EU General Data Protection Regulation

Effective May 25, 2018, the EU General Data Protection Regulation ("GDPR") replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.

AppComputing is committed to GDPR compliance across AppComputing websites and services. We are also committed to helping our customers with their GDPR compliance journey by providing privacy and security protections built into our websites and services.

What are your responsibilities as a customer?

AppComputing customers will typically act as the data controller for any personal data they provide to AppComputing in connection with their use of AppComputing websites and services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. AppComputing is a data processor and processes personal data on behalf of the data controller when the controller is using AppComputing websites and services.

Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers' obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects' rights with respect to their data.

If you are a data controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority under the GDPR (as applicable), as well as by reviewing publications by data privacy associations such as the International Association of Privacy Professionals (IAPP).

You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation. Please bear in mind that nothing on this website is intended to provide you with, or should be used as a substitute for, legal advice.

Where should you start?

1. Familiarize yourself with the provisions of the GDPR, particularly how they may differ from your current data protection obligations.

2. Consider creating an updated inventory of personal data that you handle. You can use some of our tools to help identify and classify data.

3. Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR, and build a plan to address any gaps.

4. Consider how you can leverage the existing data protection features on AppComputing services as part of your own regulatory compliance framework.

5. Monitor updated regulatory guidance as it becomes available, and consult a lawyer to obtain legal advice specifically applicable to your business circumstances.

AppComputing's commitments to the GDPR

Among other things, data controllers are required to only use data processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR. Here are some aspects you may want to consider when conducting your assessment of AppComputing services.

Data protection expertise

AppComputing has a dedicated security and privacy team, which can be contacted by email at security@appcomputing.com. This team is tasked with maintaining the company's defence systems, developing security review processes, building security infrastructure, and implementing AppComputing's security policies. AppComputing also employs a team of lawyers, regulatory compliance experts, and public policy specialists who look after privacy and security compliance for AppComputing. These teams engage with customers, industry stakeholders, and supervisory authorities to shape our services in a manner that helps customers meet their compliance needs.

Data processing agreements

Our privacy statement and terms of services for AppComputing services define our privacy commitments to customers.

Processing according to instructions

Any data that a customer and its users put into our systems will only be processed in accordance with the customer's instructions, as described in our GDPR-updated terms of services for AppComputing services.

Personnel confidentiality commitments

All AppComputing employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy training, as well as our code of conduct training. AppComputing's code of conduct specifically addresses responsibilities and expected behavior with respect to the protection of information.

Use of subprocessors

AppComputing directly conducts the majority of data processing activities required to provide the AppComputing services. However, we do engage some third-party vendors to assist in supporting these services. Each vendor goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy. We make information available about AppComputing subprocessors supporting AppComputing services, as well as third-party subprocessors involved in those services, and we include commitments relating to subprocessors in our current and updated data processing agreements.

Security of the services

According to the GDPR, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. AppComputing operates global infrastructure designed to provide state-of-the-art security through the entire information processing life cycle. This infrastructure is built to provide secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the Internet, and safe operation by users running on this infrastructure.

We designed the security of our infrastructure in layers that build upon one another, from the physical security of data centers, to the security protections of our hardware and software, to the processes we use to support operational security. This layered protection creates a strong security foundation for everything we do.

Availability, integrity, and resilience

AppComputing designs the components of our platform to be highly redundant. In the event of hardware, software, or network failure, services will be shifted from one facility to another so that operations can continue without interruption. Our highly redundant infrastructure helps customers protect themselves from data loss.

Encryption

AppComputing uses encryption to protect data in transit and at rest. Data in transit to AppComputing services is protected using HTTPS, which is activated by default for all users. AppComputing services encrypt customers' sensitive content stored at rest, without any action required from customers, using one or more encryption mechanisms.

Access controls

For AppComputing employees, access rights and levels are based on job function and role, using the concepts of least privilege and need-to-know to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by AppComputing's security policies.

Vulnerability management

We scan for software vulnerabilities using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration testing, quality assurance processes, software security reviews, and external audits. We also rely on the broader security research community and greatly value their help identifying vulnerabilities in AppComputing services.

AppComputing product security

AppComputing customers can leverage product features and configurations to further protect personal data against unauthorised or unlawful processing:

1. 2-step verification greatly reduces the risk of unauthorized access by asking users for an additional credential when signing in.

2. Suspicious Login Monitoring helps detect suspicious logins and automatically disables account access after a certain number of failed login attempts.

3. Data loss prevention protects sensitive information within AppComputing services from unauthorized sharing.

4. Information rights management in AppComputing services allows you to restrict access to certain data and files.

Data return & deletion

You can export customer data, via the functionality of the AppComputing services, at any time during the term of the agreement. We have included data export commitments in our GDPR-updated data processing terms.

You can also delete customer data, via the functionality of the AppComputing services, at any time. When AppComputing receives a complete deletion instruction from you, AppComputing will delete the relevant customer data from all of its systems within a maximum period of 30 days unless retention obligations apply.

Assistance to the controller - Data subject's rights

Data controllers can use the AppComputing services to help access, rectify, restrict the processing of, or delete any data that they and their users put into our systems. This functionality will help them fulfill their obligations to respond to requests from data subjects to exercise their rights under the GDPR.

Assistance to the controller - Data protection team

AppComputing has a dedicated team to which data protection related inquiries can be directed. You can contact us by email at security@appcomputing.com.

Assistance to the controller - Notifications

AppComputing will promptly inform you of incidents involving your customer data in line with the data incident terms in our GDPR-updated terms of services.

International data transfers

The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.

Appropriate safeguards can be provided for by model contract clauses. An adequate level of protection can be confirmed by adequacy decisions such as the ones that support the EU-U.S. Privacy Shield.

We contractually commit under our current terms of services for AppComputing services to maintain a mechanism that facilitates transfers of personal data inside and outside of the EU as required by the GDPR, which came into effect on May 25, 2018.