Ground Alliance Commitment to the GDPR
The European Union has taken a major step in protecting the fundamental right to privacy of individuals in the EU with the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. The GDPR is designed to strengthen and unify data protection law for all individuals within the European Union.
A few general questions and answers regarding personal data:
Where will data be stored?
We store personal data in Amazon RDS encrypted instances, which use the industry-standard AES-256 algorithm to encrypt the data at rest on the server that hosts the RDS instance (the underlying storage, automated backups, read replicas and snapshots). Our primary data center is the Oregon region (us-west-2) and our secondary/DR site is Northern Virginia (us-east-1). Both regions are in the United States, so storing EU residents' data there is a cross-border transfer that must rest on a lawful transfer mechanism.
How long will data be stored?
Data is retained in the database until the client deletes it. We can also delete a client's data, but only on a request initiated by the client. Note that deleting rows from the live database does not remove copies held in any automated backups or snapshots; those persist until they expire or are deleted.
Who will have access to data?
Clients (companies) can only access their own data. Each company is given access control so that it can set per-employee permissions for data manipulation (add/edit/view).
What type of security controls will be utilized to protect the data?
Data at rest is protected by Amazon RDS encrypted instances, which use the industry-standard AES-256 algorithm to encrypt the data on the server that hosts the RDS instance. Encryption at rest protects against access to the underlying storage; it does not restrict what an authenticated database or application user can read, which is why the access and network controls below matter as much as the encryption itself.
The following are the key actions we have taken to secure data in AWS in preparation for the GDPR.
- The application is hosted on private instances with no direct public access.
- The instances' EBS volumes are encrypted.
- Security groups are actively maintained; only the required ports are open.
- A VPN is in place and only authorized persons have SSH access to the servers.
- MFA is enforced for SSH and for AWS console login.
- RDS storage is encrypted.
- AWS KMS is used to encrypt sensitive customer information before it is stored in the database.
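The controls above are only as good as their verification. The script below is an added example (not Ground Alliance's own tooling) that audits four of the listed controls offline: RDS encryption, EBS encryption, security groups open to the world, and console users without MFA. It runs over a constructed snapshot whose shapes mirror the AWS `describe_db_instances`, `describe_volumes`, `describe_security_groups` responses and the IAM credential report CSV, so the same functions could be fed live data from boto3; the allow-list of public ports (443 only) and every identifier in the sample data are assumptions for the example.

```python
"""Offline audit of the AWS controls listed above, run over constructed
describe-* style responses.  Example code added to this page, not Ground
Alliance's own tooling.  The dict shapes mirror the AWS API responses
(describe_db_instances, describe_volumes, describe_security_groups and the
IAM credential report) so the same checks could be fed live boto3 output."""
import csv
import io

# Ports that may legitimately be reachable from the internet; anything else
# exposed to the world is a finding.  Assumed value for this example.
ALLOWED_PUBLIC_PORTS = {443}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def unencrypted_rds(db_instances):
    """IDs of RDS instances whose storage is not encrypted at rest."""
    return [db["DBInstanceIdentifier"] for db in db_instances
            if not db.get("StorageEncrypted", False)]


def unencrypted_volumes(volumes):
    """IDs of EBS volumes created without encryption."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted", False)]


def world_open_ports(security_groups, allowed=ALLOWED_PUBLIC_PORTS):
    """(group id, port range) pairs reachable from 0.0.0.0/0 or ::/0 that are
    not entirely within the allow-list.  A rule with no FromPort (all
    traffic, IpProtocol -1) or a negative one (all ICMP) is always reported."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if not ANYWHERE.intersection(cidrs):
                continue  # only reachable from specific ranges (e.g. the VPN)
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            if lo is None or lo < 0:
                findings.append((sg["GroupId"], "all"))
                continue
            if not set(range(lo, hi + 1)) <= allowed:
                findings.append((sg["GroupId"], f"{lo}-{hi}"))
    return findings


def console_users_without_mfa(credential_report_csv):
    """IAM users with a console password but no MFA device, read from the
    credential report CSV (get_credential_report returns it as bytes)."""
    rows = csv.DictReader(io.StringIO(credential_report_csv))
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] == "false"]


def audit(snapshot):
    """Run every check over a dict of API responses and return findings."""
    findings = []
    findings += [("rds-unencrypted", i) for i in unencrypted_rds(snapshot["rds"])]
    findings += [("ebs-unencrypted", i) for i in unencrypted_volumes(snapshot["ebs"])]
    findings += [("sg-world-open", f"{g}:{p}") for g, p in world_open_ports(snapshot["sg"])]
    findings += [("console-no-mfa", u) for u in console_users_without_mfa(snapshot["iam_report"])]
    return findings


# Constructed sample snapshot: one compliant and one non-compliant item per check.
SAMPLE = {
    "rds": [
        {"DBInstanceIdentifier": "app-prod", "StorageEncrypted": True},
        {"DBInstanceIdentifier": "app-staging", "StorageEncrypted": False},
    ],
    "ebs": [
        {"VolumeId": "vol-0a1", "Encrypted": True},
        {"VolumeId": "vol-0b2", "Encrypted": False},
    ],
    "sg": [
        {"GroupId": "sg-web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-bastion", "IpPermissions": [  # SSH only from the VPN range
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-legacy", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ],
    "iam_report": (
        "user,arn,password_enabled,mfa_active\n"
        "alice,arn:aws:iam::123456789012:user/alice,true,true\n"
        "bob,arn:aws:iam::123456789012:user/bob,true,false\n"
        "deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false\n"
    ),
}

if __name__ == "__main__":
    for kind, what in audit(SAMPLE):
        print(f"FINDING {kind}: {what}")
```

Against the sample data the audit reports the unencrypted staging database, the unencrypted volume, both world-open rules on `sg-legacy` (SSH from anywhere, and all traffic from any IPv6 address) and the console user `bob` who has a password but no MFA; `sg-bastion` passes because port 22 is reachable only from the private VPN range, and the API-only user `deploy-bot` is not flagged because MFA on console login is the control being checked.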
Third Parties Who May Receive Personal Data
We may use a limited number of third-party service providers to assist us in providing services to our customers or to meet internal business needs.
Currently we use two third-party tools: Sendgrid for sending email and Twilio for sending SMS from the application. These third parties may access, process, or store personal data in the course of providing their services. We maintain contracts with them that restrict their access, use, and disclosure of personal data in line with our Privacy Shield obligations, and we may remain liable if they fail to meet those obligations.
There are many steps organizations should take ahead of the GDPR effective date (May 25, 2018), including:
- Upgrading physical security (e.g. using biometrics and CCTV)
- Educating staff (about 80 percent of all breaches have a root cause in some type of employee negligence)
- Enforcing strong, unique passwords; the traditional advice is to change them every 90 days, though current guidance (NIST SP 800-63B) favours rotating on evidence of compromise rather than on a fixed schedule
- Using encryption
- Using multi-factor authentication
- Performing routine penetration testing to identify vulnerabilities in your website, network, etc.
- Defining who may access critical data, and enforcing it with access-control policies
- Creating mobile device security policies (e.g. remote data wiping if a device is lost or stolen)