Certifications

GDPR

The GDPR (General Data Protection Regulation) is the new European framework for the processing and circulation of personal data. This text, applicable from 25 May 2018, which standardises the legislation of the European Union Member States on personal data, is intended to give all EU residents more control over their personal data, to make data controllers more responsible while reducing their prior formalities with regulators and to strengthen the role of Data Protection Authorities.

This compliance has been verified and validated by the Racine Law Firm, which specialises in the digital field. The Racine Law Firm also serves Pineappli as a delegated DPO (Data Protection Officer).
This new role, provided for in Articles 37 and following of the GDPR, is mandatory.

Its missions are as follows:
– informing and advising the members of the entity on the legal obligations regarding data processing
– monitoring compliance with the GDPR
– advising, upon request, on privacy impact assessments and verifying their execution
– cooperating with the competent Data Protection Authority
– being the point of contact with this Authority on matters relating to processing, including consultation on privacy impact assessments
– being the interlocutor of the data subjects for any question relating to the processing of their data and the exercise of their rights.

ISO 27001

Pineappli is very proud to be ISO certified!

For those who are not familiar with the AFAQ ISO/IEC 27001 certification: It demonstrates that you have implemented an effective Information Security Management System (ISMS) based on the international reference standard, ISO 27001. It defines a methodology for identifying cyber threats, controlling the risks associated with your organization’s critical information, and implementing appropriate protective measures to ensure the confidentiality, availability and integrity of information.

Key benefits that contribute to a healthy and secure business policy:
– Greater business resilience
– Alignment with customer requirements
– Improved business processes and integration with business risk strategies
– Increased reliability and security of systems and information
– Improved customer and business partner confidence

The access control policy contains the rules for access to systems, equipment, facilities and information. These rules are designed to give a clear overview of who has access to which network and/or service. Access to all systems is in accordance with the access control policy, which means that access is protected by secure login procedures and that access to source code is tightly restricted. Software tools giving access to (sensitive) information are reserved for system administrators and are only accessible under supervision and in certain (rare) situations. Users must register in our information system and are granted access to certain areas according to their privileges. IT security policy rules determine how users maintain the confidentiality of their authentication data.
By obtaining ISO 27001 certification, we have reduced the risk of information security breaches. The Information Security Management System (ISMS) ensures appropriate risk management and is implemented for development, maintenance, management and hosting.

This certification is based on a standard of ISO, the international standards organisation, and thus has international scope and recognition.
It can only be obtained through the intervention of a certifying body accredited by national accreditation organisations such as COFRAC in France.
This requires a great deal of work and organization in-house to meet all the technical and organizational requirements.
Obtaining this certification demonstrates the commitment and importance that the company attaches to information security and represents a real guarantee of seriousness for the companies with which we work.
This certification gives rise to a certificate issued by the certifying body and authorises the use of a logo which allows the reality of this certification to be verified.

Compliance with applicable laws and standards:

– Pineappli has just been certified ISO 27001. This certification guarantees that security requirements are taken into account in the management of the Pineappli solution. The ISO 27001 standard is an international standard for strengthening the confidence of digital players and is also synonymous with reliability and competitiveness. This certification is indicative of our seriousness and our level of competence in the field of information systems security.
– Compliance with the GDPR and use of state-of-the-art technology.
– Application of the European eIDAS regulation of July 2014 and the Monegasque law of December 2019 “For a Digital Principality”.
– Pineappli’s compliance in terms of cryptography has also been validated by the company ADACIS, itself PASSI (1) certified by the ANSSI (2).
(1) PASSI: Information Systems Security Audit Service Provider
(2) ANSSI: National Agency for Information Systems Security
– Certification is also underway with the AMSN (3), for electronic archiving, the electronic safe and digitisation with probative value, in compliance with the Monegasque law of December 2019.
(3) AMSN: Monegasque Agency for Digital Security

Two major consequences for companies thanks to the strict application of laws:
– In the event of a dispute, Pineappli can provide the evidence requested: a very valuable evidence manager! Pineappli can be seen as an Evidence Management Service Provider insofar as it integrates all the services directly linked to trust environments. Pineappli is thus able to deliver a rich digital pathway that covers all the needs of its clients in strict compliance with the law. Its probative value traceability system (see log management below) enables proof to be provided of the execution of each referenced action, when and by which user.

– Pineappli is one of the few companies to offer probative value scanning: i.e. eliminating paper after scanning documents! The Pineappli solution has a probative value digitisation system that complies with the law of December 2019 “for a digital Principality”, which means that the paper is no longer retained after digitisation. The latter must be carried out in compliance with the required conditions and it must be ensured that the storage of digitised documents meets the conditions for electronic archiving with probative value, which is the case for Pineappli’s safes.

Our patent was filed by Mr. Jean-Marc Rietsch on June 8, 2015, dealing with “securing digital data”, bearing the national registration number 15 01179 and European 3304409 and issued on April 7, 2020 in the United States under the number 10,614,230.

This patent is a real guarantee of seriousness and innovation for users.

HDS

Hosting health data (HDS), a guarantee of quality to secure health data.

Personal health data are particularly sensitive. Access to them is therefore regulated by law to protect the rights of individuals. Consequently, the hosting of these data must be carried out under security conditions adapted to their criticality. The regulations define the terms and conditions expected.

“Any natural or legal person who hosts personal health data collected in the course of preventive, diagnostic, care or medico-social monitoring activities on behalf of natural or legal persons who are at the origin of the production or collection of such data or on behalf of the patient himself or herself, must be approved or certified for this purpose.”

Health Data Hosting (HDS) certification is required for entities such as Cloud service providers that host personal health data governed by French law and collected to provide preventive, diagnostic, and other health services. The HDS regulation was issued by ASIP SANTÉ which, under the aegis of the French Ministry of Health, is responsible for promoting e-health solutions in France.

The hosting of health-related data is governed by French law and the French Public Health Code (Article L.1111-8), which stipulates that any health organization (hospitals, pharmaceutical companies, laboratories) that manages personal medical data must use an HDS-certified service provider.


HDS certification requires service providers to adopt measures that ensure the security, confidentiality and accessibility of personal health data for patients. These measures include strong authentication and authorization procedures, reliable backup systems and strong encryption methods. HDS also specifies mandatory provisions that must be included in contracts with the cloud service provider. These requirements apply regardless of where the data is stored.

Like ISO 27001, this certification can only be obtained through accredited bodies.

It gives rise to a certificate issued by the certifying body and the use of a logo which allows the reality of this certification to be verified.

The company also appears in the list of certified organizations on the ASIP Santé website.

eIDAS

Compliance with the requirements of standard EN 319-401 provides a presumption of compliance with the requirements of the European eIDAS regulation, Chapter III (Trust Services) and Article 24, "Requirements applicable to qualified trust service providers", and in particular:

  • The use of reliable systems and products, and the security and reliability of processes

  • Having a termination plan for the services offered by the provider

The fact of being a qualified trust service provider brings a presumption of reliability of the services offered. This means that in the event of a dispute, it will be up to the company questioning the solution to demonstrate that the service was not provided in accordance with the requirements.

This is in contrast to the more common situation where, in the event of a dispute, it is up to the accused company to demonstrate the quality of the service provided. This is called the reversal of the burden of proof.

This certification can also only be obtained through the intervention of accredited bodies, which are moreover recognised by the national supervisory body in the eIDAS sense of the term, i.e. the AMSN for Monaco and the ANSSI for France.

It gives rise to a certificate issued by the certifying body and the use of a logo which allows the reality of this certification to be verified.