Our main priority at GO4CLIC GROUP SL is to ensure the security of our clients' data. This security section provides a detailed overview of the practices implemented to achieve this goal.
Our methodology encompasses everything from risk identification to the implementation of preventive and corrective measures in risk analysis, security measures, and regulatory compliance.
The purpose of the Security Policy is to establish the necessary framework to protect information resources from internal or external threats, whether deliberate or accidental, ensuring the confidentiality, integrity, and availability of information.
GO4CLIC GROUP SL is GDPR compliant.
We manage the information provided by interested parties to manage the business relationship, from contract execution to maintaining contact and sending commercial communications electronically.
Personal data will be retained for as long as the business relationship is maintained and up to five years after the last transaction or service termination. No automated decisions will be made.
To exercise your rights to request your data and/or its deletion, please send an email to firstname.lastname@example.org. You can also contact the Spanish Data Protection Agency (www.aepd.es) for additional information or to file a complaint.
All of go4clic's infrastructure is hosted on AWS (Amazon Web Services) Data Centers, where the highest standards of security, monitoring, data processing, data integrity, availability, redundancy, change management, and data retention are established.
Thanks to the shared responsibility model, go4clic benefits transitively from the controls, reports, standards, and certifications of the underlying infrastructure. The following list details the controls, reports, standards, and certifications:
Service Organization Controls (SOC-1) / International Standard on Assurance Engagements (ISAE) 3402, SOC-2, SOC-3.
Federal Information Security Management Act (FISMA), Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), and Federal Rial and Authorization Management Program (FedRAMP)
International Organization for Standardization (ISO) 9001, ISO/IEC 27001, and ISO 27018
IMPORTANT: We are working on creating our own certifications regarding the layer of our software.
go4clic is hosted on AWS (Amazon Web Services), pioneers in providing Cloud Computing services.
Specifically, we use RDS for storing our main database, where our users' personal data resides. To comply with GDPR, it is located within the EU (European Union) region, specifically in the Spain (eu-south-2) availability zone.
To ensure optimal disaster recovery with the shortest possible time window, go4clic performs periodic backups of the entire main database instance through snapshots, with a retention period of up to 7 days.
These backups are performed in a Multi-Zone form, guaranteeing data recovery in the event of disasters in a specific availability zone. The alternate zone used is Paris (eu-west-3).
All information sent and received from end-users is encrypted in transit using an RSA / SHA-256 encryption mechanism.
All endpoints comprising the go4clic API are accessible via TLS/SSL only.
Through Let's Encrypt dedicated SSL certificates are generated for each of the customized domains and those of *.go4clic.com.
Security Breach Policy
At GO4CLIC GROUP SL, we take security breaches seriously. Our rigorous procedure includes detailed analysis, immediate notification to authorities and affected parties, and the implementation of measures to mitigate risk.
At go4clic, we strive to keep all services and dependencies updated to the latest possible version, ensuring that bug fixes and corrections of possible vulnerabilities are kept up to date.
go4clic uses mechanisms to record events that occur from user interaction with our application.
Short-term logging system: allows us to detect circumstantial and random failures.
CloudWatch: allows us to record all events that occur with the resources of our infrastructure, enabling us to perform detailed active monitoring of our infrastructure resources, as well as configure overload alerts for passive monitoring.
Sentry: allows us to keep track of unexpected failures to act immediately. Additionally, it allows us to track how optimized database queries are.
We implement internal security measures, including receiving cybersecurity newsletters, regular training for staff, and reviewing access controls, to ensure both the integrity of our systems and data, and access to third-party tools used for daily work.
We implement password policies that allow us to define a specific and reinforced key scheme, which allows us to avoid the use of key storage tools, which are continuous hacking targets.
Thanks to our continuous monitoring, high availability, and stability of the underlying AWS infrastructure, we have an average uptime of 99.9% for all our services.
Additionally, we perform redundant monitoring through the Uptime Robot and HetrixTools, tools, allowing us to immediately become aware if any service becomes inactive, and thus take appropriate actions as soon as possible, minimizing downtime.
Authentication and Authorization
Access to our clients' data is limited only to authorized employees, which is necessary to perform daily work. All data served by go4clic is 100% protected by the use of the HTTPS.protocol.
Additionally, the platform operates through different levels of granular permissions. An owner user is the only one authorized to manage subscription billing data to go4clic and establish high-level configurations such as creating and managing academies. In turn, this user can grant access to users as administrators of such academies, who can perform the same operations, and they can grant granular access to other users such as mentors and participants within the desired trainings.
To comply with FUNDAE, administrators can even grant permissions to training inspectors (read-only users).
For any operation on the platform, the user must be authenticated. To do this, initially, the user must log in, at which point they are granted an access key (access token) that allows them to access only the data they have access to.
To comply with security standards regarding password protection, go4clic applies a hashing mechanism as a method for securely storing users' passwords.
All go4clic collaborators sign a confidentiality agreement upon joining the company.
Confidentiality is paramount at GO4CLIC GROUP SL. We are committed to safeguarding our clients' information.
Therefore, go4clic and the client undertake to keep confidential the existence and content of all documentation and information provided, transmitted, or disclosed, and not to make it public without the prior written authorization of the other party.
What does go4clic consider Confidential Information?
Enumeratively but not limited to, Confidential Information shall be understood to include information relating to customer data, its existence, structure, promotion and sales plans, source codes and object of computer programs, systems, techniques, inventions, processes, patents, trademarks, registered designs, copyrights, know-how, trade names, technical and non-technical data, drawings, sketches, financial data, plans regarding new products, data regarding customers or potential customers, as well as any other information used in the business scope of go4clic and the Client.
How long will the confidentiality duty last?
The obligation of confidentiality shall subsist even after the resolution, for any reason, of the contractual relationship between the parties without generating any type of compensation.
What would happen if confidentiality obligations were breached?
Failure to comply with the confidentiality obligation assumed in this agreement or the return of the Confidential Information established above shall entitle either party to claim the full amount of damages caused by such breach.
Payment Card Industry Data Security Standards (PCI DSS)
All payments made to go4clic are managed by Stripe.. Details about their security configuration and PCI compliance can be found on the Stripe security page.