DropVault Ireland: 34 Christchurch Place,
General Data Protection Regulation (GDPR)
On 25 May 2018, the most significant piece of European data protection legislation to be introduced in 20 years will come into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
We are committed to helping our customers with their GDPR compliance by providing robust privacy and security protections built into our services and contracts over the years.
What are your responsibilities as a customer?
DropVault customers will typically act as the data controller for any personal data they provide to DropVault in connection with their use of DropVault's services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller.
DropVault is a data processor and processes personal data on behalf of the data controller when the controller is using the DropVault Platform.
Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.
If you are a data controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority under the GDPR (as applicable), as well as by reviewing publications by data privacy associations such as the International Association of Privacy Professionals (IAPP).
You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation. Please bear in mind that nothing on this website is intended to provide you with, or should be used as a substitute for, legal advice.
As a current or future customer of DropVault Cloud, now is a great time for you to begin preparing for the GDPR. Consider these tips:
Familiarize yourself with the provisions of the GDPR, particularly how they may differ from your current data protection obligations.
Consider creating an updated inventory of personal data that you handle. You can use some of our tools to help identify and classify data.
Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR, and build a plan to address any gaps.
Consider how you can leverage the existing data protection features on DropVault as part of your own regulatory compliance framework.
Monitor updated regulatory guidance as it becomes available, and consult a lawyer to obtain legal advice specifically applicable to your business circumstances.
DropVault Platform commitments to the GDPR
Among other things, data controllers are required to only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR. Here are some aspects you may want to consider when conducting your assessment of DropVault Platform services.
Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s instructions, as described in our current as well as our GDPR-updated data processing agreements.
Personnel Confidentiality Commitments
All DropVault employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy training, as well as our Code of Conduct training. DropVault's Code of Conduct specifically addresses responsibilities and expected behavior with respect to the protection of information.
DropVault directly conducts the majority of data processing activities required to provide the DropVault Cloud Platform services. However, we do engage some third-party vendors to assist in supporting these services. We make information available about DropVault subprocessors supporting DropVault Platform services, as well as third-party subprocessors involved in those services, and we include commitments relating to subprocessors in our current and updated data processing agreements.
According to the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
DropVault operates an infrastructure designed to provide state-of-the-art security through the entire information processing lifecycle. This infrastructure is built to provide secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the Internet, and safe operation by administrators.
DropVault Platform runs on this infrastructure.
We designed the security of our infrastructure in layers that build upon one another, from the physical security of data centers, to the security protections of our hardware and software, to the processes we use to support operational security. This layered protection creates a strong security foundation for everything we do.
DropVault uses encryption to protect data in transit and at rest. Data in transit to DropVault is protected using HTTPS, which is activated by default for all users. DropVault Platform services encrypt customer content stored at rest, without any action required from customers, using one or more encryption mechanisms. A detailed discussion of how we encrypt data is available on request.
For DropVault employees and contractors, access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by DropVault's security policies.
Administrators can export customer data, via the functionality of the DropVault Platform services, at any time during the term of the agreement. We have included data export commitments in our data processing terms for several years, and we will continue offering those after the GDPR comes into force, and we will continue working to enhance the robustness of the data export capabilities of the DropVault services and each of the DropVault Platform services (consult the DropVault Platform documentation for further information).
You can also delete customer data, via the functionality of the DropVault Platform services, at any time. When DropVault receives a complete deletion instruction from you, DropVault will delete the relevant customer data from all of its systems within a maximum period of 90 days unless retention obligations apply.
Data controllers can use the DropVault Platform administrative consoles and services functionality to help access, rectify, restrict the processing of, or delete any data that they and their users put into our systems. This functionality will help them fulfill their obligations to respond to requests from data subjects to exercise their rights under the GDPR.
DropVault Platform has provided contractual commitments around incident notification for many years. We will continue to promptly inform you of incidents involving your customer data in line with the data incident terms in our current agreements and the updated terms that will apply from 25 May 2018, when the GDPR comes into force.
The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.
DropVault does not transfer any data outside the EU. All data is stored in data centres located in Northern Europe.