Raet uses several different methods to assure the privacy of your data and protect your personal details.

We process personal details in accordance with the applicable European privacy legislation and guidelines. Our information security policy is based on the European General data Protection Regulation (GDPR).

The GDPR identifies Raet as a ‘processor’, since our service provision focuses on processing personal, payroll and related data. The GDPR imposes requirements on the form and content of agreements with customers and suppliers. Furthermore, this act also stipulates a number of independent obligations and restrictions that apply to Raet in its capacity as processor.

Based on the GDPR we ensure that:

  • we and our suppliers comply with the law.
  • any data recorded only relates to our service provision.
  • the data recorded has been obtained lawfully and is consistent with the purpose of processing.
  • any provision of data to third parties results from the purpose of recording the data, is necessary in order to comply with statutory obligations or is done with the customer's approval.
  • there are sufficient guarantees as regards technical and organizational security.
  • data that is entrusted to us is kept, in your capacity as controller, i.e. the party responsible for processing, are able to comply with the obligation to report any data breaches.
  • data is processed in countries with a suitable security level;
  • a privacy officer is appointed as the internal supervisory and advisory official;
  • ‘Privacy by Design’ and ‘Privacy by Default’ development principles are being used;
  • Binding processing agreements will be agreed with controllers and sub-contractors.

The above aspects are part of our framework of standards and our information security policy, which implies that we are able to have them verified on the basis of ISAE3402 and ISO27001 standards.

Customer data

In order to be able to deliver the services agreed, Raet has customer data at its disposal. We do not use any customer data that can be traced back for other purposes, unless you give us explicit permission to do so. We have therefore imposed requirements on how customer data is handled at Raet. 


Rules and requirements governing handling customer data are laid down in the internal ‘Guideline on using customer data’. This guideline complies with the "Guidelines on personal data security" issued by the Dutch Data Protection Authority. We only use data of fictitious people to test information systems with personal data.

Returning customer data

When your contract with Raet is terminated, your data will be returned to you according to the contractually agreed procedure. We can make your data available in the form of a widely used data file and on a commonly used medium. Raet normally works with a ‘comma separated’ (.csv) file format on DVD.

Removing customer data

We remove your data from our operational systems when your contract with Raet ends based on your instructions. For technical reasons, it is not possible to remove the data from any backups that have already been stored. However, we can include agreements in the contract about saving data for later retrieval, e.g. for the tax authorities.

MKB software

Obligation to report data leaks

The obligation to report data breaches as stipulated in the GDPR requires that any data breaches are reported to the Data Protection Authority. For example, the “Guidelines on the obligation to report data breaches” issued by the Dutch Data Protection Authority provide further information about this. We will inform you, in your capacity as the controller, about relevant incidents in good time, correctly and in full, enabling you, the controller, to comply with the statutory requirements.

Data centers in the Netherlands

We use three locations where data is processed by software and stored:

  • Apeldoorn: production environment and storage location for customer data, development environment and test environment.
  • Aalsmeer: backup environment with replicated customer data and acceptance environment.
  • Lelystad: storage location for backups of encrypted customer data (off-site backup).

Youforce runs on several servers and has various hardware components. The 'Apps' and 'Options' are available to users online. The data is processed in a data center in Apeldoorn in the Netherlands. The systems are protected by means of 'hardening' as laid down in the ICT security guidelines of the Dutch National Cyber Security Center and in other related standards. You can find more details about security under 'Security'.

All computer centers and data storage comply with strict legislation.

If an emergency occurs we can switch to our second location in Aalsmeer. In order to minimize the risks of environmental factors, we have deliberately opted for a location at a considerable distance from the town of Apeldoorn. We use replication to continually keep your data in this backup environment identical to the data in the production environment. We use some of the systems in the backup environment for acceptance testing. Of course, we do not use your data for this purpose and the production data is kept physically separate from the test data.

All computer centers and data storage comply with strict European legislation on logical and physical access security and continuity.


We use services provided by KPN, one of the largest suppliers of data center services, for our computer centers. The systems and storage space we use are kept physically separate from the services KPN provides to other customers. KPN computer centers are extremely reliable and are certified for quality and information security. All the computer centers used are at least ISO9001 and ISO27001 certified. We test compliance with our requirements for suppliers in the production process every year and we report on this in our ISAE3402 type 2 report.


Youforce is protected against misuse by malware and is protected by anti-virus software to prevent any connected users from being infected by viruses. 

We do not check for viruses in the data and any attachments recorded by users, since this data is not run as software programs and cannot therefore harm Youforce. We assume that, in order to protect your own data, you use virus detection and malware protection on your own systems.