GDPR

In this article, you can find information related to how Servitly manages the privacy of its customers and end users in compliance with GDPR.

This includes internal controls, agreements between parties, and technical controls.

Internal Procedures

The internal procedures put in place by Servitly to manage data privacy are described below.

Privacy by Design

To ensure the privacy of the data recorded within the DPS, we at Servitly have adopted the principle of privacy "by design" when developing new features. Where "new technologies" or new ways of transmitting/managing/viewing data are going to be used, a Data Protection Impact Analysis (DPIA) is performed to identify possible issues in advance.

DPIA is a process for systematically considering the potential impact that a feature or technology might have on privacy, so that we can identify potential privacy issues before they arise, allowing us to find a way to mitigate them before releasing new features.

Data Privacy Officer

Even though we do not handle sensitive data, given the large number of users registered in our DPS applications and the large amount of personal data handled, in accordance with GDPR regulations, we have appointed a data protection officer (DPO) to oversee that any new implemented functionality or introduced technology complies with the regulations.

Contracts & Privacy Documentation

The GDPR focuses on transparency and fairness. Data Controllers and Processors must review their privacy notices, privacy statements, and any internal data policies to ensure that they meet the requirements of the GDPR.

Servitly as a Data Processor of the Client, who is the Data Controller, requires that a Data Protection Agreement (DPA) be entered into between the Client and Servitly or the third-party System Integrator, if any.

Accountability

Servitly's own staff are also trained and kept up to date on privacy matters, and have signed a code of conduct and confidentiality agreement covering any Servitly customer data they may become aware of.

Reporting Breaches

In the event of a data breach, Servitly agrees to notify the Data Controller within 72 hours of becoming aware of the breach, unless the data has been anonymized or encrypted. If it is not possible to inform the Data Controller in time, Servitly will notify the data subjects if the breach may cause serious harm to the data subject, such as identity theft or breach of confidentiality.

Scope

The GDPR also applies to non-EU companies that market their products to people in the EU. This means that even if a company is located outside the EU, if it controls or processes the data of EU citizens, the GDPR still applies.

Cloud

How security and privacy are ensured on the cloud side.

Security

Refer to the Security article for more information about DPS applications security.

Data Storage

To ensure GDPR compliance, all data belonging to European accounts is stored in European data centers.

Provider        | Region | Datacenter | Availability Zones
----------------|--------|------------|-----------------------------------
Amazon EC2      | EU     | Ireland    | eu-west-1a, eu-west-1b, eu-west-1c
Microsoft Azure | EU     | Frankfurt  | Germany West Central (az-1)

GDPR Compliance

For a complete overview of how the cloud providers deal with the GDPR compliance, visit these pages: