Security and Privacy
Focused on security and privacy
Security is the foundation of trusted services and Taktikal is passionate about maintaining a high standard of security. Taktikal solutions are housed in highly secure data centers in Azure and utilize multi-factor access control systems and best practices in security controls.
Meets the eIDAS regulation
From the beginning Taktikal solutions for digital signatures have been developed in accordance with the requirements of EU Regulation no. 910/2014 (eIDAS).
Taktikal qualified signatures (QES) use CA Qualified Certificates provided by Auðkenni. Each signature is produced in such a way that it is uniquely linked to both the signer and the data signed. In addition, each signature is protected with a valid timestamp (from a qualified TSA), providing legal proof of the time it was produced. Finally, the document is sealed so that neither the time of signature nor the document itself can be changed after signing without invalidating the signature.
Taktikal Advanced Signatures (AES) authenticate users with ID and live-photo biometric verification as well as two-factor authentication via email and text message. Advanced signatures include a valid timestamp and are valid for long-term storage.
Taktikal Standard Signatures (SES) authenticate users with two-factor authentication via email and text message. Standard signatures include a valid timestamp and are valid for long-term storage.
Technical specifications
Our qualified signatures are developed according to the technical requirements of Regulation (EU) No. 910/2014 (eIDAS).
The signatures are produced according to the requirements for PAdES Long-Term Validation (LTV) signatures. They are CAdES signatures (ETSI.CAdES.detached) with document timestamps, CA certificates and OCSP revocation responses added to the document at the time of signing.
Qualified Certificates
The signatures are produced using CA Qualified Certificates and OCSP according to the requirements of Regulation (EU) No. 910/2014 (eIDAS). CA Qualified Certificates and OCSP are provided by Auðkenni. Auðkenni is a qualified trust service provider included in the European Trust List.
Qualified Timestamps
The signatures are protected with a qualified timestamp within the electronic signature creation device, according to the technical requirements of Annex II of Regulation (EU) No. 910/2014 (eIDAS), providing proof of the existence of specific data at the time of signing. Time stamping services are provided by a trust service provider included in the European Trust List, whose certified service meets the eIDAS requirements for qualified electronic time stamps.
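The LTV profile described above (a detached CAdES signature plus document timestamps, CA certificates and OCSP responses embedded at signing time) can be checked for completeness before a signed document goes into long-term storage. The following Python script is an added example, not Taktikal's code: it scans a PDF for the structures that carry each of those parts (the signature /SubFilter values, /DocTimeStamp dictionaries, and the Document Security Store /DSS with its /Certs, /OCSPs and /CRLs arrays, as defined by the PAdES standard) and reports what is missing. The two PDF fragments are constructed for the example and are not real signed documents. The script only checks that the LTV material is present; whether the signatures, timestamps and OCSP responses actually verify is a job for a full PAdES validator.

```python
import re

# /SubFilter values a PDF signature dictionary may carry (PAdES / ISO 32000).
SIGNATURE_SUBFILTERS = (b"ETSI.CAdES.detached", b"adbe.pkcs7.detached")
DOC_TIMESTAMP_SUBFILTER = b"ETSI.RFC3161"   # document timestamp (PAdES-LTV)


def _object_refs(pdf: bytes, key: bytes) -> set:
    """Unique indirect references ('n g R') found in every /key [...] array.
    A set is used because each incremental update may add a new DSS dictionary
    that repeats references already present in an earlier one."""
    refs = set()
    for array in re.findall(rb"/" + re.escape(key) + rb"\s*\[([^\]]*)\]", pdf):
        refs.update(re.findall(rb"\d+\s+\d+\s+R", array))
    return refs


def ltv_report(pdf: bytes) -> dict:
    """Report which LTV building blocks a signed PDF carries and which are missing."""
    subfilters = re.findall(rb"/SubFilter\s*/([A-Za-z0-9.]+)", pdf)
    signatures = [s.decode() for s in subfilters if s in SIGNATURE_SUBFILTERS]
    doc_timestamps = subfilters.count(DOC_TIMESTAMP_SUBFILTER)
    has_dss = re.search(rb"/Type\s*/DSS\b", pdf) is not None
    certs = _object_refs(pdf, b"Certs")
    ocsps = _object_refs(pdf, b"OCSPs")
    crls = _object_refs(pdf, b"CRLs")

    findings = []
    if not signatures:
        findings.append("no detached signature dictionary")
    elif "ETSI.CAdES.detached" not in signatures:
        findings.append("signature is not ETSI.CAdES.detached")
    if doc_timestamps == 0:
        findings.append("no document timestamp (ETSI.RFC3161)")
    if not has_dss:
        findings.append("no Document Security Store (/DSS)")
    if not certs:
        findings.append("DSS carries no certificates (/Certs)")
    if not ocsps and not crls:
        findings.append("DSS carries no revocation data (/OCSPs or /CRLs)")

    return {
        "signatures": signatures,
        "doc_timestamps": doc_timestamps,
        "has_dss": has_dss,
        "cert_count": len(certs),
        "ocsp_count": len(ocsps),
        "crl_count": len(crls),
        "findings": findings,
        "ltv_material_present": not findings,
    }


# Constructed fragments (not real signed PDFs): the first carries the full LTV
# set named in the text, the second is a bare signature with nothing else.
LTV_SAMPLE = b"""%PDF-1.7
1 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached
  /ByteRange [0 1200 4400 900] /Contents <30820000> /M (D:20240101120000Z) >> endobj
2 0 obj << /Type /DSS /Certs [3 0 R 4 0 R] /OCSPs [5 0 R] /CRLs [] >> endobj
6 0 obj << /Type /DocTimeStamp /Filter /Adobe.PPKLite /SubFilter /ETSI.RFC3161
  /ByteRange [0 5000 8200 600] /Contents <30820000> >> endobj
%%EOF"""

PLAIN_SAMPLE = b"""%PDF-1.7
1 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached
  /ByteRange [0 1200 4400 900] /Contents <30820000> /M (D:20240101120000Z) >> endobj
%%EOF"""

if __name__ == "__main__":
    for label, sample in (("ltv", LTV_SAMPLE), ("plain", PLAIN_SAMPLE)):
        report = ltv_report(sample)
        print(label, "LTV material present:", report["ltv_material_present"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against a real file with `ltv_report(open("signed.pdf", "rb").read())`. Because the check is textual, a document whose objects sit inside compressed object streams will need to be decompressed first, and a passing report still says nothing about whether the embedded OCSP responses were fresh at signing time.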
Privacy by design
Taktikal ehf puts a lot of effort into ensuring the security of users' personal information.
Taktikal ensures that all personal information is handled in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR). Taktikal works closely with lawyers who specialize in privacy and provide advice on the design of the solution. A Data Processing Agreement is an integral part of the customer contract.
Taktikal products using digital signatures have been developed with privacy in mind from the beginning. Taktikal places great emphasis on ensuring the security of data based on privacy considerations, following the "privacy by design" methodology. Data for a signing request is retained only for the short term: up to 30 days from the time the signing request is sent, until the signing process is completed. Once the document is signed, it is stored for a further 30 days, i.e. a maximum of 60 days in total.
All Taktikal employees sign a non-disclosure agreement as part of their onboarding process, and all Taktikal suppliers meet the same requirements.
Access by Taktikal to customer information is only permitted following a written request by the customer and approval by the data owner. Such access is strictly restricted to the Taktikal Security Team, and all actions are audit logged and monitored.
Security measures
Taktikal maintains a documented Information Security Management System that has been independently certified as adhering to the ISO/IEC 27001 information security standard. As part of this, Taktikal keeps an up-to-date list of all assets, assesses risks to those assets and implements mitigation measures, including a disaster recovery plan. Taktikal registers all security events, incidents and non-conformities and organizes and implements measures to prevent a repeat of incidents.
Taktikal's security partner conducts regular audits and penetration tests on all Taktikal systems to ensure that vulnerabilities are detected and eliminated before they reach production. Taktikal also conducts vulnerability scanning via a third-party solution. All Taktikal employees take part in security training as part of their onboarding process, as well as on an annual basis.
Should a security incident occur that involves Customer Data, Taktikal will inform affected customers without undue delay and provide reasonable assistance with notifications to regulatory authorities and/or customers.
Access Control and separation
Each customer's data is logically separated from other customers' data and can only be accessed with that customer's credentials.
Customer portal
User credentials are based on an email address with two-factor authentication. After authentication a session cookie is created that is valid for 7 days, so users are not required to re-authenticate within that time.
Once a Customer has signed up with Taktikal, the Customer's administrators can add users or create a user self-signup URL that is open to anyone within the Customer's domain.
API
The credentials used in communication with the API carry information that populates the request on the server side. This ensures that the user can only retrieve data owned by them.
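The design point above, that the scope of a request is derived from the credential on the server rather than taken from anything the caller sends, is what keeps one customer's data out of another customer's responses. The following Python is an added illustration of that pattern and is not Taktikal's implementation; the API keys, customer ids and document table are constructed for the example. Keys are stored only as SHA-256 digests, the lookup compares digests in constant time, and every query is filtered by the customer id the key resolves to, so a caller cannot reach another customer's documents by changing an id in the request.

```python
import hashlib
import hmac


class AuthError(Exception):
    """Raised when the presented API key is not one that was issued."""


# Constructed sample keys (not real credentials).
KEY_A = "tk_example_key_customer_a"
KEY_B = "tk_example_key_customer_b"


def _digest(api_key: str) -> str:
    # Only the digest is stored server-side, so a leaked table yields no usable keys.
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


API_KEY_TABLE = {_digest(KEY_A): "cust-a", _digest(KEY_B): "cust-b"}

# Constructed document table; every row carries the id of the customer that owns it.
DOCUMENTS = [
    {"id": 1, "customer_id": "cust-a", "name": "Lease agreement.pdf"},
    {"id": 2, "customer_id": "cust-a", "name": "Employment contract.pdf"},
    {"id": 3, "customer_id": "cust-b", "name": "NDA.pdf"},
]


def resolve_customer(api_key: str) -> str:
    """Map a presented key to its customer. The loop always walks the whole table and
    uses a constant-time comparison, so response time does not reveal which digests exist."""
    presented = _digest(api_key)
    match = None
    for stored, customer_id in API_KEY_TABLE.items():
        if hmac.compare_digest(stored, presented):
            match = customer_id
    if match is None:
        raise AuthError("unknown API key")
    return match


def list_documents(api_key: str) -> list:
    """The customer scope comes from the credential, never from a request parameter."""
    customer_id = resolve_customer(api_key)
    return [d for d in DOCUMENTS if d["customer_id"] == customer_id]


def get_document(api_key: str, doc_id: int) -> dict:
    customer_id = resolve_customer(api_key)
    for d in DOCUMENTS:
        if d["id"] == doc_id and d["customer_id"] == customer_id:
            return d
    # Same outcome whether the id belongs to another customer or does not exist,
    # so responses never confirm which ids are in use.
    raise LookupError("document not found")


def can_access(api_key: str, doc_id: int) -> bool:
    """Convenience wrapper: True only when the key is valid and owns the document."""
    try:
        get_document(api_key, doc_id)
        return True
    except (AuthError, LookupError):
        return False


if __name__ == "__main__":
    print("customer A sees:", [d["name"] for d in list_documents(KEY_A)])
    print("customer B can open document 1:", can_access(KEY_B, 1))
```

The contrast with the weak version is that a handler accepting `customer_id` from the query string would let any valid key read any customer's rows; here the id never enters from the client at all.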
Admin Users
Admin users can create and lock users, provide admin rights to the company’s account and allow self-signup for users within listed domains. Admins can also give specific users permission to manage Smart Flows and Fill & Sign documents. For Business and Enterprise plans admin users have access to the API keys used for that customer in the Customer Portal.
Operating environment
Taktikal strives to provide 99,98% uptime of its API and 99,5% uptime of Taktikal frontend services. Partial system errors and third-party downtime are reported in a banner on our portal and signature pages.
A record of Taktikal uptime can be accessed at status.taktikal.is
Taktikal's operational environment is hosted by Microsoft Azure, which maintains an ISO/IEC 27001 certified information security management system. All data is stored within the EU.
Data retention
When a signing process has been started, the signee has 30 days to sign the data. If the data is not signed, the document is deleted once the 30-day period concludes. After the document has been signed it is available in the customer portal for 30 days, after which it is deleted and cannot be retrieved.
Each customer has access to the activity log, which contains personal information regarding the signees of a particular document. This makes it possible for Taktikal customers to see historic data on signees that have signed documents. Taktikal customers can define how long this data retains personal information. The default is not to delete anything from the activity log. If a customer sets a retention limit, the logs are anonymized when that retention limit is reached.
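The two retention rules in this section, deletion of the document itself on a fixed schedule and customer-configurable anonymization of the activity log, are the kind of thing a retention job implements. The Python below is an added example of such a job, not Taktikal's code; the field names, the sample log entries and the redaction marker are constructed for the illustration. The anonymization keeps the non-personal part of each entry (event, document name, timestamp) so the history stays useful while the signee's identity is removed, and `retention_days=None` reproduces the documented default of never deleting from the log.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional

SIGNING_WINDOW_DAYS = 30   # time the signee has to sign
POST_SIGNING_DAYS = 30     # time a signed document stays in the portal

# Assumed (constructed) names of the personal fields in an activity-log entry.
PII_FIELDS = ("signee_name", "signee_id_number", "signee_email", "signee_phone")
REDACTED = "[anonymized]"


def document_deletion_date(sent_at: datetime, signed_at: Optional[datetime] = None) -> datetime:
    """When the document itself is deleted: 30 days after it was sent if it was never
    signed, otherwise 30 days after it was signed."""
    if signed_at is None:
        return sent_at + timedelta(days=SIGNING_WINDOW_DAYS)
    return signed_at + timedelta(days=POST_SIGNING_DAYS)


def apply_log_retention(entries: List[dict], retention_days: Optional[int], now: datetime) -> List[dict]:
    """Return a copy of the activity log in which entries older than the customer's
    retention limit have their signee fields replaced by a redaction marker.
    retention_days=None means no limit is set, so nothing is changed."""
    copied = [dict(e) for e in entries]          # never mutate the caller's log
    if retention_days is None:
        return copied
    cutoff = now - timedelta(days=retention_days)
    for entry in copied:
        if entry["timestamp"] < cutoff and not entry.get("anonymized"):
            for field in PII_FIELDS:
                if field in entry:
                    entry[field] = REDACTED
            entry["anonymized"] = True
    return copied


# Constructed sample data for the example.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SENT_AT = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SIGNED_AT = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    {"timestamp": NOW - timedelta(days=120), "event": "signing_started",
     "document": "Lease agreement.pdf", "signee_name": "Example Signee",
     "signee_id_number": "000000-0000", "signee_email": "signee@example.com",
     "signee_phone": "+354 000 0000"},
    {"timestamp": NOW - timedelta(days=5), "event": "document_signed",
     "document": "NDA.pdf", "signee_name": "Example Signee",
     "signee_id_number": "000000-0000", "signee_email": "signee@example.com",
     "signee_phone": "+354 000 0000"},
]

if __name__ == "__main__":
    print("unsigned document deleted on", document_deletion_date(SENT_AT).date())
    print("signed document deleted on", document_deletion_date(SENT_AT, SIGNED_AT).date())
    for entry in apply_log_retention(SAMPLE_LOG, 90, NOW):
        print(entry["event"], entry["document"], entry["signee_name"])
```

Running the job idempotently matters: an entry that has already been anonymized is skipped, so re-running it on a log that was already processed changes nothing.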
Privacy Policy
Taktikal ehf. (“Taktikal”) ensures the security of users' personal information. Taktikal handles personal information in accordance with Regulation EU 2016/679 (General Data Protection Regulation). Taktikal’s policy is to store and work with as little personally identifiable information as possible in order to be able to provide the services that Taktikal provides. Taktikal guarantees not to use information about users in an irresponsible, insecure or illegal way.
All information provided by the users of Taktikal’s website to Taktikal or that Taktikal obtains with their permission from a third party is thus only collected for the purpose of providing them with the services to which they are entitled unless otherwise stated.
Taktikal processes personal data both in its role as a data controller and as a data processor in accordance with Regulation EU 2016/679 (General Data Protection Regulation); see chapters 2 and 3 below.
1. Personal information
Personal information: The terms “personal data” or “personal information” in this Privacy Policy, mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual. It does not include aggregated or anonymized information that is maintained in a form that is not reasonably capable of being associated with or linked to an individual. Taktikal only processes Personal information for the purpose it is collected.
Platform: The Taktikal cloud-based visual workflow and e-signature platform, the Taktikal desktop or mobile applications and related products, integrations, add-ons and extensions services managed and operated by Taktikal.
Customer: A business customer with a signed contract for Taktikal’s services.
User data: Personal data concerning individuals engaging with Taktikal on behalf of Customers, including Admin users, privacy and billing contacts, authorized signatories, and each Customer’s authorized users of the Platform (collectively, “Users”).
Prospect Data: Data relating to visitors of Taktikal’s websites (including www.taktikal.com), participants at Taktikal’s events, and any other prospective customer, user or partner (collectively, “Prospects”) who visits or otherwise interacts with Taktikal’s websites, digital ads and content, emails, integrations or communications under Taktikal’s control (“Sites”, and collectively with the Platform – the “Services”).
Signing Process: Once a document has been sent to one or more individuals for signing, a signing process is started. That signing process ends when the document/s has been signed by all signatories or 30 days after the signing process was started, even if not all signatures have been collected.
Activity Log: A log of activities related to signing processes that is accessible to Customers and Users. The activity log includes personal information on the signee and information on activities in the signing process, such as when it was started and by whom, whether a document has been viewed and whether a document has been signed. It also includes the name of the document to be signed, but does not include any other information from within the document.
Cookies: A cookie is a small file, which is downloaded to computers when users visit certain websites. Taktikal uses cookies on the website to ensure the best possible user experience. Cookies are used to improve the functionality of the website, for analysis and to direct ads to target groups.
Cookies are used for a variety of purposes, such as remembering what settings a user has saved while browsing Taktikal’s site. Cookies can also be used for security purposes.
Third-party cookies are cookies that are created on sites other than the site you are visiting. Taktikal uses cookies from Hubspot, Google and Facebook only on an open website (such as taktikal.com) and not on the Taktikal service website (app.taktikal.com). These cookies help Taktikal understand how the websites are used or how effective Taktikal’s marketing campaigns are. They help Taktikal improve your site experience and tailor marketing content and advertising to specific audiences.
2. Personal Data processed by Taktikal in its capacity as a Data Processor
When Users upload data, including Personal data, on Taktikal’s Platform and use the services on the platform (“Customer Data”), Taktikal is considered a data processor in GDPR terms. In such cases Taktikal processes personal data on behalf and according to the instructions of the data controller (the Customer) in accordance with Taktikal’s Data Processing Addendum with the Customer.
This applies for instance:
- When a User sends a data subject a document to sign on Taktikal’s platform
- When a data subject fills out a form on Taktikal’s platform
- When a data subject answers a questionnaire on Taktikal’s platform and/or is the subject of connected database lookups.
- When a data subject authenticates their identity through Taktikal’s platform
Documents are stored during a signing process's active state and for 30 days after the signing process ends. Activity logs including information about the signing process, such as the signee name, ID number, email address and phone number of the signee as well as the name of the process may however be stored for a longer time, depending on each Customer’s preferences.
Accordingly, this Privacy Policy – which describes Taktikal’s independent privacy and data processing practices as a “data controller” – does not apply to the processing of Customer Data. If you have any questions or requests regarding Customer Data, please contact the Customer directly.
3. Personal Data processed by Taktikal in its capacity as a Data Controller
When Taktikal is a data controller, Taktikal determines the purposes and means of the processing of personal data.
Taktikal collects the information directly from you when:
- You use the Platform.
Taktikal collects information on your name, email address, personal ID number (for users on the Icelandic portal only), phone number, workplace, permissions, usage, contractual and billing details. Taktikal processes the information to facilitate, operate, enhance, and provide the Services (Performance of Contract; Legitimate Interests); to invoice and process payments (Performance of Contract; Legitimate Interests); and to personalize the Services, including by recognizing an individual and remembering their information when they return to the Services, and to provide further localization and personalization capabilities (Performance of Contract; Legitimate Interests).
- You register for one of Taktikal’s events.
Taktikal collects information on your name, email address and company to be able to contact you regarding the event and derived sales processes.
- You visit Taktikal’s website and consent to the use of cookies, or otherwise interact with Taktikal’s marketing material.
Taktikal collects data, such as IP addresses and approximate general locations derived from such IP addresses, device and application data (like type, operating system, mobile device or app id, browser version, location and language settings used); system logs of actions and events attributed to those IP addresses, devices and applications; the relevant cookies and pixels installed or utilized on your device; and the recorded activity (sessions, clicks, use of features, logged activities and other interactions) of Prospects and Users in connection with the Services.
Taktikal collects and generates this information automatically, including through the use of analytics and system monitoring tools (including cookies and pixels), which collect data such as: how often Prospects visit or use the Sites, which pages they visit and when, which website, ad or email message brought them there, how Users interact with and use the Platform and its various features, and technical data concerning the performance, functionality and stability of the Platform.
Taktikal processes this information to facilitate and optimize Taktikal’s marketing campaigns, ad management and sales operations, and to manage and deliver advertisements for the Services more effectively, including on other websites and applications. Such activities allow Taktikal to highlight the benefits of using the Services, and thereby to increase your engagement and overall satisfaction with the Services. This includes contextual, behavioral and interests-based advertising based on User and Prospect activities, preferences or other data available to Taktikal (Legitimate Interests; Consent); and to contact Taktikal’s Customers, Users and Prospects with general or personalized Services-related messages, as well as promotional messages that may be of specific interest to them (Performance of Contract; Legitimate Interests; Consent).
- You are an employee or job applicant.
Taktikal processes personal information about Taktikal employees in order to be able to pay them for their work. Certain information is necessary to be able to pay wages, e.g. contact information, pay grade, time records, tax bracket, union membership, bank information, pension fund information and debts to the Treasury Collector. Also, the actions of employees in the Platform are recorded in the Activity log for each instance.
If you’re a job applicant, Taktikal processes personal information in order to evaluate your application, e.g. contact information, resumes, cover letters, educational information, employment interview results, third-party reviews and other communications with you.
- You send an enquiry or message, or call Taktikal, through a form on Taktikal’s website, through email or through a phone call.
Taktikal processes only the personal information necessary to respond to you. For instance, when a query arrives by email Taktikal will process information about your name, email address and workplace. Such activities allow Taktikal to highlight the benefits of using the Services, and thereby to increase your engagement and overall satisfaction with the Services. This includes contextual, behavioral, preferences or other data available to Taktikal (Legitimate Interests; Consent).
- You communicate with Taktikal’s help desk.
Taktikal processes personal data for troubleshooting or security purposes (such as investigating a bug or abuse), subject to the User’s prior consent insofar as access to restricted personal data is required to resolve a support issue (Performance of Contract; Legitimate Interests); and to provide Taktikal’s Prospects, Users and Customers with assistance and support, to test and monitor the Services, and to diagnose or fix technical issues (Performance of Contract; Legitimate Interests).
- You enter into a contract with us.
Taktikal processes information about Customers, including those employees that Taktikal communicates with on behalf of the Customer. Such information includes name, email, workplace, position, phone number and ID number. In certain cases Taktikal may collect information about political involvement, company ownership, tax residency, ID and address in order to verify your identity and perform due diligence on the Customer to prevent and mitigate the risks of fraud or any illegal or prohibited activity (Performance of Contract; Legitimate Interests; Legal Obligation).
Taktikal may also receive the information from others when:
- Your employer grants you access to the Portal or lists you as a contact for the company.
Taktikal collects information on your name, email address, personal ID number (for users on the Icelandic portal only), phone number, workplace, permissions, usage, contractual and billing details. Taktikal processes the information to facilitate, operate, enhance, and provide the Services (Performance of Contract; Legitimate Interests); to invoice and process payments (Performance of Contract; Legitimate Interests); and to personalize the Services, including by recognizing an individual and remembering their information when they return to the Services, and to provide further localization and personalization capabilities (Performance of Contract; Legitimate Interests).
- You are a contractor or supplier, or an employee of such an entity.
Taktikal processes the personal information that is necessary, including your contact details and system logs of actions and events where applicable. Taktikal does this in order to monitor your compliance with contractual obligations.
- Your data is involved in a software bug.
Taktikal may process your ID number, name, email address, phone number and device and application data (like type, operating system, mobile device or app id, browser version used), as well as any data included in a signature process owned by a Customer, in order to provide Users and Customers with assistance and support, for troubleshooting or security purposes (such as investigating a bug or abuse), to test and monitor the Services, or to diagnose or fix technical issues (Performance of Contract; Legitimate Interests).
- Taktikal sends you sales or marketing materials.
Taktikal may collect information such as name, workplace, country, position, email address, phone number and other information from organizers of events or promotions that both you and Taktikal were involved in, and through the use of tools and channels commonly used for connecting companies and individual professionals in order to explore potential business and employment opportunities, such as LinkedIn and LeadIQ.
Taktikal does this in order to contact Prospects with general or personalized Services-related messages, as well as promotional messages that may be of specific interest to them (Performance of Contract; Legitimate Interests; Consent); and to explore and pursue growth opportunities by facilitating a stronger local presence and tailored experiences, including through partnerships with local distributors, resellers, business partners and providers of professional services related to the Services (Legitimate Interests).
- You are listed as a reference on a job application.
If a job applicant lists you as a reference on a job application, Taktikal may process any contact information as well as the results of the reference in order to perform due diligence on the possible employee.
Data retention
Taktikal may retain your personal data for as long as it is reasonably needed in order to maintain and expand your relationship with Taktikal and provide you with the Services and offerings; in order to comply with Taktikal’s legal and contractual obligations; or to protect Taktikal from any potential disputes (i.e. as required by laws applicable to log-keeping, records and bookkeeping, and in order to have proof and evidence concerning your relationship with Taktikal, should any legal issues arise following your discontinuance of use) at Taktikal’s reasonable discretion. To determine the appropriate retention period for personal data, Taktikal considers the amount, nature, and sensitivity of such data, the potential risk of harm from unauthorized use or disclosure of such data, the purposes for which Taktikal processes it, and the applicable legal requirements.
4. Data subject rights
If you wish to exercise your privacy rights under applicable law (including the EU or UK GDPR, the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), or the Colorado Privacy Act (CPA)) please contact Taktikal by email at [email protected]. Such rights may include – to the extent applicable to you – the right to know/request access to (specific pieces of personal data collected; categories of personal data collected; categories of sources from whom the personal data was collected; purpose of collecting personal data; categories of third parties with whom Taktikal has shared personal data), to request rectification or erasure of your personal data held with Taktikal, or to restrict or object to such personal data’s processing (including the right to direct Taktikal not to “sell” or “share” your personal data to third parties now or in the future), or to obtain a copy or port such personal data, or the right to equal services and prices (e.g. freedom from discrimination). If you are a GDPR-protected individual, you also have the right to lodge a complaint with the relevant supervisory authority in the EEA or the UK, as applicable.
Please note that when you ask Taktikal to exercise any of your rights under this Privacy Policy or applicable law, Taktikal may instruct you on how to fulfill your request or require additional information and documents, including certain personal data and credentials in order to process your request in a proper manner (e.g. in order to authenticate and validate your identity so that Taktikal knows which data in the systems relates to you, and where necessary, to better understand the nature and scope of your request). If your request relates to personal data that may be processed on behalf of Customers, as their “data processor” or “service provider”, note that such Customer exclusively determines how such data is processed, as well as if and how your request should be handled – so Taktikal advises that you submit your request directly to them. Taktikal will not fulfill your request unless you have provided sufficient information that enables Taktikal to reasonably verify that you are the individual about whom Taktikal collected the personal data, and that such data is processed on behalf of any Customers, so that Taktikal may forward it to such Customer for their further handling. Such additional information will be then retained by Taktikal for legal purposes (e.g. as proof of the identity of the person submitting the request, and of how each request was handled).
Taktikal may redact from the data which Taktikal makes available to you, any personal or confidential data related to others.
5. Information to third parties
Taktikal will not hand over, sell or rent personal information to third parties unless Taktikal is obliged to do so by law or at the request of the responsible party or the user to whom the data belongs. Taktikal has several sub-processors that may have access to personal data, depending on each of their specific roles and purposes in facilitating and enhancing the Services or other activities, and may only use the data as determined in Taktikal’s agreements with them. A description of that data and the processors may be requested by emailing [email protected].
6. Information Security
Taktikal has established an information security management system to protect personal information. The information security management system complies with the requirements of ISO/IEC 27001:2013 for the following scope: “Taktikal standard cloud-based services for e-signatures, e-sealing, e-identification and related software development and delivery including people and processes.”
7. Limitation of liability
To the extent permitted by applicable law, Taktikal is not liable for any incidents that may arise due to how the service is used or provided, unless such incidents can be traced to culpable negligence or misconduct by Taktikal.
8. Law and jurisdiction
This privacy policy is governed by Icelandic law. Disputes arising from or in connection with the privacy policy shall be resolved before the Reykjavík District Court if they cannot be resolved in any other way.
9. Changes
Taktikal reserves the right to change and update this Privacy Policy at any time. Changes are announced on Taktikal’s website or by e-mail to customers.
10. Contact information
Taktikal is located at Borgartún 25, 105 Reykjavík, Iceland. Taktikal’s email address is [email protected] and the phone number is +354 552 5620. You can contact Taktikal’s Data Protection officer at [email protected].
11. List of sub-processors
A list of sub-processors may be requested by sending an email to [email protected].