Privacy at Centra

Explore how we protect your personal information at Centra

1. Introduction

At Centra Technology AB (Centra), we take your privacy seriously and are dedicated to protecting your personal data. We may handle your personal data (also known as PII) in two main ways: as a controller (for example, when you visit our website or work with us) or as a processor (when one of our clients uses the Centra Platform for their e-commerce).

2. Data collected

The personal data we collect depends on the context of your collaboration with us.

Centra as a Controller - the EU-based legal entity

In that context, we process your PII as a controller when you visit our website, contact us directly, work with us, or interact with Centra and its subsidiaries as an organization.

If you would like to exercise any of your individual rights under privacy regulations, please contact Centra by email at privacy@centra.com.

To understand the personal data Centra processes, click the link below. Please note: if you are employed by or provide services to Centra, this information will be expanded once you have access to our IT infrastructure, for security reasons.

PIMS Records of Processing Activities

Centra as a Processor - the provider of the Centra Platform

In that context, we process your PII as a processor when you use an online e-commerce shop, developed and hosted by a client, that is hosted on our Centra Platform.

If you would like to exercise any of your individual rights under privacy regulations, please contact the controller of such an online shop as the Controller of your PII.

To understand the personal data we process as a data processor on behalf of a data controller, please click this link. Kindly note that the Controller may process more PII through their e-commerce solution setup than we do on the Centra Platform.

PIMS Records of Categories of Processing Activities

3. Compliance

As a global company headquartered in the EU, Centra has to comply with different national regulations concerning privacy and security (privacy regulations). Some of these regulations are listed below.

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) - GDPR

  • The Swedish Data Protection Act (Dataskyddslagen, SFS 2018:218)

  • If you are interested in compliance with your national privacy regulation, please contact us for further details.

Our contact information as either a controller or processor of personal data is:

Centra Technology AB 
Torsgatan 26, 113 21 Stockholm
Email: privacy@centra.com

As a Swedish company, our regulatory authority concerning privacy is Integritetsskyddsmyndigheten (IMY). You can contact them via their website: https://www.imy.se/

As Centra does not fulfill the conditions specified in GDPR Article 37, we have not appointed a Data Protection Officer. You can still contact us regarding any privacy issues using the “Privacy contact” details.

4. Data security

Centra is committed to prioritizing security by building an information security culture across the whole organization and by following established security and privacy standards that guarantee the confidentiality, integrity, and availability of information and our products.

To address the security of your personal information, we have implemented, certified and operate an ISO 27001-based Information Security Management System at Centra. We apply both technical and organizational measures (TOMs) to protect your personal data and other information. The list of TOMs is available in the ISO 27001:2022 Statement of Applicability.

We use these TOMs to fulfill the controller’s and processor’s obligations described in GDPR Articles 24-34, (EU) 2021/915 Annex III, and other privacy regulations.

5. Subprocessors

To provide our product and services, we use other processors, e.g. cloud providers. Every time we start using a new processor, we evaluate its capabilities from the security and privacy perspective using the supplier evaluation process required by the ISO 27001 standard. With every subprocessor we enter into a Data Processing Agreement, or its equivalent, so that the privacy of your personal data is ensured along the full supply chain.

At the link below you can find the current list of subprocessors we use in the organization: Centra Platform Sub-processors List.

We may be in the process of bringing new subprocessors to the Centra Platform. This is usually done with a one-month notice period, so that if you do not want to share your data with the new processors, you still have time to take action. You can check the list of planned suppliers at this link: Centra Platform Sub-processors List - Planned.

6. Your individual rights

As a Data Subject, you have several rights regarding your personal data under the relevant Privacy Regulation:

  1. Right to be informed: You should be transparently informed about all details regarding the processing of your personal data. We fulfill this via this policy and the consent functionality when using the Centra Platform. The Data Controller fulfills this requirement within the Frontend System.

  2. Right to Access: You can request information on the personal data we hold about you.

  3. Right to Rectification: You can ask us to correct any inaccuracies.

  4. Right to Object: You may object to certain data processing activities, including direct marketing.

  5. Right to Erasure (Right to be forgotten): You have the right to request that your data be deleted or anonymized under certain conditions.

  6. Right to Data Portability: You can receive your personal data in a structured format and transfer it to another provider.

  7. Right to Restrict Processing: You can request that we limit the use of your data.

  8. Right not to be subject to automated decision making: You have the right to object to any automated decision making on the Centra Platform.

We implement and guarantee the execution of these rights in different ways, depending on the personal data category we process and our role in that process.

Centra as a Controller - the EU-based legal entity

To understand your rights with Centra as the Controller, click this link.

Centra Privacy Policy

Centra as a Processor - the provider of the Centra Platform

In that context, you can exercise your individual rights by contacting the controller of your personal data. We implement and offer functionality within the Centra Platform that helps the controller to ensure your rights are respected. To understand our role in that process, click this link.

Centra Platform Privacy Policy

For more information on which rights apply to each personal data category, please read the Centra Platform List of Personal Data Categories.

7. Resources

Below you can find some publicly available information security and privacy resources. If you cannot find what you are looking for, please contact us directly.

ISO 27001:2022 Certificate

An up-to-date certificate of our Information Security Management System, compliant with the ISO 27001:2022 standard.

ISO 27001:2022 Certificate

ISO 27001:2022 Statement of Applicability

A list of the information security controls from Annex A of ISO 27001:2022, each with its implementation statement. You can use this resource to understand the technical and organizational measures (TOMs) that are implemented by Centra.

ISO 27001:2022 Statement of Applicability

ISMS Information Security Policy

An entry-level policy describing Centra’s Information Security Management System at a high level. You can use this policy to understand our ISMS setup in the organization.

ISMS Information Security Policy

Centra Platform Privacy Policy

A policy describing our approach to managing the privacy of personal data on the Centra Platform. You can use this policy to understand your rights as an individual (data subject) or the split of responsibilities for privacy between a data controller and a processor of personal data.

ISMS Centra Platform Privacy Policy

ISMS Record of Processing Activities

A formal document required under the GDPR that outlines how an organization collects, uses, stores and shares personal data that it processes as a controller.

PIMS Records of Processing Activities

ISMS Record of Categories of Processing Activities

A formal document required under the GDPR that outlines how an organization collects, uses, stores and shares personal data that it processes as a processor.

PIMS Records of Categories of Processing Activities

ISMS Centra Platform Sub-processors List

This document presents the list of sub-processors that are engaged by Centra Technology as Data Processors in the context of the Centra Platform.

Centra Platform Sub-processors List

ISMS Centra Platform Sub-processors List - Planned

This document presents the list of planned sub-processors that will be engaged by Centra Technology as Data Processors in the context of the Centra Platform.

Centra Platform Sub-processors List - Planned

8. Security contact

For any privacy-related questions or information, please contact us at privacy@centra.com