Inflectra Cloud Services and the EU General Data Protection Regulation (GDPR)
On 25 May 2018, the most significant piece of European data protection legislation to be introduced in 20 years came into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
You can count on the fact that Inflectra is committed to GDPR compliance across Inflectra’s SpiraTest®, SpiraTeam®, SpiraPlan®, KronoDesk® and TaraVault® Cloud services (hereafter referred to as Inflectra Cloud Services). We are also committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections built into our services and contracts over the years.
What are your responsibilities as a customer?
Customers of Inflectra Cloud Services will typically act as the data controller for any personal data they provide to Inflectra in connection with their use of Inflectra Cloud Services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Inflectra is a data processor and processes personal data on behalf of the data controller when the controller is using Inflectra Cloud Services.
Data controllers are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimization, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.
If you are a data controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority under the GDPR (as applicable) as well as by reviewing publications by data privacy associations such as the International Association of Privacy Professionals (IAPP).
You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation. Please bear in mind that nothing on this website is intended to provide you with, or should be used as a substitute for legal advice.
Inflectra Cloud Services and the GDPR
Among other things, data controllers are required to only use data processors that provide sufficient guarantees to implement appropriate technical, process and organizational measures in such a manner that processing will meet the requirements of the GDPR. Here are some aspects you may want to consider when conducting your assessment of Inflectra and Inflectra Cloud Services.
1. Lawful Basis for Processing
Data can only be processed if there is at least one lawful basis to do so. The lawful bases for processing data are:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- processing is necessary for compliance with a legal obligation to which the controller is subject.
- processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
What Inflectra Provides
Our standard Cloud Services Terms of Service (ToS) include the appropriate clauses to articulate the responsibilities of data controllers using Inflectra Cloud Services with respect to ensuring that there is an adequate lawful basis for data processing. Our products include the ability to add information notices for end users accessing the systems, telling them what data should (and should not) be entered into the system, so that users are fully informed as to what data may be lawfully processed.
In addition, the Inflectra Cloud platform provides workflow, audit, and electronic-signature capabilities, so that administrators of the Inflectra Cloud platform may set up rules and review processes to ensure that only lawful data is processed in the system.
2. Responsibility and Accountability
It is the responsibility and liability of the data controller to implement effective measures and be able to demonstrate the compliance of processing activities even if the processing is carried out by a data processor on behalf of the controller.
What Inflectra Provides
Customers using the Inflectra Cloud Services will typically act as the data controller for any personal data they provide to Inflectra in connection with their use of Inflectra’s services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller.
Any data that a customer and its users put into Inflectra Cloud Services will only be processed in accordance with the customer’s instructions, as described in our GDPR-updated Terms of Service (ToS) agreements. We have specifically updated these terms to reflect the GDPR, and made these updates available well in advance of the entry into force of the GDPR to facilitate our customers’ compliance assessment and GDPR readiness when using Inflectra Cloud Services.
All Inflectra employees and subcontractors are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy trainings, as well as our Code of Conduct training. Inflectra’s Code of Conduct specifically addresses responsibilities and expected behavior with respect to the protection of information.
3. Consent
Where consent is used as the lawful basis for processing, consent must be explicit as to the data collected and the purposes for which the data are used (Article 7; defined in Article 4). Consent for children[16] must be given by the child’s parent or custodian, and must be verifiable (Article 8). Data controllers must be able to prove "consent" (opt-in), and consent may be withdrawn.
What Inflectra Provides
Customers using the Inflectra Cloud Services will typically act as the data controller for any personal data they provide to Inflectra in connection with their use of Inflectra’s services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller.
The Inflectra Cloud Terms of Service (ToS) have been updated to include the necessary provisions for ensuring that the customer has obtained the consent of the data owner before processing the data in the Inflectra Cloud Services platform. In addition, Inflectra Cloud Services gives administrators the option to display an informative message on the login pages that clearly describes how consent needs to be obtained prior to entering data into the platform, simplifying the process of notifying users of their obligations.
4. Right of Access
The Right of Access (Article 15) is a data subject right.[20] It gives citizens the right to access their personal data and to obtain information about how those personal data are being processed. A Data Controller has to provide, upon request, an overview of the categories of data that are being processed (Article 15(1)(b)) as well as a copy of the actual data (Article 15(3)). Furthermore, the Data Controller has to inform the data subject about details of the processing, such as what the purposes of the processing are (Article 15(1)(a)), with whom the data are shared (Article 15(1)(c)), and how it acquired the data (Article 15(1)(g)).
What Inflectra Provides
Administrators can export customer data, via the functionality of the Inflectra Cloud Services platform, at any time during the term of the agreement. We have included data export commitments in our Terms of Service (ToS) for several years, and we will continue offering those after the GDPR comes into force, while working to enhance the robustness of the data export capabilities of the Inflectra Cloud Services and each of the products that make up the suite.
5. Right to Erasure
A right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014.[21][22] Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds, including non-compliance with Article 6.1 (lawfulness), which includes the case (f) where the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
What Inflectra Provides
Administrators using the Inflectra Cloud Services platform can delete or obfuscate customer data, via the functionality of the appropriate product, at any time using the built-in tools. Inflectra support personnel are available to assist customers with questions about deleting, purging and obfuscating data in the system.
In addition, upon termination of service, in accordance with the Inflectra Cloud Hosting Terms of Service (ToS), when Inflectra receives a confirmation of subscription termination, Inflectra will delete the relevant customer data from all of its systems within a maximum period of sixty (60) days unless bespoke retention obligations apply to the contract with the customer.
6. Data Portability
A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. Data that have been sufficiently anonymized are excluded, but data that have only been de-identified yet remain possible to link to the individual in question, such as by him or her providing the relevant identifier, are not.[23] Both data that have been 'provided' by the data subject and data that have been 'observed' — such as about their behavior — are within scope. In addition, the data must be provided by the controller in a structured and commonly used open-standard electronic format. The right to data portability is provided by Article 20 of the GDPR.[6] Legal experts see in the final version of this measure a "new right" created that "reaches beyond the scope of data portability between two controllers as stipulated in Article 18".[24] (Note that the Article number was updated to Article 20 in the final release version. The quotation was accurate at the time.)
What Inflectra Provides
Administrators can export customer data, via the functionality of the Inflectra Cloud Services platform, at any time during the term of the agreement. We have included data export commitments in our Terms of Service (ToS) for several years, and we will continue offering those after the GDPR comes into force.
Specifically, the Inflectra Cloud Services platform lets administrators export data in a variety of standard, open formats, including CSV, XML, HTML, Adobe Acrobat PDF, Microsoft Word, and Microsoft Excel. Upon termination of the subscription, Inflectra will make available to the customer a full database backup of the data held in the service; the customer, in the role of data controller, can then disseminate it further to requesting end users.
7. Data Protection by Design and by Default
Data Protection by Design and by Default (Article 25) requires that data protection is designed into the development of business processes for products and services. This requires that privacy settings be set at a high level by default and that the controller take technical and procedural measures to make sure that the processing, throughout the whole processing lifecycle, complies with the regulation. Controllers should also implement mechanisms to ensure that personal data are only processed when necessary for each specific purpose.
A report[25] by ENISA (the European Union Agency for Network and Information Security) elaborates on what needs to be done to achieve privacy and data protection by default. It specifies that encryption and decryption operations must be carried out locally, not by a remote service, because both keys and data must remain in the control of the data owner if any privacy is to be achieved. The report states that outsourced data storage on remote clouds is practical and relatively safe, as long as only the data owner, not the cloud service, holds the decryption keys.
What Inflectra Provides
We take data security and privacy very seriously here at Inflectra. We designed the security of our infrastructure in layers that build upon one another, from the physical security of data centers, to the security protections of our hardware and software, to the processes we use to support operational security. This layered protection creates a strong security foundation for everything we do.
For example, each hosted instance of our products runs in its own completely isolated application pool, with a separate database instance. That way the data in each customer's instance is completely separate from all other customers. In addition, we use the following proven measures to ensure data security:
- Transport Layer Security (TLS) for all network traffic
- Integrated biometric/card access control to datacenter
- Multi-level redundant firewalls
- Antivirus, anti-spyware and rootkit prevention software
- Security staff on patrol 24 hours a day, 7 days a week
- All security identifiers are one-way hashed and salted
- Data is encrypted at rest using AES-256 encrypted volumes
- Annual external penetration testing of our platform
- Annual external audit of our quality practices to the ISO 9001 standard
- Annual external audit of our company security practices to the ISO 27001 standard
- Formal SSAE 16 SOC 2 certification of our cloud platform
In addition, our products use customizable role-based authorization, so that administrators acting as data controllers can manage access to information and data with fine-grained controls, allowing information to be available only to those with a need to access it, for the documented lawful basis.
8. Records of Processing Activities
Records of processing activities must be maintained that include the purposes of the processing, the categories involved, and the envisaged time limits. These records must be made available to the supervisory authority on request (Article 30).[26]
What Inflectra Provides
The Inflectra Cloud Services platform provides a complete audit history of data in the system. The platform comes with built-in tools to report on that history and to track who entered specific data elements into the system and which users changed records. With the option to activate electronic signatures, a standard part of our suite, administrators can ensure that only lawful processing and storage occurs.
9. Data Breaches
Under the GDPR, the Data Controller is under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard, and a breach must be reported to the Supervisory Authority within 72 hours after the controller has become aware of it (Article 33). Individuals have to be notified if an adverse impact is determined (Article 34). In addition, the data processor has to notify the controller without undue delay after becoming aware of a personal data breach (Article 33).
However, the notice to data subjects is not required if the data controller has implemented appropriate technical and organizational protection measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption (Article 34).
What Inflectra Provides
As the data controller, customers of the Inflectra Cloud Services platform are required to report any data breaches to their Supervisory Authority within 72 hours, and to end users if the breached data is not encrypted or otherwise rendered unintelligible. To support this process, Inflectra, as data processor, will notify the customer without delay, in accordance with the Inflectra Cloud Terms of Service (ToS), if any data breach has occurred due to security failures in the platform itself.
In addition, should the customer, as data controller, cause a data breach by misuse of the Inflectra Cloud Services platform, Inflectra technical support personnel will be available to support the customer in minimizing the impact of the breach and in recommending steps to prevent a future recurrence.
10. International Data Transfers
The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.
Appropriate safeguards can be provided for by model contract clauses as well as the US-EU/Swiss/UK Data Privacy Framework (DPF) that exists between the United States of America (USA) and the European Union (EU), Switzerland and the United Kingdom.
What Inflectra Provides
Inflectra offers its cloud services in different geographical regions, so that customers in the EU have their data stored on servers located within an EU country (customers in the USA, Canada, and Australia have the same options). This reduces the scope of, or the need for, international data transfers.
However, as an added protection, Inflectra contractually commits under our data processing agreements to maintain a mechanism that facilitates transfers of personal data outside of the EU, as required by the GDPR, when such transfers are necessary. The data processing agreement is included as standard in our cloud platform ToS, and we have incorporated the EU Standard Contractual Clauses (SCCs) in our agreements.
Furthermore, as described in our Privacy Policy, Inflectra complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Inflectra has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. Inflectra has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles)