On May 25, 2018, the GDPR (General Data Protection Regulation) is entered into force in the European Union (European Regulation No.2016/679, dated April 27, 2016).
Since the creation of the Adictiz Box platform, our teams have used all means available to ensure the protection of our customers' data.
Some of the rules have changed and, thanks to our constant commitment to data protection measures, we are ready for the May 25 deadline. In order to demonstrate our compliance, we invite you to discover all the measures we have taken in seven different areas: governance; physical, organizational and technical security; data breaches; auditability; and the exercise of individual rights.
The staff is regularly made aware of these rules.
Summary
1 Governance
1.1 Privacy Policy
We have a clear privacy policy which is documented and communicated internally.
1.2 Data Security Policy
A formal, documented data security policy has been implemented.
1.3 Internal rules
Ethical rules on the use, exploitation and security of personal data are shared and applied internally: User's charter, security policy, confidentiality agreements, procedural rules.
1.4 Subcontracting rules
Agreements with subcontractors include, where appropriate, instructions regarding sensitive, confidential and personal data:
- Data Hosting: Google Cloud Platform (GCP). See : https://cloud.google.com/security/gdpr?hl=en
- IT developments: Adictiz is developing its own SaaS platform, but it may occasionally hire subcontractors for the creation and development of third-party applications connected to the platform. These subcontractors do not have access to personal data.
1.5 Controller
There is a specific employee in our organisation appointed to ensure compliance with the legislation on the protection of personal data (DPO: [email protected]).
1.6 Contractual clauses
The Adictiz GTCs comprise a clause with the requirements of the European General Data Protection Regulation (GDPR), including all aspects pertaining to subcontracting and process auditability.
Any use of subcontractors (excluding hosting) is subject to customer consent, with the specification that Adictiz exploits the developments created by its subcontractors and that the latter do not have access to personal data.
2 Physical security
2.1 Internal
Physical access to the premises is secured by name badges (3 locks and video surveillance). No direct view from the outside, physical grids at every opening, tracing and logging of all entries/exits.
2.2 Subcontracting
Located in the European Union (Belgium), the hosting services offered by Google Cloud Platform GCP provide a high level of physical security - see: https://cloud.google.com/security?hl=en
Access to data centers complies with international security standards (secure data center with fire detection/extinguishing systems, 24/7 video surveillance, visitor registration, badge access system, power inverters, emergency power supply, etc.).
2.3 Data
Client data is never stored on PCs or external media (disks, USB key,...).
All backups remain at the host; such backups are encrypted, isolated and can be deleted when the business relationship is over.
3 Organizational security
3.1 Internal permissions
Administrators' access rights are assessed on a case-by-case basis and modified as necessary.
Verification is carried out using strong passwords with double authentication factors. Authorization is subject to a review process (departures/arrivals/annual analyses) and access is limited to what is strictly necessary (platform/servers/gdrive).
3.2 External authorization
There are different administrator accounts for each user/client on the platform.
3.3 Adictiz infrastructure
No personal data is hosted on the premises of Adictiz, except for staff data (contracts and payroll). All customer personal data is located at the GCP host.
3.4 Hosting infrastructure
The security of customers' personal data is ensured and managed by GCP. Every action on the platform is logged and can be checked in case of any incident.
3.5 Privacy by design
Privacy by design is part and parcel of the platform's design: it provides the controller with all the necessary means to ensure the protection of personal data.
4 Technical security
4.1 Access to personal data
All access and key operations on the platform are logged.
4.2 Compartmentalization of environments
Development, test, acceptance, and production environments are physically separated from the platform.
Development environments are located on developers' machines.
Pre-production and production environments are isolated in logical ways. (Virtualization).
4.3 Internal networks
On the local network, servers, internal and public WiFi and workstations are separated through different VLANs.
4.4 External networks
Confidential data is encrypted during online communications with customers. Customers are required to choose strong passwords. An account lockout occurs after a number of failed login attempts.
4.5 Internal infrastructure
Access to personal computers requires authentication.
Network access requires authentication.
Network stations are monitored remotely (MDM)
Workstations can be remotely erased and locked.
4.6 External infrastructure
The host's responsibility includes the platform's security (PaaS).
Adictiz' responsibility is limited to application security.
All data generated by the platform is stored on state-of-the-art encrypted storage media.
There are monitoring tools for auditing.
4.7 Availability
Several measures have been implemented to ensure maximum platform availability: redundancies, backups, etc... (cf. PAS).
4.8 Continuity management
Disaster recovery at the host is achieved through identical, duplicate data centers in continuous replication.
5 Security breaches
5.1 Notification of violations
In the event of an incident or personal data breach, we measure its impact on our customers and notify them as soon as possible in accordance with Article 33.3 of the Regulations, which stipulates a maximum period of 72h.
5.2 Incident management
We provide support as soon as incidents are detected on our platform.
We have an internal incident ticket system with a resolution commitment that is always given priority over the development of the platform.
6 Auditing and compliance
6.1 Data Security Audits
The company and its infrastructure are subject to audits with one-month notice. The company is transparent regarding the processing, storage and deletion of personal data.
6.2 Internal control
Process compliance is regularly controlled by team leaders.
6.3 Monitoring Subcontractors
None of the subcontractors - except for the host (GCP), which has a reliable security policy - can access personal data.
7 Data Processing and Exercise of Rights
7.1 Impact Analysis (DPIA - Data Protection Impact Assessment)
There is currently no formal impact analysis because our risk level is considered 'negligible to limited' under the Regulations.
7.2 Sensitive processing
There is no ¨sensitive processing¨ putting the rights and freedoms of individuals at critical risk as defined by the GDPR (profiling, etc.).
7.3 Processing register
A data processing register is maintained for each customer ("Subcontractor Registry") is set up for each client, in accordance with Article 30.2 of the GDPR.
It includes: the description of processing purposes, categories, location of personal data (GCP Belgium), rules for the retention and deletion of data (automatic deletion at the end of the contract), any possible data transfers (no transfer), and sensitivity of the processing with regard to data subjects (negligible to limited risk level)
7.4 Storage locations
The data is hosted by GCP (Google Cloud Platform) provider located in the European Union. According to the agreement, no data is transferred or transferable.
7.5 Retention period
The platform has a procedure for the automatic deletion of personal data, which is customizable by the customer.
We also delete personal data belonging to customers whose contracts are terminated.
7.6 Access and correction rights
The platform gives data controllers (the customers) the means to exercise their access and correction rights.
7.7 Portability, erasure
The platform gives data controllers (the customers) the means to exercise their portability, limitation and erasure rights.
Need help?
Get help from online support by clicking on the chat bubble 💬