Last Modified: March 10, 2022
Customer data handling
How do we handle your data?
Luscii assures compliance with the GDPR with regards to data processing, as a Data Controller, as well as a Data Processor on behalf of her customers. Within Luscii, we adhere to the principles of personal data processing according to article 5 of the GDPR:
- Lawfulness, fairness and transparency: Luscii's personal data processing activities are in accordance with the GDPR, and are transparent for external parties.
- Purpose limitation: Luscii can only collect data for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The purpose of data processing must be clear at all times, and is contained within our Privacy Policy and data processing agreements with our customers.
- Data minimization: Data collected by Luscii must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Luscii processes only the data it needs for its Products and internal organization to function.
- Accuracy: Data is accurate and, where necessary, kept up to date; Luscii takes steps to ensure that personal data that are inaccurate, with regard to the purposes for which they are processed, are erased or rectified without delay.
- Storage limitation: data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for scientific research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
- Integrity and confidentiality (security): Luscii must process data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Accountability: Luscii ensures that she, as a Controller as well as a Data Processor, is able to demonstrate compliance with the aforementioned principles.
What data does Luscii collect on behalf of its customers?
In order to provide our service, Luscii collects personally identifiable data from your patients and healthcare providers. With regards to patient, this includes (sensitive) health data related to the specific program for which the patient is enrolled. The complete list of data processed for your organization is detailed in the data processing agreement.
Who controls the data?
The personal data processed by Luscii on behalf of its customers will always remain under the control of the healthcare provider, who is the designated Data Controller. Luscii is the Data Processor.
Where does Luscii store your data?
Data processed within the Luscii-app is mainly stored on virtual private servers managed by Amazon Web Services (AWS). AWS is ISO9001, ISO27001, ISO27017, ISO27018 certified which provides ample security guarantees. Data, including sensitive personal identifiable information (or 'PII') is physically stored in AWS data centers in Frankfurt (Germany). Sharing of data exports, including sensitive PII, at the customer’s request is done via Google servers exclusively based in the European Economic Area.
Besides AWS, Luscii uses other sub-processors to provide our services and process certain personal data. We make sure that the personal data that is processed by sub-processors is handled properly and in line with applicable law. To that end, we have data processing agreements (DPA's) in place with all of our sub-processors.
Luscii in some cases transfers data outside of the European Economic Area (EEA). In addition to contracting with sub-processors through Standard Contractual Clauses (SCC’s), Luscii requires that these subprocessors have implemented additional safeguards. When transferring personal data outside the EEA, Luscii verifies, on a case-by-case basis and in collaboration with the sub-processors, whether they ensure a level of protection for the personal data that is equivalent to the EEA’s protections.
Below is a list of services Luscii uses:
| Company | Sensitive PII | Transfer outside EEA? | SCC's? | Security measures |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Yes | No | N.A. | https://aws.amazon.com/products/security/ |
| Branch Metrics | No | Yes | Yes | https://branch.io/security/ |
| Google Firebase / Analytics | No | Yes | Yes | https://firebase.google.com/support/privacy?authuser=0 |
| Google Workspace | Yes | No | N.A. | https://services.google.com/fh/files/misc/google-cloud-security-foundations-guide.pdf |
| Hubspot | No | No | N.A. | https://legal.hubspot.com/security |
| Productboard | Yes | No | N.A. | https://www.productboard.com/product/security/ |
| Vidyo | No | No | N.A. | vidyo.com/video-conferencing-solutions/product/desktop-video-calling/secure-video-conferencing |
| Zapier | No | Yes | Yes | https://zapier.com/help/account/data-management/data-privacy-at-zapier |
| Zivver | Yex | No | N.A. | https://www.zivver.com/security |
What periods of storage does Luscii adhere to when it comes to personal data?
As a default setting, Luscii retains personal data processed in the Luscii Platform for two years after the end of the contract with the healthcare provider. The healthcare organisation may instruct Luscii to use alternative retention periods as a part of the data processing agreement. Upon expiration of the retention period, Luscii will transfer the personal data to the healthcare organisation and shall permanently remove the personal data. The healthcare organisation is responsible for retaining personal data in the medical files in accordance with the applicable (healthcare) laws.
Who has access to the data?
Access to information is always granted on a need-to-know basis and is regularly reviewed according to the principle of ISO 27001 on access rights. All employees receive training on data privacy and security.
Luscii’s engineers have full access to our databases. This is necessary for the development and maintenance of our systems. All engineers have a bachelor and/or master degree in computer science or a related discipline and have signed a confidentiality agreement.
Employees with specific supporting roles have access to the information of your users (patients and healthcare practitioners) in order to assist them in the use of the platform.
All other employees, as a rule, do not have access to your users information.
How is data shared with respect to EMR integration?
When the Luscii App is set up to integrate with your EMR software, there are two flows of data:
- Patient information (name, birth date, etc.) from the EMR to the Luscii App for the onboarding of the patient. This is secured with TLS (https) and authenticated with SAML.
- Alerts and measurements from the Luscii App to the EMR, secured with TLS (https) and authenticated with SAML.
We are closely cooperating with EMR vendors to integrate our products responsibly and securely.
Can Luscii provide a DPIA?
Under the General Data Protection Regulation (GDPR) a data controller is obliged to carry out a data processing impact assessment (DPIA) when an intended data processing activity is likely to result in a high risk to the rights and freedoms of individuals. Luscii processes the personal data of patients as a data processor. The healthcare providers individually act as data controller. We have developed a DPIA factsheet to help our customers comply with this obligation. This document is available on request.
How are data leaks detected and handled?
We use the following logging, monitoring, and audit systems setup: Kibana logging, AWS CloudTrail and AWS CloudWatch. This allows us to quickly detect when a data leak has occurred.
In the event of a data leak, we comply with the GDPR requirements: Luscii will notify the affected healthcare organisations of any personal data breach without undue delay after becoming aware of it and where feasible no later than 24 hours after the leak.
Website visitors and applicants
All information on data processing by Luscii as a Data Controller can be found in the Privacy Policy here.