Service overview

Data Protection: Frequently Asked Questions

We are committed to protecting your personal data and maintaining transparency in how we process your information, in full compliance with the General Data Protection Regulation (GDPR).

This page provides answers to data protection questions, complementing the details outlined in our Privacy Policy.

Studyo Ltd ("Supplier") is in full compliance with GDPR and all other current legislation concerning data protection and privacy.

The Supplier shall act as the data processor and the Customer is the data controller. However, if the Parties have agreed on the OnPrem Solution, the Supplier shall act as the sub-processor, the Customer shall act as the data processor and the Customer’s end customer shall act as the data controller.

The Truugo service and its data are hosted in Microsoft Azure Cloud, which is ISO/IEC 27001 certified.

We store your personal data securely, utilizing industry-standard encryption methods both in transit and at rest. Our data storage is hosted in secure data centers with strict access controls and monitoring protocols.

The data storage is hosted within the EU at the premises of our data center provider, Microsoft Azure Cloud.

Personal data

Personal live data will be automatically deleted or anonymized within 90 days following the closure of a user account.

Additionally, personal data stored in backups and logs will be deleted according to the schedules outlined below.

Customer data

Customer data includes user-generated content (test profiles, subset documentation, test reports), and uploaded files (test files and supplementary documentation).

Test reports and files are retained according to the storage period specified by the service plan, typically between 2 and 30 days. Users also have the option to remove test reports and files at any time.

Other customer data marked as "removed" will be permanently deleted automatically, following item-specific schedules, usually within 60 days.

Additionally, customer data stored in backups and logs will be deleted according to the schedules outlined below.

Billing data
Billing data is retained for as long as necessary to meet legal and business requirements.

Log data
System logs are archived monthly and will be automatically deleted based on log-specific retention schedules, typically within 30 to 180 days.

Statistics data
System-generated statistics are generally stored for up to one year.

Backup data
Backup data is retained for 30 to 365 days and will be automatically deleted according to backup-specific schedules.

We perform automated backups on a daily, weekly, and monthly basis, which are securely stored in the Microsoft Azure Cloud.

Live data can be restored from existing backups, and the software can be restored using Git version control. The entire restoration process is documented to ensure quick and efficient recovery if needed.

The service is deployed as a containerized application. Each new release includes an automated search for, and installation of, library patches and updates.

Studyo Ltd performs regular internal audits to ensure the integrity and security of our systems.

We systematically track and resolve incidents with appropriate corrective actions. When applicable, we will identify, collect, and provide the necessary evidence to the customer in the form of application and audit logs related to the incidents affecting them. Additionally, we will implement controls to prevent similar incidents from recurring.

Customers will be notified of incidents relevant to their environments, along with any recommended actions they may need to take.

For incidents specific to a customer, we will inform the affected party via email, using the registered email address of the customer’s primary contact.

Users can enable Multi-Factor Authentication (MFA) in their account settings. Additionally, MFA is mandatory whenever a user logs in from a new device or web browser.

The system applies the following policies to ensure the security of user passwords:

Minimum length
The password must be between 8 and 32 characters.

Complexity requirements
Passwords must include at least one uppercase letter, one lowercase letter, one numeric digit, and one special character.

Password expiry
Passwords will expire after a defined number of days. Prior to expiry, the system will send an email prompting users to update their password.

No reuse of old password
New passwords must be different from the previously used password.

Account lockout on failed attempts
Accounts will be locked after a defined number of unsuccessful login attempts.