As an early adopter of cloud technologies, we have recognized the demand for a trusted partner that place respect for privacy, confidentiality, and data security at the core of its products and services. At the same time, we have recognized the need for prudent and harmonized regulatory landscape for governing personal data processing. That is why, prior to the GDPR entry into force, we have launched a project to strengthen and re-design our processes, systems, and information security controls to protect personal data. By doing so, we ensured that GDPR compliance is a part of our business culture and the way we develop and provide our products.
However, we acknowledge that GDPR compliance is a continuous effort. And therefore, to ensure continuous data protection and fulfillment of GDPR requirements we are conducting regular privacy impact assessments of our products and services, monitoring guidelines from data authorities and workgroups, reviewing relevant case law, and of course, reviewing the feedback provided by our partners. The implemented measures are being verified at regular intervals by internal and external auditors. In addition, we maintain compliance with internationally recognized information security and privacy standards which include ISO 27001, ISO 27017, and ISO 27018.
GDPR COMPLIANCE ROADMAP
During the AppXite GDPR-Ready Project we have successfully implemented the following measures:
- Identified and analyzed all systems holding personal data to make sure (i) our partners are informed about the means of processing applied to their data; (ii) all systems are GDPR Ready according to ISO 27001 Access Control and Operations Security requirements.
- Implemented new data subject request management processes (e.g. process for timely processing of data subject's requests, data breach notification process). By doing so, we process any request in a timely manner, to make sure our partners comply with their own data subject request requirements.
- Adjusted processes handling personal data across the entire organization to make processes holding personal data to be GDPR Ready. This involves the application of the data minimization, retention, and purpose limitation principle. We minimize the risk exposure by processing personal data only to the extent required to fulfill specific obligations.
- Evaluated services where we process personal data on behalf of our partners and introduced the Data Processing Agreements where applicable. As a result, prior to becoming our partner we enter into the data processing agreement which formalizes legal requirements, such as requiring us to follow partner instructions and adhere to data protection standards appropriate to the data we process.
- Evaluated vendors and sub-contractors to implement Data Processing Agreements and Standard Contractual Clauses (where applicable).
- Implemented the technical and organizational measure to safeguard personal data, including but not limited to, operations security controls fulfilling the following objectives:
- Minimization of risk of systems failures;
- Prevention of unauthorized access, disclosure, modification or destruction of data, assets;
- Availability of software and information processing facilities;
- Availability of security logs and the ability to review logs and manage security events.
- Ensured that access to any data is granted in accordance with the following guidelines:
- Access is granted on a "need to know" and "least privilege" basis;
- Access revocation when required is conducted in a timely manner;
- Physical access controls are implemented (e.g. alarm systems, access control system).
DATA PROCESSING DETAILS
We protect the data of our partners while empowering our partners to own and control data within the AppXite’s products.
Types and categories of data:
We store user data related to our partners and their end-customers.
Personal Data includes name, surname, business email address, phone number, IP address.
Data retention & Data Subject requests management
- We process the partner data for the term of the contract and remove the data upon expiry or termination of a contract.
- We support the user management functionality which allows partners to exercise its own data retention management policies. Functionality includes managing user roles and permissions; (ii) blocking and deleting the user, authentication management which allows a partner to configure SSO which enables user management from a single directory. This functionality extends to the partner and its end-customer platforms (if any). By doing so, partners can manage personal data management while ensuring that business-related data is not affected.
- We fulfill the partner’s requirements for data subject request management by processing the requests submitted through firstname.lastname@example.org.
We also encourage our partners to reach out to us at email@example.com if you have any specific requests or ideas that would help to accelerate your compliance even further.