This article will outline our data storage policies and GDPR compliance as well as SSCs required by the EU.
1. Data storage/introduction
This article will provide a better and more transparent method, in which we can answer our customers easier, by structuring our policy in the data storage area. This article mostly relates to the KGB, ITSM.
1.1 Plandisc data is kept where?
Data is stored in Ireland. Using MS Azure Data Centers. Failover DBs are located in the Netherlands. Some subprocesses are handled outside EU, see attachment: https://plandisc.com/da/sikkerhed-og-gdpr/.
1.2 Data transfer?
Fail over to the Netherlands. Some different types of DBs can failover to Netherlands. Failover is live failover. Full backup is performed every night and they are stored in the same location. Copy of the data is also stored in Amazon as cloud provider (also in Ireland). If Azure Data Center fails, the data will still be available in a different location (Netherlands).
1.3 Data content
Plandisc do not store any sensitive information. Users can possibly insert free text, but no sensitive text is required, it isn't mandatory. Plandisc cannot recognize sensitive data, all data is stored the same way. The direct data content must rely on the purpose that the controller and processor agree on.
2. Data access and technicalities
2.1 The controller's acces to Plandisc data
By using Azure AD login identities can be handle by the customer. It is also possible to use Plandisc's older standard, where they have an internal database on their own. How, the management should be done, can be included in the CSLA.
Furthermore, there will be no need for customization of the cloud service.
2.2 Utilization of Open Standards
With OAuth 2.0 and OpenID Plandisc can authenticate accounts provisioned through Azure AD.
2.3 Provisioning by the controller
Automation, add isn't possible to do. When feature implemented when our own Azure AD can be done. Defulat restrictions for all users, and then can change for specific users.
2.3.1 Automatic Account Provisioning / De-Provisioning
Not fully implemented yet, not full audit when adding users. It it is on the roadmap.
2.4 Automation technology
User provisioning is currently not an automated task. The Plandisc administrator will add users manually. Tighter integration with Azure AD will come in the future for more possibilities.
2.5 Data Modification and Access Auditing
This is not fully implemeted yet. It is on the roadmap. It will be possible to see what data has been changed and who has done the change.
2.6 Role Based Permission Management
Roles are administrator and user. Plandisc are just about to allow restrictions to specific users with enterprise license. Sharing Plandisc community sharing machanism. You can share edit or read rule.
3. Auditing and data breach policy
3.1 Right to audit
Please refer to Data Processing Agreement pt. 6.0
https://Plandisc.com/en/terms-and-conditions-of-use-4/
3.2 Right to penetration and vulnerability testing
External penetration tests to be ordered in the future. Images are being patched, MS Azure, guarentee that the patches are added as they are using Azure services. It is service based so there are not missing any updates. For further information: https://Plandisc.com/en/terms-and-conditions-of-use-4/ pt. 6.0
3.3 Systems Access Removal Metrics
Plandisc is able to look up the speed of each metrics, that is set to remove data access. through Mads.
3.4 Disaster Recovery and Incident Response
Some of the information is within the standard CSLA. Additions can be done to the agreement if required. Internally Plandisc uses Azure Monitoring services. There is currently no automated way to make customers aware of service failure.
4. Agreement questions
4.1 Negotiation
Our contract lasts for a year, and we are able to discuss agreements. Plandisc is willing to add clauses if required in the agreement. Contract will be signed on a yearly basis. 2-4 weeks before the expiration of the agreement period, there will be a new agreement or the possibility to end the agreement.
4.2 Exit clause in agreements
We can extract all the data from DBs and hand it over in the most raw format. JSON format or XML or Excel sheet. Most raw format is the best one to use, usually JSON.
4.3 Ownership Cost and Service Lifecycle
?