers.
| Name | Provider | Purpose | Expiry |
| fr | .facebook.com | Facebook's primary advertising cookie, used to deliver, measure and improve the relevancy of ads. | 3 months |
| UserMatchHistory | .linkedin.com | Supports online marketing by collecting information about the users to promote products through partners and other platforms. | a month |
| lang | .linkedin.com | Supports online marketing by collecting information about the users to promote products through partners and other platforms. | Session |
| bcookie | .linkedin.com | Supports online marketing by collecting information about the users to promote products through partners and other platforms. | 2 years |
| xxx_u | c.23video.com | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | a year |
| uuid | c.23video.com | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | a year |
| ad_session_id | creunano.videomarketingplatform.co | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | an hour |
| | www.facebook.com | Supports online marketing by collecting information about the users to promote products through partners and other platforms. | Session |
| session_referer | creunano.videomarketingplatform.co | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | Session |
| IDE | .doubleclick.net | Used for online marketing by collecting information about the users and their activity on the website. The information is used to target advertising to the user across different channels and devices. | a year |
| lang | .ads.linkedin.com | Supports online marketing by collecting information about the users to promote products through partners and other platforms. | Session |
| lidc | .linkedin.com | Supports online marketing by collecting information about the users to promote products through partners and other platforms. | a day |
| bscookie | .www.linkedin.com | Supports online marketing by collecting information about the users to promote products through partners and other platforms. | 2 years |
| _visual_swf_referer | c.23video.com | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | Session |
| GPS | .youtube.com | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | 30 minutes |
| YSC | .youtube.com | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | Session |
| VISITOR_INFO1_LIVE | .youtube.com | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | 6 months |
| xxx_p | c.23video.com | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | a year |
| _fbp | .creuna.com | Identifies browsers for the purposes of providing advertising and site analytics services. | 3 months |

Unclassified (4)

We are in the process of classifying unclassified cookies together with the providers of the individual cookies.
| Name | Provider | Purpose | Expiry |
| x-ms-routing-name | .t.myvisitors.se | | an hour |
| TiPMix | .t.myvisitors.se | | an hour |
| spscreqid | .simplecast.com | | 19 years |
| _cunaid | www.creuna.com | Pending | 2 years |

Your consent applies to the following domains: creuna.com