GDPR Commitment Statement
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.
EveryCloud will comply with applicable GDPR regulations when they take effect on 25th May 2018. Working in conjunction with our clients, we will explore opportunities within our services offerings to assist our customers to meet their GDPR obligations.
What are we doing to ensure compliance?
At EveryCloud, we are committed to protecting and respecting the privacy of individuals, and take our obligations under data protection legislation seriously. We already manage personal data in accordance with the industry standards.
In order to ensure our readiness for GDPR, we have the following key priorities:
Modify and fine tune our existing management systems, processes and policies to ensure that we are GDPR compliant.
Ensure that our employees and consultants are fully aware of the new obligations that GDPR will introduce, and ensure that there is accountability and shared responsibility for ensuring compliance, from Board level and throughout the company.
Some of the specific initiatives that we are currently progressing include:
Data Review – An extensive review of all personal data we hold, as we prepare a detailed data roadmap which outlines where this data is held, why we hold it and for how long.
Data Encryption – All information stored in our propriety CRM system, used for the processing, support and management of our customer accounts is now fully encrypted.
Contractual Updates – A full-scale analysis of third parties who process data on our behalf, and updates to contractual positions to ensure that we (and our customers) are protected as best as is possible. In addition to this, we are updating our current business terms and conditions to give our customers the assurances required under GDPR.
Process Updates – Updates to our existing procedures to ensure we have the tools to maintain compliance with GDPR. This includes the review of our existing policies such as our data security and incident response plans.
Improved Subject Access – Updates to our existing subject access request processes to ensure that it is easier and quicker for data subjects to exercise their rights.
Review of consents – Review of our existing marketing practices, and associated consents, to ensure that these are transparent, fair and GDPR-ready.
We will be issuing GDPR wording which will serve as GDPR contract amendments to our reseller and customer agreements before May 25th, 2018
- Who is the Data Controller?
Where we deal with a Reseller, both the Reseller and EveryCloud will be considered independent Data Controllers of the Personal Data in respect Customers and both will Process such Customer data on their own behalf.
Where EveryCloud deals directly with an end Customer, both the end Customer and EveryCloud are independent Data Controllers of the Customer Personal Data.
- Who is the Data Processor and what type of information is Processed?
EveryCloud, in Processing Personal Data on its own behalf which has been provided to it by the Reseller or end Customer, will Process it in order to provide the Services (scanning emails which hit its system for spam and viruses). EveryCloud’s system Processing (in respect of Spam Filtering, ATP, Archiving, Continuity and Encryption) is provided by a Technology Partner based within the EEA, with Data Centres in the EEA who would act as a Processor.
The type of data which is Processed is:-
Customer and Reseller email header information, meaning email addresses, recipient email addresses and the scanning of emails (but not retention of emails) sent to the EveryCloud system. Where Archiving or Continuity services are purchased, the full content of emails is kept at the request of the Customer or Reseller.
Where a Reseller sets up Customers on the EveryCloud partner portal.
The type of data which is Processed by EveryCloud as a Controller is:-
Customer and Reseller email addresses, Names, Address, Email address, IP address and Location data
- What are the Technical and Organisational Measures taken to protect the Personal Data?
Upon receipt of emails into the EveryCloud system, these are scanned for viruses and spam, where they are clean messages, these will be sent to the Customer’s mail server for delivery and unless Archiving or Continuity are purchased, the delivered emails will no longer be on the EveryCloud system. All data within the EveryCloud CRM system is stored in the EEA and is encrypted.
- Technical measures to secure the Email Archive
The following technical and organisational measures taken by EveryCloud and it's technology Partner, besides the measures from the technical description:
- Physical access control
- Control of identity by official identification; is performed by the staff of the respective data centre in the control room prior to entering the data centre. Monitoring of data centre rooms by video system (daylight and infrared cameras).
- Access to the data centre is provided via two entry controls:
door intercom system to the control room with electric door openers,
door locking system with a magnetic card.
- In addition, rack towers are provided with their own key system.
- Entry is logged, noting the time of acquisition, the name and company, as well as end of the entry.
- System access control
- Password policy: at least eight characters, at least three of four criteria met (uppercase letter, lowercase letter, number, special character); change interval: six months.
- There is one user master record per employee.
- User rights are limited to areas of activity.
- All systems are protected against unauthorised access by appropriate firewall systems; access to systems is limited to narrowly defined IP address ranges.
- The archive is extensively encrypted if emails have not already been encrypted by the customer:
- Hard drive encryption: This acts as a protection against access when hard drives are removed as scheduled or due to criminal activities.
- Email encryption: Data is encrypted before being stored in the archive. Header and body of the email are encrypted separately using AES-256. Each customer is assigned a random 16-character alphanumeric key. This key is stored in a key table. The key table is stored on a system with separate entrances that are physically separate from the archive data system. The key table is redundantly replicated and backed up on a daily basis.
- Data access control
- Access permissions only for areas that are needed for specific activities (role-based authorisation).
- Controls related to unauthorised access attempts (IDS / IPS).
- Transaction logging of any system changes.
- Four-eye principle requirement for software changes.
- Transfer control
- External access to data takes place exclusively via VPN.
- Offline work files (notebooks etc.) are available only on encrypted disks.
- Input control
- The traceability or documentation of data management and maintenance is ensured.
- Any data change is logged in a transaction-oriented manner. It is not possible to change the log. This makes it possible to determine subsequently whether and by whom data was entered, changed or removed (deleted)
- Order control
- The processing of customer data is performed by EveryCloud or its technology partner and not subcontracted.
- Only data centre operators with the following services are supported for the provision of services: physical building security, operation of the extinguishing system, uninterruptible power supply, air conditioning, Internet connection, provision of racks, partial assembly and disassembly of systems, partial restart via reset or power button, operation of the local data centre network to connect the network segments, including router or switch operation.
- All data processing systems used by EveryCloud or its technology partner - apart from network components such as routers and switches - are owned by EveryCloud or the technology partner and are built up and operated by their own staff. Network connections are always encrypted. Data centre operators are not given access to customer data.
- Separation requirement
- All data is stored separately in dedicated databases based on clients.
- For internal purposes (e.g. development, test and backup), separate systems with their own data structure are used
- Will Personal Data be Processed outside of the EEA?
All Personal Data of Customers who are based within England, Europe and all other countries other than those listed below, will only have their Personal Data Processed within the EEA by EveryCloud. EveryCloud is not responsible for where emails are sent in the world, but the provision of Services is within the EEA.
Personal Data of Customers based in the US, Canada is Processed in the United States. Personal Data of Australian Customers is Processed in Australia.
- Who needs to get the appropriate consent and notify Customers of what happens to their Personal Data?
It is the responsibility of the Data Controller to ensure that they have got the appropriate permissions/rationale to permit the Processing of Personal Data by EveryCloud. The Data Controller should have the appropriate Fair Processing notice with its Data Subjects.
- Where does EveryCloud store Personal Data?
Where Email Continuity or Email Archiving has been purchased, the full content of Customer’s emails will be held securely and encrypted on servers in the EEA (Britain, Europe and rest of world (except US, Canada and Australia).
Data is encrypted before being stored in the archive. Header and body of the email are encrypted separately using AES-256. Each customer is assigned a random 16-character alphanumeric key. This key is stored in a key table. The key table is stored on a system with separate entrances that are physically separate from the archive data system. The key table is redundantly replicated and backed up on a daily basis.
- How long is Personal Data stored for?
For spam filtering, ATP and encryption services, data for clean emails which are sent to Customers are not stored on the EveryCloud system but the logs of such emails (including email address) are retained for up to a maximum of 120 days (depending upon the date such email is sent).
For Email Continuity, all emails are kept for a rolling period of up to 120 days and thereafter are automatically deleted from the EveryCloud system.
For Email Archiving all emails are kept for the period of time specified by the Customer and set out in the Control Panel, thereafter, the emails are capable of being automatically being deleted where this option is chosen by the Customer.
- How and when is Personal Data deleted?
The automatic deletion occurs within 120 days of emails being sent unless Email Archiving is purchased in which case the deletion timescale and whether such deletion is automatic or manual is set down by the Customer. However, the EveryCloud system can be set or requested by either the Reseller or Customer to automatically delete Personal Data for any period from 3 months to 30 years.
- Do you share Personal Data?
EveryCloud will share Personal Data to enable it to provide the Services with its third party Technology Partner (sub-processor).
EveryCloud will not share Personal Data unless instructed to do so by the Data Controller.