As a service provider, Assessio acts first and foremost as processor of personal data. Our customers act as Controllers of the personal data. This means we assist our customers according to the instructions we receive. So, when candidates or employees conduct tests in our platforms, it is you, as the customer, who determine the goals and purposes of this processing.
As processor, we must be able to provide sufficient guarantees that the processing meets the requirements of the data protection regulation and ensures that the data subject's rights are protected. That is why we have built our services with Privacy by design and default in mind. For this, we have appointed an external data protection officer (DPO) and certified our management system for information security in accordance with ISO 27001. Our DPO is obliged to support and monitor our implementation of GDPR. Our information security management system (ISMS) is annually audited by external auditors from certification bodies to ensure that security meets the high standards.
We therefore have our own responsibility to ensure processing of personal data takes place in accordance with our customers' instructions and does not exceed these.
Name, address and employer identification number | Purpose | Location | Legal basis |
Amazon Web Services EMEA SARL | Maintenance and hosting of Ascend | Ireland/Germany | Within EU/EEA |
LogsHero Ltd. | Application logs | Germany | Within EU/EEA |
Assessio Psychometrics AB | Supplier of Ascend | Sweden | Within EU/EEA |
Name, address and employer identification number | Purpose | Location | Legal basis |
Amazon Web Services EMEA SARL | Maintenance and hosting of Assessio platform | Ireland/Germany | Within EU/EEA |
Assessio Psychometrics AB | Supplier of Assessio platform | Sweden | Within EU/EEA |
Name, address and employer identification number | Purpose of processing | Location | Legal basis |
Amazon Web Services EMEA SARL | Maintenance and hosting of Assessio platform | Ireland/Germany | Within EU/EEA |
Assessio Psychometrics AB | Supplier of Assessio platform | Sweden | Within EU/EEA |
Name, address and employer identification number | Purpose of processing | Location | Legal basis |
Detron ICT Group B.V. | Cloud service provider. Operates the servers where the personal data is stored. | The Netherlands | Within EU/EEA |
Eelloo B.V. | Technical support. | The Netherlands | Within EU/EEA |
Sub-processor's name, address and organisation number | Purpose of processing | Location | Legal basis for the transfer |
Amazon Web Services EMEA SARL | Operations and hosting | Ireland / Germany | N/A |
AddPro i Stockholm AB | Operation of Assessio's IT environment, and thereby access to e-mail and storage locations | Sweden | No transfer of its own, only data on Assessio's behalf |
LogsHero Ltd. | Application logs | Germany | Within EU/EEA |
Assessio Psychometrics AB | Supplier of Ascend | Sweden | Within EU/EEA |
SimplyBook.me Ltd 30 Gladstonos Street, P, Makedonas court Mezzanine Floor. 3041 Limassol, Cyprus Org. no. 556804-3367 | Booking system for customers | Cyprus | Agreement |
Sub-processor's name, address and organisation number | Purpose of processing | Location | Legal basis for the transfer |
Amazon Web Services EMEA SARL | Operations and hosting of Ascend | Ireland/Germany | Within EU/EEA |
AddPro i Stockholm AB | Operation of Assessio's IT environment, and thereby access to e-mail and storage locations | Sweden | No transfer of its own, only data on Assessio's behalf |
LogsHero Ltd. | Application logs | Germany | Within EU/EEA |
Assessio Psychometrics AB | Supplier of Ascend | Sweden | Within EU/EEA |
Sub-processor's name, address and organisation number | Purpose of processing | Location | Legal basis for the transfer |
The Myers-Briggs Company Limited | Development of MBTI tests. | United Kingdom | SCC and a country with an adequate level of protection according to the European Commission's decision. |
DevCore AB | Develops and operates the MBTI platform, and storage. | Sweden | Within EU/EEA |
Sub-processor's name, address and organisation number | Purpose of processing | Location | Legal basis for the transfer |
PSI Services LLC | Development of PSI tests/16PF | United Kingdom | Country with an adequate level of protection according to the European Commission's decision. |
DevCore AB | Develops and operates the MBTI platform, and storage. | Sweden | Within EU/EEA |
Personal data processed in the platform is encrypted both at rest in the system and during transmission (encryption in transit and at rest).
Personal data is stored on servers within the EU/EEA (Ireland and Germany).
Assessio's DPA with the sub processors is based on Standard Contractual Clauses (SCC).
Assessio's sub processors provide transparency reports.
ISO 27001 certification
Two-factor authentication for login & Single Sign On (SSO) available.
In addition to the above security measures, we have also developed an anonymization/pseudonymization function in our platform Ascend. This is in accordance with the European Data Protection Board's recommendations regarding supplementary measures during transfers, more specifically Use Case 2. This function acts as an additional guarantee of GDPR compliance in the event of a potential involuntary transfer.
We have developed our services with privacy by design and default in mind. This means that our systems support basic data protection principles such as data minimization. Personal data that is no longer necessary to achieve the purpose must be deleted. Within Assessio, standard times are used for checking and, where applicable, deleting personal data. However, you as Controller have full control over this and set the rules for when personal data is to be deleted automatically.
We only process the personal data we are instructed by our customers to process. The categories of personal data vary depending on the service. But most often it is the candidates' names, e-mail addresses and assessment results. For more information look at the instructions for the respective service.
No. The European Data Protection Board has clarified in its guidance 05/2021 that there is no third country transfer just because a European established company has an overseas parent company.
Within the EU. More information can be found in our list of sub-processors.
We work with a number of third-party service providers. We require that all our suppliers work to the same high standard as Assessio. We regularly audit our sub processors to make sure they comply with necessary certifications and established processes.
Assessio processes personal data in accordance with the instructions given by our clients. The purpose is to deliver the service our clients purchased from us. For more information, take a closer look at our DPA, based on the European Commission's Standard Contractual Clauses (SCC).
Yes, this feature is available in Ascend.
We have developed our services with privacy by design and default in mind. This means our systems support basic data protection principles such as legality and transparency. Our platform enables you to carry out the processing based on the legal basis you consider correct.
We have developed our services with privacy by design and default in mind. This means our systems support basic data protection principles such as transparency. Candidates have the right to be informed about both the collection and use of their personal data and their rights. The information must include, among other things, the purpose of the processing, the storage period, the type of data that will be processed and who will have access to the data. Candidates should also be informed if there is automated decision-making involved (and if so the logic behind it), as well as if data will be transferred outside the EU/EEA.
Candidates also have the right to receive a register extract of what data is processed. Please note that this information must be provided to the candidate at the time of collection.
The information must be transparent, easily accessible and in simple language.
Our platform Ascend enables you to link to your privacy policy and thereby comply with your obligation to provide information.
We have established processes in place to respond when candidates exercise their rights. When a candidate contacts us, we inform our client (the data controller) as soon as possible. The client can thereafter decide to delete data. We also inform the candidate that we have informed our client and that the client will get in contact.