Frequently asked Questions

Here you will find the most frequently asked questions about the GSE® System platform. The FAQ database is regularly updated.

Frequently Asked Questions

Stack privacy and encryption

The security of your data is very important to us at NDi, which is why the data on our STACK is encrypted with a 256-bit AES key. Regardless of which client you use, the connection also runs via https so that the traffic to and from your STACK is always encrypted.

We can only use server-side encryption and no end-to-end encryption. This means that the encryption key is in the possession of our Stack supplier and this is stored separately from the storage server. When you request the data, it is decrypted on the fly on the servers where we make the data available.

Privacy Policy

How to get permission for upload documents to private secured stack
  1. Fill in the request form (link at the bottom of this item)
  2. You will receive a web url and password to log in by e-mail. *Keep this in a safe place! In the event of loss, you must resubmit the application for permission via the application form. 
  3. Upload your documents? Simply drag the required documents to your private secured stack. When you are done, close the browser window.
* NOTE: GSES is in no way responsible for the loss or careless handling of the transmitted login data.

Permission for upload documents form click here.

What is the connection between the GSE® System and OECD Guidelines?

The OECD has developed Due Diligence Guidance for Responsible Business Conduct, which provides practical support to enterprises on the implementation of the OECD Guidelines for Multinational Enterprises. These are guidelines for companies on how to deal with issues such as supply chain responsibility, human rights, child labor, the environment and corruption. 

GSES applies the OECD Due Diligence Guidance for Responsible Business Conduct to its five pillars and supply chain approach. 

Are the the Sustainable Development Goals (SDGs) measured in the GSE® System?

The NDI and SGS Search co-developed the Circular Footprint (CF), part of the overarching Sustainable Footprint. End users of products and projects can see exactly how circular their end product is by scanning a QR code or NFC tag. 

The CF is generic, workable, scalable and based on existing standards such as Cradle to Cradle (C2C) and EMF of the Ellen MacArthur Foundation. Differences between CF and EMF include: 

  • The distinction between product components in the supply chain and the product itself makes it possible to determine the index in complex chains. The CPF index can be determined for a (product) component. This index can be passed on in the chain, so that ultimately the total CF index for the product can be determined. This provides a scalable CF index determination, which can be calculated in this way for complex systems. This is not possible with the EMF and C2C standard;
  • The CF takes production waste / loss into consideration;
  • In another comparison with EMF: CF includes recyclable and compostable material;
  • In contrast to EMF, CF does not take the lifespan into account, because claims regarding the lifetime are difficult to prove. Moreover, they are highly dependent on the use and user. The NDI is currently working to include the time element in its CFs.
What is the link between GSE® System and Ellen Mc Arthur Foundation (EMF)?

Yes, The GSES Circular Footprint index (part of the Sustainable Footprint is based on the circularity index of the Ellen MacArthur Foundation (EMF) and the Cradle to Cradle standard.

Differences between CF and EMF include: 

  • The Cradle to Cradle standard includes five categories: material health, reuse of materials, renewable energy, water management and social justice. The CF deals solely with the second category of C2C: reuse of materials. 
  • C2C doubles the performance value at the end of the “W” cycle, while CF and EMF do not. 
  • C2C makes certain biodegradable forms possible.
Are the Cradle to Cradle (C2C) principles integrated in the GSE® System on product level?

The 17 Sustainability Goals of the United Nations Agenda 2030 provide a shared blueprint for peace and prosperity for people and the planet, now and into the future. GSES provides insight into your organization’s contribution to these sustainability goals and sub-goals (targets) of the UN.

Each of your sustainability efforts, which increase your score on the five GSES pillars (CSR, SP, CO2 reduction, Circular Economy, and Health & Safety) and the Sustainable Footprints, also contribute to one or more sustainability goals of the UN.

What is the relationship between GSE® System and CO2 Prestatieladder (Dutch for ‘CO2 Performance Ladder’)?

The CO2 pillar in the GSES System is based on ISO 14064-1: 2012 Guidance at the organization level for quantification and reporting of greenhouse gas emissions and removals. This ISO standard contains requirements for design, development, management, reporting and verification of the greenhouse gas emissions ‘accounting’ of the organization.

Organizations that already have a valid CO2 Prestatieladder certificate also automatically receive points on the GSES CO2 pillar and, depending on the level of the certificate, even an exemption on the GSES CO2 pillar.

What is the relationship between GSE® System and the MVO Prestatieladder (Dutch for CSR Performance Ladder)?

The CSR pillar in the GSES System is based on ISO 26000 guidelines, the HLS, GRI and OECD guidelines. Because the MVO Prestatieladder offers a practical addition to the ISO 26000 guideline, the CSR performance ladder is included as an exemption in the GSES System.

The MVO prestatieladder is included in the Sustainable MetaStandard that is integrated into the GSES System. Therefore organizations that already have a valid MVO Prestatieladder certificate automatically receive points (and even exemptions) for the score on the GSES CSR pillar, depending on the level of the certificate.

Can GSE® System be used as a procurement tool?

Yes, the GSES system can be used as a procurement tool. The supplier functionality on the online GSES platform offers participants the opportunity to invite and rank their suppliers on standardized and internationally accepted sustainability themes such as CSR, Sustainable Procurement, CO2 Reduction, Circular Economy, Health & Safety and Chain transparency and collaboration.

After the suppliers publish their scores of the themes of your choice in the form of a validated assessment, a ranking of suppliers appears on your supplier dashboard.

How do we change the rules: a Coalition of the Willing?

How does NDI wants to change the rules of existing economies that are not sustainable enough?

Change can be only achieved through collaboration and joining forces, both locally, nationally and internationally. One willing organization (unless very large) does not have the ability to change the rules on its own. The NDI has a multi-stakeholder approach and organizes multi-stakeholder consultations.
The NDI is active in creating a Coalition of the Willing.

The strength of the GSES system is that it stimulates and influences stakeholders inside and outside the value chain. Furthermore, change will come by involving consumers, who can scan QR codes to view the sustainability performance of organizations and products on the GSES ScoreCard.

How does the GSE® System help to increase the sustainable market share?

By enabling sustainable entrepreneurs to measure and visualize their performance on the various themes of sustainability, we are offering them the tools to increase their market share and impact – in the B2B and B2C markets. This way, we are constantly expanding the new economy on both a national and an international level.

Product - Services & responsibilities

GSES will provide the customer with a product that is continuously developed further with new functions, improvements and legal amendments. This product is called GSES System Platform and is made available as standard through the GSES online system. This section contains information about development, version management, system requirements, product support.

Services and responsibilities

GSES develops and delivers the software (GSES System Platform) and can, in most cases, take care of the implementation of this software at its customers. Customers are themselves responsible for the correct configuration of the application. If the application requires adjustment because of performance or security issues, GSES will contact the customer to implement the required adjustment. This service is included.

GSES ensures a correct delivery of applicable legislation in the software, for example, in relation to taxation matters and collective bargaining agreements (also known as collective labour agreements). The customer is responsible for correct application.

GSES is not responsible for the correct operation of links of additional software packages or additional services of third parties.

Property rights

The intellectual property right of the products is vested and will continue to be vested on GSES. If a third party should claim that the intellectual property right of the software is vested on him or her, the customer shall indemnify the customer. A condition in relation to this is, however, that the customer informs GSES as soon as possible, cooperates with the investigation and leaves the settlement of the issue completely to GSES from this point on.

The property right with regard to the entered data and the data generated by the application is vested on the customer. GSES may not and shall not appropriate customer data.

A licence does not entitle the customer to what is commonly referred to as the source code. A separate agreement can be concluded for an escrow agreement.

Development and version management

The software is continuously developed further and supplied with new functions, improvements and legal amendments. The delivery policy can be found on the customer portal.

Broadly speaking, GSES uses the following delivery schedule:

– Version: 2-3 times a year;
– Patch: On a daily basis if applicable.

Every version comes with release notes. They describe which components have been changed.

The migration date will be made definitive at least five days in advance. The total migration duration of the version is six to eight weeks. The data will not be available temporarily with regard to the migration from one version to the next.

The time

during which the data will not be available is very dependent on a number of factors such as data conversion, size of the database and the quantity of records to be changed. Experience has shown that the maximum time is between 5 minutes and 2.5 hours. These activities are performed as much as possible outside office hours (Monday to Friday: 7 a.m. to 6 p.m.) and customers are notified well in advance.


General support

Every report made to the Support Centre is referred to as an ‘incident’. An incident can be an error, fault, preference, set-up issue or user question.

Customers may be referred to Service Management with regard to set-up issues (for more information, see Service Management).

The administrator of the customer portal can determine who may contact the Support Centre on be- half of their organization through the “employee" or “administrator" authorisation role. The support employee will check whether the contact has been given authorisation with regard to this with regard to each incident. If a user is not a contact with the organization, support is not given by the support employee. GSES expects that the customer maintains this issue because the customer is best placed to determine who are authorised.

Registration and response time

If the Help Centre does not offer a solution, the customer can submit an incident to the Support Centre. The customer can contact the Support Centre immediately with regard to an immediate problem situation after registering the incident on the customer portal. After entering the incident number on the telephone, the customer will be connected directly with the support employee who is processing the incident.
The customer can follow the settlement of the incident through the customer portal. The customer will receive an update by email every time the status changes. The customer will be involved in the settlement of the incident and can add his or her response and other additional information. The re- store time with regard to a problem will depend on the seriousness and duration of the situation and the degree in which GSES depends on third parties for the performance of restore or repair activities.

Priorities and restore times

The priority of the issue determines the response time. Most incidents are about issues that are related to knowledge about the product. These issues are often resolved the same day. If the issue is related to functionality that does not yet exist, that is, a preference, this is submitted to Product Management. It cannot always be indicated when and whether the preference will be fulfilled.

Every incident will be assigned a priority. It will be assigned by the support employee who processes the incident. The guidelines that we use for this are as follows:

– Priority 3: Informative issues/preferences: In 90% of cases, the same or the next day (if it is ex- ceptionally busy, the customer will be informed about this).

– Priority 2: Problems that do not disrupt production: Restore time/workaround within one month insofar as this is possible.

– Priority 1: Production-disrupting problems: Restore time/workaround within five working days in- so far as this is possible. A restore time/workaround within one working days insofar as this is possible applies with regard to production-disrupting problems for First Class customers.

Opening times and additional support

The Help Centre can always be consulted through the customer portal that will provide an answer to the asked questions in 90% of cases. If the Help Centre does not offer a solution, an incident can be submitted through the customer portal. The Support Centre will answer these questions from Monday to Thursday between 8 a.m. and 6 p.m. and on Fridays between 8 a.m. and 4 p.m. unless specified otherwise on the customer portal. The Support Centre can also be reached by telephone during these hours.

In addition, we offer an emergency service every working day from 6 a.m. to 8 a.m. and from 6 p.m. to 11 p.m. On Fridays, the emergency service is available from 4 p.m. to 11 p.m. as well as in the early morning. Emergencies can be submitted through the Support Centre where the person who submitted the emergency incident will be contacted within the hour.

Availability, Maintanence & Performance of the GSES Platform

GSES Platform is reliable, secure and fast. GSES works together with external parties to make GSES Platform available. In addition, GSES Platform works with professional parties to safeguard security. GSES has made clear agreements with its supplier and customers for the required maintenance. Optimum backup procedures guarantee an optimum continuity where we assume a fair use procedure of our customers.


GSES Platform is hosted on systems of professional Dutch data centres. These top-tier data centres have a network availability of 99.9999%. The availability and performance of GSES Platform are monitored continuously.
GSES Platform may not be available in the following situations:

– Preventive maintenance;
– When a new version of GSES Platform is installed;
– When faults are resolved with regard to the software that fall under the responsibility of the customer;
– Maintenance that has been discussed and agreed with the customer;
– Emergencies or disasters as a result of natural disasters and other force majeure situations.


The customer shall be informed at least five days in advance if it is possible that GSES Platform may not be available. The activities will be performed between 9 p.m. and 7 a.m. or during weekends. Incidental patches and hot fixes are implemented automatically and without prenotification at night.


The GSES Platform performance should be good, but is dependent on the Internet connection and set- up of the environment of the customer.

Backup & restore

A backup is created four times a day of the entire production environment:

– The day backup is deleted after one day.
– The night backup is kept for 30 days and can be restored upon request. The average length of time
required to restore an environment is four hours.
If required, a backup of the environment can be requested through an incident for local use or archiving. GSES has a fair use policy with regard to these requests to prevent large data streams.


Systems, processes and users are monitored continuously on GSES Platform in the own Cyber Operations Centre where the objective is the following:
– Prevent interruptions and faults or resolve them at an early stage. Monitoring focuses on the timely discovery of faults and unwanted behaviour. An GSES employee is always available to re- solve faults and other emergencies immediately even at night. Checking on abuse is part of the (daily) standard monitoring activities.
– Collecting general user statistics such as response times. This information is analysed and may be discussed with the customer for improvement purposes.
– Collection of anonymous statistics from the customer environment to improve our products and services.


GSES Platform has emergency procedures to prevent the loss of data through the system being down, physical destruction or some other way and to promote restoring this data. Every customer is assigned a data centre. The data centres have redundant technologies so that some servers or storage being down will not lead immediately to an emergency. If required, contingency measures to use another data centre are in place.

RPO/RTO with regard to emergencies

If a data centre should be down completely, computer resources are no longer available. This would then affect half of customers roughly. At that moment, additional computer capacity will be made available in the other data centre. The RPO (recovery point objective) is the maximum time that data loss can occur when a system goes down fully. RTO = max. 12 hours. The RTO (recovery time objective) is the time that is required to make the available backup available. The time that is required for this is not known. The different failures and faults have their own solutions and therefore also their own RPO and RTO.

Data center continuity upon bankruptcy

Additional (contractual) agreements have been made with the data centre that must contribute to GSES’ customers continuing to have access to their data in case of bankruptcy:

– The data centre will not stop services to GSES in case of bankruptcy of the data centre before a
continuity plan has been agreed with the receiver.
– If GSES is declared bankrupt, the data centre will not stop services up to at least a period of two
weeks after the bankruptcy date. Before the services are stopped, the data centre will consult the receiver about the retention of services and safeguarding financial obligations.

Liability & Online Processing

GSES guarantees that GSES platform complies with all specifications that it specifies. GSES shall always try to repair any errors should they occur. GSES takes great care in ensuring that GSES platform works correctly and that its services are provided appropriately. Despite these efforts, things can go wrong that may lead to damage or losses to the customer. GSES aims at achieving a suitable solution every time in consultation with the customer.


Liability issues in Europe shall run through GSES Management. (no platform or software owner/manager/developer) based in the Netherlands. GSES cannot rely on liability restrictions if intent and/or wilful recklessness in its actions or of its employees or the third parties that it engages are involved.

GSES excludes its liability with regard to any form of consequential losses such as lost sales or profits and missed opportunities. The liability of GSES is also excluded if the customer or third parties engaged by the customer have made changes to the GSES products that are not allowed.

GSES and the customer are not liable with regard to each other if force majeure is involved. Force majeure is deemed to mean the following: Force majeure in the sense of the law including at suppliers of parties, unsound fulfilment of supplier obligations that are prescribed by the customer to GSES, interruptions to the electrical grid and faults or interruptions that impede data traffic insofar as the cause thereof cannot be blamed on the parties themselves.

The combined professional and business liability insurance

GSES has combined professional and business liability insurance for exceptional emergencies that GSES cannot or does not wish to cover. This insurance is appropriate. For more information about the content and scope of this insurance, please request information.


GSES requires that the customer reports a complaint or claim as soon as possible to GSES. Not only can GSES then immediately work with the customer on a solution, but GSES must also report a claim to its insurer. For that matter, it continues to apply that GSES shall aim to find a suitable solution in consultation with the customer regardless of this complaint and/or claim.

Delivery periods

If GSES should not meet a delivery period, the customer must first give GSES notice of default and give GSES a reasonable period any way to comply with its obligations,


GSES is fully aware that the information that the customer shares with GSES and saves within GSES Platform is confidential and is of a business-sensitive nature. All GSES employees must keep any data of the customer strictly confidential contractually

Employees with access to customer data

Only GSES Platform system administrators have full access to customer data for:

• Installing a new version;
• Implementing patches and hot fixes;
• Creating a backup;
• Moving data within the GSES Platform domain.

Consultants, Support Assistants and other GSES employees only have access to customer data if they have received permission for this from the customer and for as long as they have permission of the customer. Customers are themselves responsible for this through their own authorisation tool within the application.


GSES takes suitable technical and organisational measures continuously to ensure that the customer’s personal data is secure against loss related to any form of unlawful processing. The customer is entitled to check compliance with this in consultation with GSES during the duration of the agreement by an independent expert, for example, by having an audit carried out. The customer shall bear all the costs in relation with this audit.


GSES shall process the customer data in data centers of TransIP and it is therefore a subprocessor. The data centers that GSES uses are only located in the Netherlands (Schiphol Rijk and Haarlem) and fall under the legislation and regulations of the Netherlands and comply with strict Dutch and European legislation with regard to logical and physical access security and continuity. The data centers are at least ISO 27001 certified.

GSES shall not have new subprocessors process data without informing the customer about this in a timely manner. The customer can inform GSES that the customer objects about the subprocessor. GSES shall settle these objections on a management level. If GSES should want to have data processed by the new objected subprocessor, the customer shall have the opportunity to terminate the agreement.

Data subjects

The customer is responsible for the entered data of data subjects and therefore for informing and assisting with regard to the rights of data subjects. GSES shall never respond to requests from data subjects and shall always refer them to the data controller. GSES shall cooperate insofar as this is possible within the application with the customer so that the customer can comply with the customer’s legal obligations in the case that a data subject exercises his or her rights based on the GDPR or other applicable regulations regarding the processing of personal data.

Obligation to report data leaks

The GDPR requires that any data leak be reported to the Dutch or Belgian Data Protection Authority (DPA) by the data controller of the data. GSES shall therefore not submit any reports to the relevant Data Protection Authority. GSES shall, naturally, inform the customer correctly, on time and in full about relevant incidents so that the customer can comply with the customer’s legal obligations as the data controller. The Policy rules with regard to the obligation to report data leaks of the Data Protection Authority provide more information about this.

If the customer makes a (provisional) report to the Data Protection Authority and/or the data subject(s) about a data leak at GSES without the customer having informed GSES, the customer shall be liable for the losses and damage that GSES has suffered and the costs of this report. If it is shown that a data leak at GSES is not involved in any way, the customer must retract the report immediately.

Determining the data leak

For determining an infringement in relation to personal data, GSES uses the GDPR and the Policy rules with regard to the obligation to report data leaks as guidelines.

Reports made by customers

If it shown that a security incident or data leak has occurred at GSES, GSES shall inform the customer regarding this as soon as possible after GSES has become aware of the data leak. To realise this, GSES shall ensure that all its employees are capable and continue to be capable of observing a data leak and GSES expects its contractors to allow GSES to comply with this. For the purpose of clarity: if a data leak occurs at an GSES subprocessor, GSES shall, naturally, also report this. GSES is the contact point for the customer. The customer does not need to contact the GSES subprocessors.

Providing information

GSES shall try to provide the customer with all the information that the customer requires to make a report to the Data Protection Authority and/or the data subject(s).

Informing period

The GDPR indicates that reporting must be ‘immediate’. According to the Data Protection Authority, this must be without any unnecessary delay and, if possible, no later than 72 hours after its discovery by the data controller. If a security incident occurs, GSES shall inform the customer as soon as possible, but no later than within 48 hours. The customer shall have to make the assessment himself or herself whether the security incident falls under the term ‘data leak’ and whether it must be reported to the Data Protection Authority. The customer has 72 hours for this after the customer has been informed about this.

Progress and measures

GSES shall continue to inform the customer about the progress and measures that are being taken. In any case, GSES shall keep the customer informed with regard to any change in the situation, when further infor- mation becomes known and about the measures that are taken.

Removing data

GSES shall remove all customer data after the agreement has ended as described in “Termination of the agreement". If the customer should wish the data to be removed before, a request for this can be submitted. GSES undertakes to comply with this.