Your privacy and event data is our top priority
Taking effect on 25 May 2018, the European Union's General Data Protection Regulation (GDPR) is one of the most important international legislative changes in data protection in decades. The purpose of the regulation is to increase the individual's rights to manage and process their personal data and to harmonise legislation within the European Union.
Lyyti is firmly committed to the new Data Protection Regulation. In addition to complying with the regulation ourselves, it is important for us to help our customers with their compliance efforts. This goal will be achieved through training, instruction, and technical development of our software.
Lyyti offers tools and features for GDPR-compliant event management
Lyyti is a SaaS company specialised in participant data management, with millions of registrations and over 70 000 events handled yearly. Wherever events are handled, personally identifiable information and sensitive personal information are involved. We want to set a high standard for data protection in event management and lead by example. Lyyti offers all clients the tools needed for creating and managing GDPR-compliant events, and more.
Based on hundreds of client interviews, we have found that organisations around Europe face largely the same issues when it comes to GDPR compliance. This page is a roundup of these common data protection challenges, together with the tools and features Lyyti provides for addressing them.
All of our clients have access to the basic compliance tools included in their Lyyti license. However, our clients are different and have different needs. This is why we’ve bundled the advanced compliance tools into either the Compliance Center (included in Lyyti licenses purchased or updated after Jan 1st 2017) or the Enterprise license level.
Information security
A high level of information security is of primary importance to us.
Maintaining a high level of information security is our top priority. When you entrust your event data to Lyyti, you can be assured of its safety. We are 100% committed to upholding stringent security standards through multiple layers of protection.
With Lyyti, you have all the tools necessary to manage your participant data securely.
Lyyti's Information Security Management System (ISMS) aligns with the ISO/IEC 27001 standard, encompassing a comprehensive range of security measures. These measures include controls, policies, guidelines, plans, and procedures, all designed to safeguard every aspect of our operations.
Lyyti processes data exclusively within EU territory, in strict compliance with GDPR (2016/679).
Lyyti's premises have been designed and equipped to comply with strict security regulations.
An operations team constantly guards Lyyti's operability. The team is on duty 24/7, every day of the year.
We continuously monitor Lyyti environments to identify and address potential vulnerabilities promptly.
All Lyyti subprocessors are carefully selected to meet our stringent security standards. Each subprocessor is audited annually to ensure compliance, and a list of these partners is available on the Lyyti website.
Lyyti’s backup system is robust, encompassing four distinct operational levels that are geographically separated to enhance security.
Our personnel security program mandates that all employees complete annual training in data security and data protection, ensuring our team is well-versed in maintaining the highest standards of information safety.
Lyyti Security Program
Company security encompasses all aspects of the company's operations. Security operations safeguard Lyyti's core values, including people, data, reputation, property, assets and the environment. A primary responsibility of corporate security is to enhance the company's competitiveness by ensuring the confidentiality, integrity, and availability of all processed information.
Lyyti Information Security Management System (ISMS)
The Lyyti ISMS, which encompasses controls, policies, guidelines, plans, and instructions, is based on the ISO/IEC 27001 standard and developed in accordance with the criteria of the KATAKRI audit system. KATAKRI, standing for the 'National Security Auditing Criteria' of Finland, is a tool utilized by Finnish authorities to audit the security arrangements of organizations managing national security information.
Physical Security
The Lyyti office is equipped with electronic locks, camera surveillance, and modern burglar alarm systems and is monitored 24/7 by an external security company. Each employee is required to use a personal electronic key for office access. All access events are logged, monitored, and can be audited if necessary.
The hosting provider for Lyyti products adheres to several industry-recognized security standards, such as ISO 9001, SOC 1 Type II, SOC 2 Type II, ISO 27001, ISO 22301, and PCI-DSS. A comprehensive list of the hosting provider's certifications can be found here: https://upcloud.com/data-centres.
Data Classification
Lyyti uses a three-tier data classification model. The criteria for classifying data into these levels, along with guidelines for handling each classification level, are described in our policy documentation. Employees receive regular training on these procedures to ensure proper data handling.
Endpoint Security
All user devices accessing company data are company-issued and have been hardened in a documented manner. These devices are protected against various types of attacks by an XDR solution, which is monitored 24/7. Lyyti employs an MDM solution for endpoint policy control and patching, ensuring that all devices are managed and encrypted. Users are obligated to report any anomalies encountered while using the company's devices.
The Lyyti Acceptable Use Policy outlines the acceptable use of company IT resources and company-issued assets and includes the process for handling policy violations.
Security Trainings
All new employees must complete security and privacy training and pass a related exam on their first day of work. The training content is periodically updated, and all staff are required to successfully complete these updates and pass the corresponding exams within the designated time frames, normally at least annually. The outcomes of these exams are carefully monitored and recorded for accountability purposes.
Developers receive annual training in secure software development practices.
Data Encryption
All company-issued devices are encrypted. Customer data is always processed in encrypted format, both at rest and in transit.
Company Security Roles
All security-related roles and substitutes are described on Lyyti's internal company pages. The company's secure communication channels include contact details for the security role holders.
Policy Description
The company's security documentation comprises several controlled policy documents and guidelines, each of which is assigned to a designated owner with primary responsibility for the review process. These documents undergo an annual review process, or in the event of any significant modification to the content. This robust system ensures that the policies and guidelines remain current and aligned with the organization's objectives, goals, and statutory requirements.
Security Breaches and Incident Management
Lyyti maintains documented processes and comprehensive plans for incident management, ensuring continuous monitoring of security breaches with sophisticated solutions. All employees are mandated to promptly report any detected or suspected breaches of information security policies, intrusion attempts, data breaches, theft or loss of hardware, or other security-related events and incidents.
The company reviews its incident management documentation regularly and makes it accessible to all users. The documentation describes communication protocols to be followed during incidents, underlining the importance of swift response to safeguard Lyyti's services and data.
Risk Management
Risk management is an integral part of Lyyti's strategic process. It helps the company achieve its targets by ensuring that risks are proportional to risk capacity.
Lyyti has identified and documented various risks in its Risk Register. The risks have been classified and analyzed, and action plans are made annually to mitigate the risks. The CTO, along with the CEO and Compliance team, is responsible for the formulation of Risk Management policy and Risk assessment. The management team approves the risk management policy and reviews the process annually.
Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Lyyti has a Business Continuity Policy that is supported by a comprehensive Disaster Recovery Plan. This ensures that all critical business functions can continue, both during and after a disaster. The primary objective of the Disaster Recovery Plan is to minimize system downtimes and data losses. These documents are regularly reviewed to ensure their effectiveness.
Vulnerability Scans and Monitoring
All Lyyti infrastructure undergoes 24/7 operational monitoring, including cloud infrastructure, networks, endpoints, and office properties. Any anomalies found are classified, documented and handled according to policies and guidelines.
All environments are scanned for vulnerabilities either online (continuously), daily or weekly, depending on the system.
Penetration Testing
An independent external company performs penetration testing at least once per year. All findings are documented in the electronic systems and handled appropriately.
A summary of the latest penetration test, executed by Fraktal Oy in March 2024.
Patching Process
Lyyti's production hardware and software are continuously monitored for potential vulnerabilities. Vulnerabilities classified as 'Critical' or 'High' according to the CVSS v3.0 Severity Rating system are patched immediately, while those rated 'Medium' or lower are patched within one month following the release of the patch.
Employee and Contractor Security Practices
Lyyti is dedicated to upholding the highest levels of security, starting with the hiring and onboarding processes for both employees and contractors. The company hires only individuals who are dependable and trustworthy, and additionally, each contract includes a confidentiality clause to protect any sensitive information.
To ensure security, staff and contractors undergo training and pass assessments before being granted system access. Access is strictly regulated based on job roles, allowing only necessary access to sensitive data.
Furthermore, as a requirement of their employment or contractual agreement, all staff members must adhere to the company's security policies. This strict dedication to security practices and policies helps Lyyti safeguard its assets, its data and its clients' privacy.
Employee Offboarding
When an employee leaves the company, a detailed step-by-step offboarding process is followed. This includes, for example, immediately disabling or deleting the user's accounts in all systems used and wiping the endpoint devices they used. All company-issued devices are listed in the asset registers and are collected and managed according to documented procedures.
Data Location and Subprocessing
All data processed by Lyyti, including subprocessing, is handled within the EU Region. A list of subprocessors used by Lyyti is available at https://www.lyyti.com/en/subprocessors, and all subprocessors are reviewed annually.
Lyyti features for data protection
Scattered registers, i.e. participant lists saved here and there, can cause problems. Scattered registers form easily at events, where there is an undeniable need to share specific participant information with third parties such as catering or accommodation representatives.
Lyyti offers one centralized participant database for safe storage of personally identifiable information. The data can be shared securely via online reports, which can be regulated closely by the sender: the report can be password protected, access can be restricted and the report set to expire at a certain time. Thanks to online reports, the recipient never needs to save any personal data onto their own device.
The online reporting feature is included in all Lyyti license types.
The privacy policy is the document that clarifies to the registered person how and why their data is stored and handled. One organization can have several privacy policies due to having several registers, e.g. one for marketing purposes and another for customer data. The privacy policy needs to be accessible to the registered persons.
All our clients have the option of creating and publishing (in several languages if needed) one privacy policy for their Lyyti events. In practice this is sufficient when the client only maintains one register.
One privacy policy feature is included in all Lyyti license types.
If an organization is managing events that form separate filing systems or registers (e.g. client events related to the marketing register or internal events related to the employee register), there may be a need to manage several different privacy policies.
A person can be entered into a filing system in Lyyti based on explicit consent, where the person ticks a box to agree to be registered. The registration can also be based on other terms, which are to be clarified to the person about to be registered when they are signing up. In this case explicit consent isn’t needed, as long as the terms are presented clearly to the registered person.
Maintaining several separate registers in Lyyti is an especially useful model for event agencies. In this model, the agency produces events for its own clients, which makes the agency a processor rather than a register controller. An event agency can create client-specific privacy policies, manage client-specific consent questions and edit or remove data in client-specific registers.
The several registers feature is available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.
If the participant's (registered person's) explicit consent is requested for something (e.g. for a newsletter), the consent information can be stored and handled in Lyyti. The consent question feature is easy to use and transparent for both user and participant. If consent has been given in a previous event, Lyyti will recognise this based on the email address connected to the participation, which eliminates repeated consent questions.
One consent question and consent management is included in all Lyyti license types.
When a need arises for several separate consent questions (e.g. several different newsletters or other marketing consent), an unlimited amount can be created in Lyyti. The relevant consent questions can be selected for each event at the user’s discretion.
The several consent questions feature is available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.
According to Article 15 in the regulation the registered person (in this case the participant) has the right to access their personal data and information about how this personal data is being processed, and to request changes or erasure.
Lyyti has solved this by providing a search feature that retrieves all data on a participant and compiles it into either a PDF file or a machine-readable file. The search can be executed either within the events belonging to one user or within all events belonging to the entire organization.
Participant data retrieval from one user’s events at a time is included in all Lyyti license types.
Participant data retrieval from the entire organization's events, and the PDF or machine-readable file generation, is available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.
When an organization manages more than one register, the participant data search can be performed in either just one register or all existing registers at once.
Participant data retrieval from one or more registers is available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.
Personally identifiable information loses its sensitivity status when all data that could help tie the information to a natural person is removed. The process is known as anonymisation, after which the data isn’t subject to the GDPR anymore. Such anonymised event data can be used for statistics etc. The need for anonymisation may arise either from the registered person’s request or when the need to process certain personal information is gone (e.g. a sufficiently long time has passed since the event).
An anonymisation feature for processing an individual participant at a time is included in all Lyyti license types.
When an organization controls several registers, a need may arise to find and anonymise a registered person within just one of many registers. A good example is a company that requires explicit consent for entering a participant in its participant register, but wants to keep its participant register and marketing register separate.
Event agencies and conference organizers appreciate this feature, because this way different clients’ participant registers can be kept separately and the participant search is easy to direct to the correct register.
Anonymisation spanning one or several registers is available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.
Anonymisation of an entire event at one click is a handy feature for getting rid of personally identifiable data in e.g. old, archived events.
Anonymisation of an entire event is available in Lyyti licenses that include the Compliance Center. Since anonymisation cannot be undone, this feature is only accessible to the admin user.
Automatic anonymisation is a set of tools with which the admin user can set organization-wide anonymisation rules. Data can be set to be anonymised at a certain point in time, or a certain field or question can be anonymised automatically at the admin user's discretion.
This set of tools is particularly useful to large organizations and other clients who want to standardize and centralize data management and anonymisation practices for the entire organization.
Automatic anonymisation is available in Lyyti Enterprise licenses.
Event participation often acts as an expression of consent, e.g. when a participant signs up for an event and simultaneously agrees to receive a newsletter as stated in the marketing register privacy policy. In these cases the consent information, along with the participant information, needs to be entered into another system (e.g. a marketing platform), where the register is processed further.
Consent information export via reports and Excel file generation is available in all Lyyti license types.
Users who generally manage and process their registers in another system (CRM, marketing platform, HR system etc.) while managing their events in Lyyti appreciate the fact that the consent information can be managed automatically. Automatic consent information export (and import) can be facilitated via Lyyti's API.
Export and import of consent information via API is available in Lyyti Enterprise licenses.
Information concerning a natural person's health, political activity or sexual orientation is an example of sensitive personal information. Sensitive personal information should only be processed and stored when it is absolutely necessary, and removed once it is no longer needed.
Lyyti offers tools for flagging certain questions as sensitive data and for scheduling removal of said data. The admin user can set the sensitive data rules for the entire organization, ensuring safe and certain removal of sensitive data.
Sensitive personal data management tools are available in Lyyti Enterprise licenses.
Please bear in mind that events themselves don’t need to be deleted, because they are not personally identifiable information.
When it comes to personal data contained in past events, it’s good to reflect on these points:
Is the organizer under some legal obligation to retain the data, e.g. relating to proof of education or bookkeeping purposes?
Does the organizer have a lawful basis and purpose for data processing, e.g. in events aimed at customers who are already in the customer register?
Does the organizer have a reason to store the data in connection to legitimate economic activity or to fulfill contractual obligations (e.g. a recurring event where previous participation may affect future guest lists)?
If there is no need to hang on to personal data from past events, it may be in order to anonymise, for example, events that ended more than two years ago, instead of removing them completely. We recommend that this is done one event at a time, as anonymisation cannot be undone.
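The retention rules described above (anonymising flagged sensitive questions once their retention period has passed, and anonymising all personal data in events that ended more than two years ago, one event at a time because it cannot be undone), as an added Python example with a constructed data model. It is not Lyyti's code or API; the field names, retention periods and the dry-run flag are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed toy data model; it is not Lyyti's schema or API.
PII_FIELDS = {"name", "email", "phone"}
ANONYMISED = "[anonymised]"


@dataclass
class Event:
    event_id: str
    ended: date
    participants: list  # one dict per participant: field/question name -> answer


@dataclass
class Policy:
    # Whole-event rule: anonymise all PII once an event has been over this long.
    event_retention_days: int = 730
    # Sensitive-question rule: question name -> days after event end to keep it.
    sensitive_fields: dict = field(default_factory=dict)


def fields_due(event, policy, today):
    """Field names the policy says must be anonymised for this event today."""
    age = (today - event.ended).days
    due = set()
    if age > policy.event_retention_days:
        due |= PII_FIELDS | set(policy.sensitive_fields)
    for name, keep_days in policy.sensitive_fields.items():
        if age > keep_days:
            due.add(name)
    return due


def apply_policy(event, policy, today, dry_run=True):
    """Return [(participant_index, field)] that would be, or were, anonymised.

    Anonymisation cannot be undone, so the default is a dry run that only
    reports; pass dry_run=False to overwrite values, one event at a time.
    Non-identifying answers are left in place so the event still yields statistics.
    """
    due = fields_due(event, policy, today)
    actions = []
    for i, answers in enumerate(event.participants):
        for name in due:
            if name in answers and answers[name] != ANONYMISED:
                actions.append((i, name))
                if not dry_run:
                    answers[name] = ANONYMISED
    return sorted(actions)


def build_sample():
    """Constructed sample: an event over two years old and a recent one."""
    today = date(2024, 6, 1)
    policy = Policy(sensitive_fields={"accessibility_needs": 30})
    old = Event("old-seminar", today - timedelta(days=3 * 365),
                [{"name": "A. Example", "email": "a@example.test",
                  "session_track": "security"}])
    recent = Event("recent-workshop", today - timedelta(days=100),
                   [{"name": "B. Example", "email": "b@example.test",
                     "accessibility_needs": "step-free access",
                     "session_track": "privacy"}])
    return today, policy, old, recent
```

Running `apply_policy` with the default dry run first shows exactly which fields of which participants would be overwritten before the irreversible step is taken.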
Lyyti in numbers
55+ employees around Europe
2100+ clients globally
50+/98+ NPS/CSAT
22 registration languages
100+K events created annually