Data Protection and GDPR
- Security by design is one of the fundamental principles in our decision-making process. It is applied at all levels: from choosing among available document management systems for internal use, to imposing a minimum encryption key length on the users of our products.
- Accountability comes with ownership. In order to enforce security and compliance, we’ve designated specific roles with clearly defined rights and responsibilities, such as a Data Protection Officer.
- Cooperating with supervisory authorities is something we have already defined and put procedures in place for, specifically with the Commission nationale de l’informatique et des libertés (CNIL).
- Balancing technical and organizational security measures allows us to achieve the best results with limited resources.
Stratumn as Data Controller
We do collect some personal data. Names, emails, IP addresses and other information that can be used to uniquely identify a person are collected, stored and processed internally by our services, such as Stratumn Account. Stratumn acts as a data controller for this kind of information. The right to control comes with the responsibility to manage the data securely.
- Prior to data processing we explicitly require consent from data subjects.
- We are transparent with data subjects on how they can exercise the rights of:
– modifying the data (right of rectification)
– deleting the data (right to be forgotten)
– revoking previously given consent (right of restriction of processing)
– getting the data back (right of data portability)
- We maintain a registry of processing activities for all kinds of personal data we control.
- In case of significant changes in the way personal data is processed, we perform a data protection impact assessment (DPIA) in order to ensure a safe transition to the new environment.
- It is never possible to completely eliminate the risk of data breaches. If a breach does happen, we have corresponding procedures in place to notify data subjects and supervisory authorities in order to reduce its consequences.
Stratumn as Data Processor
In some cases we process personal data which we do not obtain directly from data subjects; we get it through other data controllers. Our partners and customers use our solutions, such as Trace, to manage their internal processes. Those processes contain various kinds of valuable data, including personal data. Stratumn acts as a data processor for this particular type of information. By doing so we commit to protecting the data to the same standard as the original controller protects it. In addition, we will:
- never engage other subcontractors as data processors without prior agreement with the controller;
- never perform any transfer of personal data outside the designated area (such as the European Union) without prior agreement with the controller;
- process data only within the terms defined in the contract and/or agreement with the controller;
- remain transparent with the controller about how the data is processed;
- perform modification and deletion of personal data at the request of the data controller;
- provide all necessary certifications and attestations, ensuring the safety of our internal processes; and
- return data to the controller upon the termination of contract / provision of services.
Ensuring the appropriate level of data protection requires implementing various security measures. We approach security from both the organizational and the technical angle.
- Stratumn’s management plays a crucial role by allocating resources and taking active leadership in security and compliance projects.
- We implement a strict access control policy by assigning roles to users and access rights to roles.
- We perform independent external audits, such as penetration tests, to ensure the desired level of security of our products and solutions.
- Our development process is built around modern practices: continuous delivery, mandatory code review and unit & integration testing.
- For our IT infrastructure, we rely on Amazon Web Services and apply its best practices.
- Various authentication policies, such as a password policy and mandatory two-factor authentication, are applied internally and also imposed on external users.
- We make extensive use of encryption to protect data in transit (SSL) and to ensure its authenticity and integrity (digital signatures).
- Regular backups ensure data availability and business continuity.