CyberOne GDPR Statement
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), adopted on 27 April 2016, is a regulation intended to strengthen and unify data protection for individuals within the European Union (EU). It also governs the transfer of personal data outside of the EU. The primary objectives of GDPR are to give EU residents greater control over their personal data and to simplify the regulatory environment for international businesses by imposing uniform data protection requirements across all EU member states. GDPR replaced the 1995 Data Protection Directive (Directive 95/46/EC) and has applied since 25 May 2018.
CyberOne’s Commitment
CyberOne is committed to GDPR compliance. As with existing privacy laws, including the preceding Data Protection Directive, GDPR compliance requires a partnership between CyberOne and the customers who use our services and products. CyberOne has reviewed the requirements of GDPR and is enhancing our services, products, documentation and contracts to support our own compliance with GDPR.
CyberOne has updated its Data Protection Policy (DPP) and supporting processes to align with GDPR requirements. This updated DPP will contain revised or additional contractual provisions, where appropriate, to assist our customers in their compliance with GDPR.
As a managed services provider, CyberOne places data privacy and security at the core of its business and takes them very seriously. CyberOne remains committed to protecting personal data in compliance with the highest privacy and security standards. Below is a high-level summary of CyberOne’s compliance with many of the key areas of GDPR.
Data Protection
- As the data processor, CyberOne will only process personal data on behalf of the data controller and on written authorisation from the data controller (i.e. through a contract or order).
- CyberOne expects that its customers, as the data controllers, will notify their employees and users (i.e. the data subjects) of the processing carried out by CyberOne and obtain their consent for CyberOne to do so.
- CyberOne ensures the confidentiality and availability of the personal data it processes and that appropriate technical and organisational measures are taken to protect such personal data.
- For most of CyberOne’s services and products, personal data is never stored by or accessible to CyberOne.
- Customers can obfuscate their user IDs so that they are never seen by CyberOne Operations and Support teams or their own administrators.
- Logs are never stored in clear text.
- CyberOne only allows access to personal data by personnel who are authorised administrators with appropriate privileges.
- CyberOne does not process or store any personal data that is not needed to perform the contracted services on behalf of the data controller.
- The personal data that CyberOne processes on behalf of the data controller will be accurate, complete and kept up to date to the extent technically possible.
- Personal data will not be disclosed, made available, or otherwise used for purposes other than to perform the contracted services on behalf of the data controller, except as required by law.
- If CyberOne uses any subprocessors, it will first obtain the data controller’s consent to do so and ensure that all CyberOne’s obligations under GDPR and its contract with the data controller also flow down to any such subprocessors.
- All transfers of personal data outside of the European Economic Area (EEA) will only be made to provide the contracted services to the data controller and will be subject to the EU-US and Swiss-US Privacy Shield principles. (Note: the EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 in the Schrems II judgment; transfers relying on it must instead be based on another GDPR Chapter V mechanism, such as Standard Contractual Clauses with a transfer impact assessment.)
- CyberOne retains Logs in the applications it provides for a six-month retention cycle, after which they are securely purged.
- At contract termination or expiration, the Logs will be purged pursuant to the six-month retention cycle, or earlier if requested in writing by the data controller.
- CyberOne will make available to the data controller all information reasonably necessary for the data controller to demonstrate its compliance with GDPR.
- CyberOne will be accountable and responsible for ensuring its own compliance under GDPR.
Security Safeguards
- CyberOne protects personal data through reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification, or disclosure.
- CyberOne is certified to the ISO 27001 information security framework to maintain consistent and robust security controls and procedures for all customers.
- CyberOne applies robust security measures to its systems, including antivirus, firewalls, scheduled vulnerability scanning, penetration testing and peer review of security-relevant code.
- All CyberOne personnel authorised to process personal data have committed themselves (through employment and confidentiality agreements) to the confidentiality and security of personal data.
- In addition to adhering to ISO 27001 principles, the top-tier global data centres that CyberOne uses take security just as seriously as CyberOne, through, among other protections, sophisticated entry control systems, dual power feeds with backup generators and video surveillance.
- CyberOne ensures the ongoing confidentiality, integrity, availability and resilience of its processing systems and services. It also restores the availability of, and access to, personal data in a timely manner after a physical or technical incident.
- CyberOne has an internal process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures it uses to ensure the security of personal data processing.
- CyberOne will notify the data controller without undue delay after becoming aware of a personal data breach and will assist the data controller in reporting any personal data breaches to supervisory authorities and affected data subjects.