GDPR compliance & Security
Written by Simon Dubreucq

On May 25, 2018, the GDPR (General Data Protection Regulation) entered into force in the European Union (European Regulation No. 2016/679, dated April 27, 2016).

Since the creation of the Adictiz Box platform, our teams have used all means available to ensure the protection of our customers' data.

Some of the rules have changed and, thanks to our constant commitment to data protection measures, we are ready for the May 25 deadline. To demonstrate our compliance, we invite you to discover the measures we have taken in seven areas: governance; physical, organizational and technical security; data breaches; auditability; and the exercise of individual rights.

The staff is regularly made aware of these rules.

Summary

1 Governance

1.1 Privacy Policy

We have a clear privacy policy which is documented and communicated internally.

1.2 Data Security Policy

A formal, documented data security policy has been implemented.

1.3 Internal rules

Ethical rules on the use, exploitation and security of personal data are shared and applied internally: User's charter, security policy, confidentiality agreements, procedural rules.

1.4 Subcontracting rules

Agreements with subcontractors include, where appropriate, instructions regarding sensitive, confidential and personal data:

- Data Hosting: Google Cloud Platform (GCP). See: https://cloud.google.com/security/gdpr?hl=en

- IT developments: Adictiz is developing its own SaaS platform, but it may occasionally hire subcontractors for the creation and development of third-party applications connected to the platform. These subcontractors do not have access to personal data.

1.5 Controller

There is a specific employee in our organisation appointed to ensure compliance with the legislation on the protection of personal data (DPO: [email protected]).

1.6 Contractual clauses

The Adictiz GTCs comprise a clause with the requirements of the European General Data Protection Regulation (GDPR), including all aspects pertaining to subcontracting and process auditability.

Any use of subcontractors (excluding hosting) is subject to customer consent, with the specification that Adictiz exploits the developments created by its subcontractors and that the latter do not have access to personal data.

2 Physical security

2.1 Internal

Physical access to the premises is secured by name badges (3 locks and video surveillance). No direct view from the outside, physical grids at every opening, tracing and logging of all entries/exits.

2.2 Subcontracting

Located in the European Union (Belgium), the hosting services offered by Google Cloud Platform (GCP) provide a high level of physical security. See: https://cloud.google.com/security?hl=en

Access to data centers complies with international security standards (secure data center with fire detection/extinguishing systems, 24/7 video surveillance, visitor registration, badge access system, power inverters, emergency power supply, etc.).

2.3 Data

Client data is never stored on PCs or external media (disks, USB keys, etc.).

All backups remain at the host; such backups are encrypted, isolated and can be deleted when the business relationship is over.

3 Organizational security

3.1 Internal permissions

Administrators' access rights are assessed on a case-by-case basis and modified as necessary.

Authentication relies on strong passwords combined with a second authentication factor. Authorizations are subject to a review process (departures/arrivals/annual reviews), and access is limited to what is strictly necessary (platform/servers/gdrive).

3.2 External authorization

There are different administrator accounts for each user/client on the platform.

3.3 Adictiz infrastructure

No personal data is hosted on the premises of Adictiz, except for staff data (contracts and payroll). All customer personal data is located at the GCP host.

3.4 Hosting infrastructure

The security of customers' personal data is ensured and managed by GCP. Every action on the platform is logged and can be checked in case of any incident.

3.5 Privacy by design

Privacy by design is part and parcel of the platform's design: it provides the controller with all the necessary means to ensure the protection of personal data.

4 Technical security

4.1 Access to personal data

All access and key operations on the platform are logged.

4.2 Compartmentalization of environments

Development, test, acceptance, and production environments are physically separated from the platform.

Development environments are located on developers' machines.

Pre-production and production environments are logically isolated from each other (virtualization).

4.3 Internal networks

On the local network, servers, internal and public WiFi and workstations are separated through different VLANs.

4.4 External networks

Confidential data is encrypted during online communications with customers. Customers are required to choose strong passwords. An account lockout occurs after a number of failed login attempts.

4.5 Internal infrastructure

Access to personal computers requires authentication.

Network access requires authentication.

Network stations are monitored remotely (MDM).

Workstations can be remotely erased and locked.

4.6 External infrastructure

The host's responsibility includes the platform's security (PaaS).

Adictiz' responsibility is limited to application security.

All data generated by the platform is stored on state-of-the-art encrypted storage media.

There are monitoring tools for auditing.

4.7 Availability

Several measures have been implemented to ensure maximum platform availability: redundancies, backups, etc. (cf. PAS).

4.8 Continuity management

Disaster recovery at the host is achieved through identical, duplicate data centers in continuous replication.

5 Security breaches

5.1 Notification of violations

In the event of an incident or personal data breach, we assess its impact on our customers and notify them as soon as possible, in accordance with Article 33.3 of the Regulation, which stipulates a maximum period of 72 hours.

5.2 Incident management

We provide support as soon as incidents are detected on our platform.

We have an internal incident ticket system with a resolution commitment that is always given priority over the development of the platform.

6 Auditing and compliance

6.1 Data Security Audits

The company and its infrastructure are subject to audits with one-month notice. The company is transparent regarding the processing, storage and deletion of personal data.

6.2 Internal control

Process compliance is regularly controlled by team leaders.

6.3 Monitoring Subcontractors

None of the subcontractors - except for the host (GCP), which has a reliable security policy - can access personal data.

7 Data Processing and Exercise of Rights

7.1 Impact Analysis (DPIA - Data Protection Impact Assessment)

There is currently no formal impact analysis because our risk level is considered 'negligible to limited' under the Regulations.

7.2 Sensitive processing

There is no "sensitive processing" putting the rights and freedoms of individuals at critical risk as defined by the GDPR (profiling, etc.).

7.3 Processing register

A data processing register ("Subcontractor Registry") is maintained for each customer, in accordance with Article 30.2 of the GDPR.

It includes: the description of processing purposes, categories, location of personal data (GCP Belgium), rules for the retention and deletion of data (automatic deletion at the end of the contract), any possible data transfers (no transfer), and the sensitivity of the processing with regard to data subjects (negligible to limited risk level).

7.4 Storage locations

The data is hosted by the Google Cloud Platform (GCP) provider, located in the European Union. According to the agreement, no data is transferred or transferable.

7.5 Retention period

The platform has a procedure for the automatic deletion of personal data, which is customizable by the customer.

We also delete personal data belonging to customers whose contracts are terminated.

7.6 Access and correction rights

The platform gives data controllers (the customers) the means to exercise their access and correction rights.

7.7 Portability, erasure

The platform gives data controllers (the customers) the means to exercise their portability, limitation and erasure rights.
