iKokoon is a product of the Dynamix Group and has been developed by Dynamix IT Services SRL.
iKokoon takes personal data protection seriously respecting the General Data Protection Regulation (GDPR).
This document servers also the purpose for all websites owned by Dynamix Group to cover the legal requirements of the GDPR. Therefore, iKokoon refers where applicable also to Dynamix Group legal entity or its websites.
Our mission is to provide iKokoon clients and the iKokoon community with a reliable software which allows fulfilling all duties of Data Processors efficiently.
As Data Processor, can I be compliant with the GDPR using iKokoon?
Is the iKokoon cloud product service compliant with the GDPR?
Has iKokoon all GDPR needed security processes in place?
iKokoon is a product of the Dynamix Group.
“Data Protection Law” means any laws applicable to you or Microsoft, relating to data security, data protection and/or privacy, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to processing of Personal Data and the free movement of that data (“GDPR”).
“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly by referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Data Controller – the entity determining purposes, conditions, and meaning of processing personal data. In this document, it is your organization.
Data Processor – the entity that processes data on behalf of the Data Controller.
In this document:
iKokoon cloud version: iKokoon is, in terms of the GDPR, the Data Processor. The data is processed based on rules setup by you in your iKokoon tenant of the cloud application.
iKokoon on premise: iKokoon is not a Data Processor, but will help you to setup and organize your data properly.
iKokoon is an application which may or may not be used to process data by the Data Controller.
Each party will comply with Data Protection Law (as defined below). Without limiting the foregoing, each party will:
not use or share Personal Data received from the other party for a purpose for which it has not obtained consent;
establish independent procedures for managing and responding to any communication from a customer seeking to exercise its rights under Data Protection Laws;
provide reasonable assistance to the other in responding to any requests, investigation, consultation, or claims from a customer, regulator, or supervisory authority concerning Data Protection Law;
take appropriate security measures that are required by Data Protection Law, and in accordance with good industry practice relating to data security; and
refrain from transmitting unsolicited commercial communications in any manner that would violate applicable laws.
Dynamix IT Services SRL as the developing company of iKokoon is assisting Data Controllers fulfilling their GDPR obligations.
As cloud client you are informed hereby, about iKokoon as Data Processor.
iKokoon is fully compliant with GDPR requirements.
3. iKokoon – Data Controllers
iKokoon brings following features to increase data security and specific demand of GDPR to Data Controllers.
Extended Password Policy Obligation
use minimum length, usage of big letters, numbers and special characters in the password
time limit for password validity and password repetition control
auto sign-off user after a period
re-enter your password once manipulating with user roles and privileges
GDPR specific features
Right to be Forgotten: Deleting resource data is a traditional feature but it may disturb data consistency, reports etc. There is a possibility to have resource data linked to modules and their instances and teams. Also, it would corrupt data about your resource profiling. Resource anonymization would allow deleting data from resources, users or contact data which allows identifying the individual, but anonymous data about services, tasks and other linked to the anonymized data will stay.
Right to Access: A specific button which would export resource data details in automated readable format (XML) would fulfill your obligation to provide individual information regarding collected data.
Limited data visibility – it is a critical requirement of GDPR asking Data Controllers to limit access to personal data only to those people they need to have access. iKokoon brings couple approaches to this problem:
A limitation to access resource data in general.
A limitation to access resource data only for by specific roles. Typically, everyone can access company data (companies are not subject to GDPR) and limit access to resource data only to users having a specific role. Users or Team Members without the resource permissions may see the linked resource name without seeing data of personal identification.
Custom field visibility – certain data can be restricted to be seen only by
User / list of users
User group / list of user groups
User type / list of user types
User Action Audits
iKokoon provides logs about user actions including view actions.
iKokoon logs can usually only be viewed by the user himself or the team the user is part of (historical views)
iKokoon helps you to manage logs.
Data Controller – GDPR Compliance with iKokoon
Identify all Personal Data you collect in iKokoon.
Setup internal regulations on how to use data in iKokoon. The recommended approach is to store personal identifying data only in resources.
If you like to use anonymization you shall have a regulation that all personal data is stored only in resource data.
Identify what data are subject for deletion due to anonymization.
Decide what resource data iKokoon users need to access. The access can be limited via permissions and roles.
Identify what data outside of resource data needs to be protected and set data visibility and accessibility accordingly.
Increase password policy enforcement of iKokoon.
We recommend defining a template which would formalize all steps to delete personal data from iKokoon with all details. Once a request comes you can simply document that all steps were done according to your internal process.
Setup a rule of keeping user audit data (logs) and configure accordingly in iKokoon.
4. iKokoon (SaaS)
Dynamix Group provides iKokoon as cloud based software-as-a-service. Here iKokoon acts as Data Processor. As such iKokoon fulfills GDPR requirements as follows:
iKokoon Software implemented technical and process measures to limit potential access to data only on exceptions and requested occasions.
If you are an EU organization, it is guaranteed that your iKokoon database tenant instance (and so data and their backups at disaster recovery sites) are stored within the EU.
iKokoon uses only verified Data Centers with high-end security and all relevant ISO certifications. Details can be provided upon request.
Regular backups, https for browsers, SSH-2 encryption is used for the backup transfer. Firewall limited to HTTPS and other regular settings are meeting GDPR requirements. If you need more information please require these from our technical support team.
Security can be further increased with iKokoon private cloud service, i.e. individual security can be extended by a specific configuration of the dedicated server.
Dynamix IT GmbH is a German company but the GDPR regulation was implemented in all aspects of an organization and for all products and services.
5. iKokoon – Personal Data
iKokoon is a business-to-business application, i.e. all collected data supports iKokoon services for businesses and organizations.
As per GDPR regulation, there is data of individuals collected under the protection of the GDPR.
5.1. Personal data collected
all data within the resource section
jobs, skills and related information
history of visiting iKokoon
history on tasks, achievements, timesheet (i.a. working time, costs, holiday, absence) and travel. All details can be provided on request.
5.2. Purpose of data collection, processing, and profiling
iKokoon collects data for following scopes and purposes:
setup a commercial co-operation with organizations.
provide service for existing customers and organizations.
inform customers and potential customers about new features functions, releases and other messages of both informational and marketing character.
all information collected about individuals are gathered through contact forms.
iKokoon does not possess or use data about individuals from external sources.
Data combination and profiling:
iKokoon does not profile any individuals, all data collected serves as contact information.
iKokoon profiles organizations for marketing and business purposes. Not subject to these analyses.
iKokoon combines all data in the own information system (iKokoon). Other systems use only data fragments and hence are not considered as data under GDPR.
See further details on the Data Protection and Privacy section of this website.