GDPR-compliant

GDPR and Data Protection

At Minly, we take data protection seriously. Here you can read about how we ensure GDPR compliance and protect personal data.

Data in EU

All data is hosted securely within the EU. We use data centers in Europe with high security standards.

AES-256 encryption

All data traffic is encrypted with TLS 1.3. Sensitive data is encrypted with AES-256 - the same standard used by banks and government agencies.

Data Processing Agreement

We offer a standardized data processing agreement (DPA) to all institutions.

How we comply with GDPR

As a data processor for Danish childcare institutions, we are fully committed to complying with the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act. We have implemented comprehensive technical and organizational measures to protect personal data.

Roles and responsibilities

Your role as data controller

Your childcare institution is the data controller for the personal data processed in Minly. This means the institution determines the purpose and means of processing personal data about children, parents, and staff.

Our role as data processor

Minly acts as data processor and only processes personal data according to instructions from the institution. We have no independent right to use data for our own purposes. Our role is solely to provide a secure platform for administration.

Technical security measures

  • Encryption in transit: All communication between users and our servers is encrypted with HTTPS and TLS 1.3 - the newest and most secure standard
  • AES-256 encryption of sensitive data: All health information (allergies, illnesses, medication) is encrypted with AES-256-CBC - the same encryption standard used by banks, healthcare, and the military. Data is unreadable even with unauthorized database access
  • Encrypted databases: The entire database and all backups are encrypted at disk level
  • Access control: Role-based access ensures users can only see relevant data. Parents can only see their own children's information
  • Tenant isolation: Data from each institution is completely separated, so no one can access other institutions' information
  • Two-factor authentication: Can be used for extra security
  • Logging: All critical actions are logged for auditing
  • Automatic backup: Daily backups with encryption and storage in the EU

About AES-256 encryption

AES-256 (Advanced Encryption Standard with 256-bit keys) is approved by the US National Security Agency (NSA) for classified information at the highest level. It would take a supercomputer billions of years to break the encryption by brute force. We use this technology to protect children's health information.

Organizational measures

  • All employees are trained in data protection
  • Access to production data is limited to key personnel
  • We have procedures for handling security breaches
  • Regular review of security measures
  • Our subcontractors are approved and subject to data processing agreements

Data Processing Agreement

All institutions using Minly are covered by our standard data processing agreement. The agreement ensures that we only process data according to your instructions and comply with all GDPR requirements.

The data processing agreement includes:

  • Description of the purpose and nature of processing
  • Categories of personal data processed
  • Technical and organizational security measures
  • Procedure for reporting personal data breaches
  • Terms for use of sub-processors
  • Obligations upon termination of cooperation

Contact us at kontakt@minly.dk to receive a copy of the data processing agreement.

Sub-processors

We use the following sub-processors to deliver our service:

Vendor   | Purpose        | Location
Hetzner  | Server hosting | Germany (EU)
Postmark | Email delivery | EU

All sub-processors are subject to data processing agreements that ensure GDPR compliance.

Data subject rights

Parents and staff have the following rights under GDPR:

  • Access: Right to see what information is registered
  • Rectification: Right to have incorrect information corrected
  • Erasure: Right to have information deleted (with certain exceptions)
  • Restriction: Right to restrict processing
  • Data portability: Right to receive data
  • Objection: Right to object to processing

Inquiries about data subject rights should be directed to the relevant institution, which is the data controller. Minly assists the institution in responding to such inquiries.

Security breaches

In the event of a personal data breach, we will:

  1. Immediately investigate and contain the breach
  2. Notify affected institutions within 24 hours
  3. Assist with reporting to the Data Protection Agency (if required)
  4. Document the incident and measures taken
  5. Conduct subsequent analysis and improvements

Contact

Do you have questions about our GDPR compliance or data protection in general? Contact us at:

Minly
Email: kontakt@minly.dk

Need a data processing agreement?

Contact us to receive our standard data processing agreement or to discuss specific requirements.
