General Information
1. This Data Pro Statement is applicable for:
Ultimo Software Solutions bv (NL/BE), Ultimo Software Solutions Ltd.(UK), Ultimo Software Solutions GMBH(DE).
Head Office address:
Ultimo Software Solutions
Waterweg 3
8071RR Nunspeet
The Netherlands
For any questions regarding this Data Pro Statement or data protection you can contact:
Name: Erik Riphagen
Position: Team Leader IT Services
E-mail address: erik.riphagen@ultimo.com
Telephone: +31(0)341 423 737
2. This Data Pro Statement has been in force since 1 October 2020, version 2.0
The Security Measures described in this Data Pro Statement will regularly be monitored to ensure they are up-to-date and suitable for securing the Client Personal Data. Client will be kept informed about new versions through Data Processor’s regular communication channels.
3. This Data Pro Statement applies to the following products and services of Data Processor
Product A: All software products offered by the Data Processor.
Service A: Support and update activities.
Service B: Service activities
Service C: Hosting services specifically for SaaS users.
4. Description of products & services
Product A: All software products offered by the Data Processor used by customers for asset management and related (IT, Facility) purposes, like Ultimo Essentials, Professional, Premium and Enterprise, all interfaces and other related software products.
Service A: Delivery of support and update work for the proper operation of the software products.
Service B: Delivery of services, including consultancy, implementation, training and advice, for the proper operation of the software products.
Service C: Delivery of hosting services specifically for the use of the products on the basis of SaaS.
5. Intended use
Product A has been designed and structured to process the following type of Personal Data:
Personal Data will be registered for the reasonably normal operation of work and management processes in the Ultimo software products. Ultimo Software offers Client the option to register Personal Data for identification of reporters, processors and managers of assets (for example) and activities in areas like Technical, IT and / or facility management.
Personal Data that can be processed for Client:
- Name, organization or organizational unit, e-mail address and any other name and address data which can be registered in the standard Ultimo configuration.
- The software product is not adapted to process special categories of Personal Data (as per Article 9 GDPR), information relating to criminal convictions or offences or other sensitive information – the software product is only intended to capture basic information required for the registration and processing of activities in the fields of facility, IT management, and / or technical management.
Services A and B have been designed and structured to process the following type of Personal Data:
Personal Data can be processed by viewing, which may be necessary for performing (for example) support and test activities, configuration work or importing / converting data files in Ultimo software products.
Service C has been designed and structured to process the following type of data:
Supporting SaaS services by sub-processors for the proper operation of the Ultimo software products. Furthermore, Personal Data will not be viewed or processed.
These services do not take into account the processing of special Personal Data nor are they intended to process data regarding criminal convictions or legal offences. Processing of these data by Client with the product or service described above is for the assessment of Client.
6. On designing the product/service Data Processor implemented ‘privacy by design’ in the following manner:
- Access to Personal Data can be restricted by setting authorizations.
- Private Personal Data and business Personal Data can be separated starting version 2018R2.
- Anonymization of Personal Data can be implemented starting version 2018R2 at the assessment of Client if a database required for consultancy or support activities is sent by or to Ultimo.
- Default settings are available for the retention period of Personal Data.
7. Data Processor uses the Standard Clauses for Processing for processing actions that can be requested from Data Processor.
The following Client Personal Data will be processed:
- Name, organization or organizational unit, e-mail address, and possible other name and address data that will be registered in the standard software products or Data Processor.
- This does not concern special categories of Personal Data as intended in Article 9 GDPR or other sensitive information, because it concerns basic information needed for the registration and processing of activities in the fields of facility, IT management, and / or technical management.
8. Data Processor processes Client Personal Data within the EU / EEA.
9. Data Processor engages the following sub-processors:
- Entities affiliated with data processor
- Sentia Netherlands BV (SaaS)
- Microsoft (Azure) (SaaS)
- NetRom (update support)
- NCC Group (Escrow provider)
A (sub) data processing agreement has been entered into with this sub-processor to offer an appropriate level of protection for Client Personal Data. Client Personal Data will be processed on servers of sub-processor within the EU / EEA.
10. Data Processor supports Client in the following manner upon request:
By default, software products of Data Processor offer the option to view, change and remove Personal Data in a regulated manner and with the right level of authorisation. It is also possible to export Personal Data from the Ultimo Customization Tool if requested.
11. After the termination or expiry of the Agreement:
Data Processor shall delete the Client Personal Data in such a way that the Client Personal Data can no longer be used by Data Processor and is rendered inaccessible.
After termination or expiry of the Agreement the ‘Ex-customer procedure’ shall commence, in which arrangements will be made with Client concerning the deletion.
12. After the termination of the Agreement with Client:
Data Processor returns all Client Personal Data he processes for Client in the following manner:
See also 4.3 of our privacy policy. The Client Personal Data will be destroyed within 28 days after the Agreement is terminated. At the end of this period of 28 days, the privacy policy will also be terminated.
Security policy
13. Data Processor has taken the following Security Measures to ensure the security of its products and services:
- Ultimo has taken its security measures based on: ISO 27001 and NEN 7510 standards and has a Statement of Applicability which can be requested by Client.
- The data centres in which Personal Data are managed, are ISO 27001 certified.
- Security is checked periodically by means of audits and third parties Penetration tests.
For more information about the technical or organizational measures, please contact us.
14. Data Processor complies with the Information Security Management System (ISMS):
- ISO 27001
- NEN 7510
15. Data processor has the following certificates
- ISO 27001
- NEN 7510
Data breach procedure
16. Data Processor will at all times have a written procedure on hand
The written procedure on hand enables Data Processor to provide Client with a prompt response in the event of a personal data breach and to collaborate effectively to deal with the incident.
On request Data Processor will submit this procedure for inspection. The following people are primary contacts with Client and Data Processor in case of an incident.
Primary contact Data processor:
Name: Erik Riphagen
Position: Team Leader IT Services
E-mail address: erik.riphagen@ultimo.com
Telephone: +31(0)341 423 737
In the absence of first contact:
Position: Manager Customer Support Services
Name: Peter Paul Schreuder
E-mail: peterpaul.schreuder@ultimo.com
Telephone number work: +31 (0)341 423 737
