General Data Protection Regulation (GDPR)
This documentation is intended to shed light on the rules within Second. Please keep in mind that it is your contract that governs the limitation of liability between you and Second and not this docum
Why
The GDPR, or General Data Protection Regulation, is the set of rules governing how companies process the personal data of individuals (data subjects) within the European Union.
The GDPR defines the responsibilities of organizations for ensuring the confidentiality and protection of personal data, and it grants data subjects certain rights.
It also gives regulators the power to demand evidence of compliance (the accountability principle) and to impose fines where an organization does not meet GDPR requirements.
The GDPR applies equally to companies established in the European Union and to companies established outside Europe that process the personal data of people in the EU, which removes an unfair competitive advantage for the latter.
For which services
For all marketplace services.
Second integrates Cookiebot natively on every platform for cookie consent management.
Our customers, the operators of each platform, remain solely responsible for applying the GDPR on their platform.
At Second, we have kept our responsibility to a minimum. We can help platform administrators with their requests concerning user data, since we have access to the tools, but handling those requests is not our responsibility.
Keep in mind that the person primarily in charge of user data remains the customer: the administrator of the platform.
How the GDPR applies to Second
Purpose limitation
Definition: Personal data can only be collected and processed for specific, explicit and legitimate purposes.
At Second we collect the data for:
User accounts
Listing creation and publication
Booking creation
Payments
KPIs (usage metrics)
Lawful legal basis
Definition: The processing must correspond to one of the legal bases provided for by the GDPR (legal obligation, contract, legitimate interest, consent...). When the processing is based on consent, it is important to ensure that it has been validly collected.
Second relies on Article 6(1)(b) of the General Data Protection Regulation: the processing is necessary for the performance of the contract to which the customer has subscribed.
Information of the persons concerned
Definition: Data subjects must be informed in a precise and transparent manner before the processing is implemented. Various information must be communicated to them: purposes, legal basis, retention period, rights of access and rectification, etc.
Second informs employees, customers, and users through contracts and through general pages on the platform, such as the cookie policy and the general terms and conditions of sale.
Data security
Definition: Technical and organizational measures must be put in place to guarantee a level of security adapted to the risk (pseudonymization, encryption, confidentiality clauses, access authorizations, backups, logging, audits, etc.). The risks to be taken into account include destruction, alteration, disclosure, and unauthorized access.
At Second, we run security checks on the platform every week, and we also have security procedures in the office covering computer access and more.
Transfer of data outside the EU
Definition: Such transfers must be supported by specific safeguards (for example, standard contractual clauses) if the third country does not offer an adequate level of protection.
None of the data we process leaves the European Union.
Internal procedures
Procedures for handling complaints and requests from data subjects (right of access, rectification, objection, portability, etc.)
To illustrate this point, here is an excerpt from our data protection charter:
“Second is not a data company. We do not exploit our customers' data nor their users' data, and therefore we have no economic interest in any data processing activity.
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights related to automated decision making and profiling”
Data security: data breach notification and management procedures, etc.
Email for password level of security
Weekly security check (Detectify)
Relations with subcontractors (service providers, suppliers, etc.): procedures for contracting, auditing, etc.
The contracts define the limits of each party's responsibility.
Awareness and training of the company's personnel regarding the regulation and personal-data issues
Security documentation is accessible to all company personnel on Confluence; during onboarding, and once a year thereafter, every employee must pass a test to stay up to date.
Data protection by design and by default: taken into account when designing an application, a new processing activity, …
Security is taken into account at each step of the development process.
Password Management Policy
The password management policy at Second follows several rules in order to be compliant.
When creating a new password, make sure it meets all of the following requirements:
Minimum password length: 10 characters (this minimum can be increased)
It must contain at least:
1 uppercase character (A-Z)
1 lowercase character (a-z)
1 digit (0-9)
1 special character
The new password must be different from the previous one
The password must not contain the first part of the user's email address (the local part, before the @)
Passwords have no expiration date.
Users do not have to change their password at first login, because the password is not generated by the application but chosen by the users themselves.
Users have 10 unsuccessful login attempts before they are locked out for 10 minutes.
Second does not allow the reuse of any of the last 8 passwords created on the application.
Passwords are not known to employees or subcontractors.
Stored passwords are protected with Symfony's default password hasher: in practice, with the libraries installed by the default setup script, this is sodium (Argon2), or more rarely PBKDF2. The cryptographic salt is generated and embedded by these algorithms. In short, Symfony best practices are followed.
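The following is an added example that is not part of Second's code base and not Symfony code; it shows how the rules above fit together in working form: the complexity checks, the ban on the email's local part, the 8-deep history compared against stored hashes rather than plaintext, and the 10-attempts / 10-minute lockout. It assumes PBKDF2-HMAC-SHA256 with a random per-user salt as a stand-in for the sodium/Argon2 hasher (the Python standard library has no Argon2), a deliberately low iteration count for a quick run, and the constructed email address and passwords shown in the `__main__` block; the names `Account`, `policy_violations`, `hash_password` and `verify_password` are this example's own.

```python
import hashlib
import hmac
import os
import re
from collections import deque
from typing import Deque, List, Optional, Tuple

# Policy figures taken from the page: minimum length 10, one upper, one lower,
# one digit, one special character, no reuse of the last 8 passwords, no local
# part of the email address, 10 failed logins -> 10-minute lockout.
MIN_LENGTH = 10
HISTORY_DEPTH = 8
MAX_FAILED_ATTEMPTS = 10
LOCKOUT_SECONDS = 10 * 60

# Assumption: PBKDF2-HMAC-SHA256 stands in for Symfony's sodium/Argon2 hasher.
# The iteration count is kept low so the demonstration runs quickly; raise it
# (or use Argon2id) in production.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def policy_violations(password: str, email: str) -> List[str]:
    """List every rule of the policy that the candidate password breaks."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase character")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase character")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    local_part = email.split("@", 1)[0].lower()
    if local_part and local_part in password.lower():
        problems.append("contains the local part of the email address")
    return problems


class Account:
    """Minimal account model: hashed password history plus lockout state."""

    def __init__(self, email: str, password: str) -> None:
        self.email = email
        # Newest entry is the active password; maxlen enforces the 8-deep history.
        self.history: Deque[Tuple[bytes, bytes]] = deque(maxlen=HISTORY_DEPTH)
        self.failed_attempts = 0
        self.locked_until = 0.0
        self.change_password(password)

    def change_password(self, new_password: str) -> None:
        problems = policy_violations(new_password, self.email)
        # "Different from the previous one" and "not one of the last 8" are both
        # checked against stored hashes, so no plaintext history is ever kept.
        if any(verify_password(new_password, s, d) for s, d in self.history):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if problems:
            raise ValueError("; ".join(problems))
        self.history.append(hash_password(new_password))

    def login(self, password: str, now: float) -> str:
        """Return 'ok', 'wrong' or 'locked'; `now` is injected so no real clock is needed."""
        if now < self.locked_until:
            return "locked"  # no credential check while locked, so attempts are not counted
        salt, digest = self.history[-1]
        if verify_password(password, salt, digest):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.failed_attempts = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    acct = Account("alice@example.com", "Str0ng!Pass")
    print([acct.login("guess", 0.0) for _ in range(10)])        # nine 'wrong', then 'locked'
    print(acct.login("Str0ng!Pass", 1.0), acct.login("Str0ng!Pass", 601.0))  # locked ok
```

Two design points worth noting: a login attempt made while the account is locked is rejected before any hashing, so an attacker cannot use the lockout window to burn CPU on the server, and the history check verifies the candidate against each stored salted hash, which is what makes "not one of the last 8" possible without retaining anything an employee or subcontractor could read.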
With the Audit bundle enabled, every change of entity state is stored and logged, together with the account responsible for the change, including its login address. This applies to users, managers, and administrators. Interventions by technical operators are traced through the Bitbucket version control system.
The above-mentioned logs have no expiration date.