GDPR - the protection of personal data
GDPR
The General Data Protection Regulation (GDPR) is the European Union's legal framework for the processing of personal data. It introduces stringent requirements that set new standards for compliance, security and data protection.
CoreTech and the GDPR
In addition to ensuring its own compliance, CoreTech is committed to offering services and resources that allow clients to meet the GDPR requirements that apply to their activities. To this end, CoreTech has already released new features and more will follow.
Data Centre in Italy
CoreTech is a 100% Italian company and its data centres are located in Italy. For more information, visit the Datacentre page.
CoreTech is a CISPE member
CoreTech recently announced its compliance with the CISPE Code of Conduct of which Amazon AWS, Aruba, Register and OVH are also members.
The CISPE Code of Conduct enables cloud customers to assess their cloud infrastructure provider's compliance with data protection obligations under the GDPR.
This further reassures customers of their ability to control their data in a safe, secure and compliant environment.
Definition of the GDPR
To avoid misinterpretation of the regulatory obligations, the essential terms for understanding the GDPR are defined below:
- personal data: any information relating to an identified or identifiable natural person, i.e. the data subject. An identifiable natural person is one who can be identified, directly or indirectly.
- processing: any operation or set of operations performed on personal data or sets of personal data, with or without the support of automated means (collection, recording, transmission, storage, retention, data mining, consultation, use, interconnection, etc.).
- Responsible for data processing: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing. In the text of the GDPR, this role is called the data controller.
- Sub responsible for data processing: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. In the text of the GDPR, this role is called the data processor.
CoreTech acts as processor or sub-processor for all the processing it performs on hosted data, and is the data controller only for client contact data.
CoreTech as a sub responsible for data processing
This is the role in which your expectations of CoreTech are most demanding. CoreTech acts as a data processor (a "sub-processor" where you yourself process the data on behalf of your own clients) when it processes personal data on behalf of a data controller.
This is the situation that arises when you use CoreTech services and store personal data on CoreTech infrastructure. Within the limits of its technical constraints, CoreTech processes the hosted data solely on your instructions and on your behalf.
CoreTech's commitment as a sub responsible for data processing
In its role as data processor, CoreTech undertakes in particular to:
- process personal data exclusively for the correct execution of the services: CoreTech will never use your information for other purposes (marketing, etc.)
- not transfer your data outside the EU, or to countries that the European Commission has not recognized as providing an adequate level of protection
- inform you of any further sub-processors who may process your personal data; to date, no service that provides access to content stored by users is outsourced outside CoreTech
- implement high security standards in order to ensure a high level of protection for its services
- notify you as soon as possible in the event of a personal data breach, so that you can meet your own notification obligations
- assist you in fulfilling your regulatory obligations by providing adequate documentation of its services
CoreTech as the data controller
CoreTech acts as "data controller" when it determines the purposes and means of the processing of personal data.
This is the case when CoreTech collects data for billing, service and performance improvement, sales operations, commercial management, etc., and also when CoreTech processes the personal data of its own employees.
In this case "your" data hosted on CoreTech services is not involved; what is involved is certain information concerning you or your employees (for example the identity and contact details of the person who opens a support request with CoreTech). For this reason, CoreTech wishes to explain the safeguards put in place to protect this personal data:
- limit data collection to what is strictly necessary: when you order a service, only the data CoreTech needs to provide billing and assistance, or to fulfil its legal data-retention obligations, is collected
- not use personal data for purposes other than those for which it was originally collected
- keep personal data for a limited period. For example, data processed for the management of the relationship between clients and CoreTech (surname, first name, address, e-mail, etc.) is kept for the entire duration of the contract and for the following 36 months. At the end of this period it is permanently erased from all media, including backups
- not transfer this data to third parties other than the companies affiliated with CoreTech that are involved in the execution of the contract. During migrations within the Group, some data may be transferred outside the European Union on the basis of the corporate rules adopted by the CoreTech Group
- implement adequate technical and organizational measures in order to guarantee a high level of security
Security measures
It is essential to distinguish between the security of client hosted data and the security of the infrastructures hosting this data.
Customer-hosted data security
The client is solely responsible for the security of its own resources and of the application systems it deploys to use the services. CoreTech provides tools to support clients in protecting their data. Each service has its own specific tools; some of them are listed below:
- Granular data backup (for specific services)
- Server instance backup (for cloud servers)
- Activity logging (for specific services)
- Access logging (for the platform)
- Sygma monitoring agent (for cloud servers)
- Ticket system for tracking communications
Infrastructure security
CoreTech is committed to guaranteeing the highest level of security for its infrastructure, in particular by implementing an information systems security policy and by meeting the requirements of numerous laws and certifications. CoreTech takes the measures needed to preserve the security and confidentiality of the personal data it processes, in particular to prevent it from being breached, damaged or accessed by unauthorized third parties.
CoreTech undertakes to implement:
- physical security measures to prevent unauthorized persons from accessing the infrastructure on which client data is stored
- security personnel responsible for the physical security of CoreTech premises 24 hours a day, 7 days a week
- an authorization management system that grants access to premises and data only to people who need it for their work
- physical and/or logical separation between clients (depending on the service)
- strong authentication processes for users and administrators, enforced through a strict password management policy
- processes and tools to track all actions performed on its information system and, in compliance with current regulations, to report any incident affecting client data
Shared responsibility
What is meant by shared responsibility?
In terms of compliance and data security, CoreTech and the client are both responsible, on different fronts.
CoreTech takes care of the maintenance, updating and protection of the physical infrastructure on which all cloud services run.
CoreTech intervenes at the technical level on the purchased service only at the explicit request of the client, or once the client has released the access credentials.
Based on the CoreTech service used, the competencies of shared responsibility are detailed below. We invite all clients to read their responsibilities concerning the services used.
CoreTech is committed to applying all reference standards to ensure information security.
Stellar - Server Cloud
CoreTech
- Keep the software infrastructure up to date with the most stable and secure versions released by the vendor
- Monitor the virtualization, hypervisor and storage infrastructure to ensure continuity of service
- Check for any security-related anomalies highlighted by system logs or alerts
- Deactivate the service if, following a report from other service providers, the server is exhibiting anomalous behaviour (spam, phishing, terrorism-related content, fraud, compromised site)
- Inform the client of any problems found on the server during monitoring or log analysis
Customer
- Set the passwords for access to the server and to the software installed on it with a complexity that complies with the defined policies, and change them as prescribed by the reference standards (e.g. ISO/IEC 27002)
- Carefully guard the server access credentials and limit their disclosure
- Act promptly on CoreTech reports of problems relating to the security of your server
- Correctly configure the backup jobs for your data with the tools made available by CoreTech, and ask for support in case of doubt about the configuration
- Check the results of data backups daily
- Periodically verify that the VM backup is working correctly by consulting the results in the Sygma panel
- Periodically arrange VM restore tests with CoreTech to verify that the VM backups are actually usable
- Periodically check the event logs and operating system logs on your server to catch problems early
- Promptly inform CoreTech of any anomaly that could lead to a data security problem
RocketWeb - Web Hosting
CoreTech
- Daily backup check. Backup retention is 35 days (5 weeks)
- Keep the web hosting servers updated with the most stable and secure software versions released by the vendor
- Daily checks that the integrated antivirus is up to date
- Monitor the web server to ensure continuity of service
- Check for any security-related anomalies highlighted by system logs or alerts
- Report to the web server software vendor any security flaw in the system that CoreTech becomes aware of
- Deactivate the service if, following a report from other service providers, the site is exhibiting anomalous behaviour (spam, phishing, terrorism-related content, fraud, compromised site)
Customer
- Set the passwords for the Plesk management panel, the FTP site and the website management system (e.g. WordPress admin access) with a complexity that complies with the defined policies, and change them as prescribed by the reference standards (e.g. ISO/IEC 27002)
- Carefully guard your Plesk, FTP and website login credentials and limit their disclosure
- Act promptly on CoreTech reports of problems relating to the security of your website
- Periodically update the security-relevant components of your website (for example the WordPress version)
- Make your own backup of your website at least once a month
- Carefully guard the access credentials of the RocketBox service and limit their disclosure
- Check weekly for any anomalies in the resource usage of your website
- Promptly inform CoreTech of any anomaly that could lead to a data security problem
Email Service
CoreTech
- Daily backup check. Backup retention is 60 days
- Daily checks that the integrated antivirus is up to date
- Daily checks of whether the mail servers appear on public blacklists
- Keep the mail systems up to date with the most stable and secure software versions released by the vendor
- Monitor the mail server to ensure continuity of service
- Check for any security-related anomalies highlighted by system logs or alerts
- Notify the client if the mail server logs reveal circumstances that could endanger the e-mail accounts and the data they contain
- Report to the mail server software vendor any security flaw in the system that CoreTech becomes aware of
- If an account has been compromised and is sending spam: change its password immediately, delete all queued e-mails related to that account (whether legitimate or spam), and notify the client so that it can carry out the appropriate checks and password changes
- At the client's request, export mail archives to physical media or to an exchange area (a chargeable activity, to be quoted)
Customer
- Set the passwords for access to the mail service with a complexity that complies with the defined policies, and change them as prescribed by the reference standards (e.g. ISO/IEC 27002)
- Carefully guard the mailbox access credentials and limit their disclosure
- Train your users in the secure use of e-mail and in the dangers of phishing and viruses
- Act promptly on CoreTech reports of problems relating to a mailbox
- Periodically back up your mail archive to your own storage systems, so that you hold a copy of the archive should you wish to change provider
- Do not use mailboxes for spam or for mass mailings not authorized by the recipients
- Promptly inform CoreTech of any anomaly that could lead to a data security problem
- Define in your company procedures the frequency of, or the events that trigger, password changes
1Backup - Cloud Backup
CoreTech
- Daily check of the status of the 1Backup servers and storage
- Keep the systems updated with the most stable and secure software versions released by the vendor
- Monitor the servers to ensure continuity of service
Customer
- Check the results of your backups daily
- Properly configure the backup jobs and their retention according to your needs
- Carry out a restore test at least every one to two months
- Set complex passwords for access to the service
- Safeguard the access credentials of the backup agents and limit their disclosure
- Carefully store the data encryption password if it differs from the one used for the backup agent: without it, the encrypted backups cannot be restored
- Promptly inform CoreTech of any anomaly that could lead to a data security problem
- Act promptly on CoreTech reports of problems relating to the service
MailArchive - Mail Archiving
CoreTech
- Daily check of the status of the MailArchive servers and storage
- Keep the systems updated with the most stable and secure software versions released by the vendor
- Monitor the servers to ensure continuity of service
- Daily backup checks to ensure data integrity
Customer
- Check the outcome of the archiving jobs according to your needs or at set intervals
- Properly configure the archiving jobs
- Carry out a restore test at least every one to two months
- Set complex passwords for access to the service
- Carefully guard the access credentials of the archive mailboxes and limit their disclosure
- Promptly inform CoreTech of any anomaly that could lead to a data security problem
- Act promptly on CoreTech reports of problems relating to the service
RocketBox - File Sharing
CoreTech
- Daily backup check. Backup retention is 35 days (5 weeks)
- Keep the RocketBox servers updated with the most stable and secure software versions released by the vendor
- Monitor the web server to ensure continuity of service
Customer
- Set the passwords for access to the RocketBox panel
- Carefully guard the access credentials of the RocketBox service and limit their disclosure
- Act promptly on CoreTech reports of problems relating to the security of your RocketBox service
- Promptly inform CoreTech of any anomaly that could lead to a data security problem
RocketNews - EMail Marketing
CoreTech
- Daily backup check. Backup retention is 35 days (5 weeks)
- Keep the RocketNews servers updated with the most stable and secure software versions released by the vendor
- Monitor the web server to ensure continuity of service
Customer
- Set the passwords for access to the RocketNews panel
- Carefully guard the access credentials of the RocketNews service and limit their disclosure
- Act promptly on CoreTech reports of problems relating to the security of your RocketNews service
- Promptly inform CoreTech of any anomaly that could lead to a data security problem
Sygma - Platform
CoreTech
- Keep the systems updated with the most stable and secure software versions released by the vendor
- Monitor the servers and the data synchronization processes to ensure continuity of service
- Daily backup checks to ensure data integrity
- Additional backup to another data centre, in the Netherlands
Customer
- Daily backup checks to ensure data integrity
- Export your data at least every one to two months
- Set complex passwords for access to the service
- Carefully guard the access credentials of Sygma and of all the services it includes, and limit their disclosure, paying particular attention to the encryption password used to store credentials in Sygma
- Promptly inform CoreTech of any anomaly that could lead to a data security problem
- Act promptly on CoreTech reports of problems relating to the service
Sygma Connect - Remote Control
CoreTech
- Daily check of the status of the Sygma Connect servers and storage
- Keep the systems updated with the most stable and secure software versions released by the vendor
- Monitor the servers to ensure continuity of service
- Daily backup checks to ensure data integrity
Customer
- Set complex passwords for access to the service
- Carefully guard the access credentials of the Sygma Connect service and limit their disclosure
- Promptly inform CoreTech of any anomaly that could lead to a data security problem
- Act promptly on CoreTech reports of problems relating to the service
Document information
Document title: GDPR
Document version: V.1
Date of last revision: 16/04/2020