GDPR - the protection of personal data

 


GDPR

The General Data Protection Regulation (GDPR) is the legal framework for the processing of personal data in Europe that introduces stringent requirements that set new standards in compliance, security and data protection.

CoreTech and the GDPR

In addition to ensuring its own compliance, CoreTech is committed to offering services and resources that allow clients to meet any GDPR requirements that apply to their activities. In this regard, CoreTech has released new features, and others will be released.

Data Centre in Italy

CoreTech is a 100% Italian company and the data centers are located in Italy. For more information, visit the Datacentre page.

CoreTech is a CISPE member

CoreTech recently announced its compliance with the CISPE Code of Conduct of which Amazon AWS, Aruba, Register and OVH are also members.
The CISPE Code of Conduct enables cloud customers to assess their cloud infrastructure provider's compliance with data protection obligations under the GDPR.
This further reassures customers of their ability to control their data in a safe, secure and compliant environment.


Definition of the GDPR

To avoid misinterpretations of regulatory obligations, the essential expressions for understanding the GDPR are defined below:





  • Responsible for data processing: natural or legal person, public authority, service or other body which, alone or with other subjects, determines the means and purposes of the processing. In the text of the GDPR, it is indicated as the data controller.
  • Sub responsible for data processing: natural or legal person, public authority, service, or other body that processes personal data on behalf of the data controller. In the text of the GDPR, it is indicated as the data controller.



CoreTech acts as Administrator or Sub Responsible for all processing activities, while it is the owner of client contact data only.

CoreTech as a sub responsible for data processing

This is certainly the case in which your expectations of CoreTech are highest. CoreTech plays the role of "sub processor" when processing personal data on behalf of a data controller.
This is the situation that occurs when using CoreTech services and storing personal data on a CoreTech infrastructure. Within the limits of its technical constraints, CoreTech will process hosted data solely as directed by you, and on your behalf.

CoreTech's commitment as a sub responsible for data processing

In the role of data processing person, CoreTech undertakes, in particular, to carry out the following actions:

CoreTech as the data controller

CoreTech plays the role of "data controller" when it determines the means and purposes of the processing of personal data.

This is the case where CoreTech collects data for billing, service and performance improvement, sales operations, commercial management, etc., but also when CoreTech processes the personal data of its employees.
In this case, "your" data hosted on CoreTech services is not affected, unlike some information concerning you or your employees (for example, information relating to the identity and contact details of your contact in CoreTech as part of a request for Support). This is why CoreTech is keen to explain the safeguards put in place to ensure the protection of this personal data:

Security measures

It is essential to distinguish between the security of client hosted data and the security of the infrastructures hosting this data.


Customer-hosted data security

The client is solely responsible for the security of their own resources and of the application systems implemented for the use of the services. CoreTech provides tools to support clients in protecting their data. Each service has its own specific tools; some of them are listed below:

  • Granular data backup (of specific services)
  • Server instance backup (for cloud servers)
  • Activity logging (to specific services)
  • Access logging (to the platform)
  • Sygma monitoring agent (for cloud server)
  • Ticket System for tracking communications

Infrastructure security

CoreTech is committed to guaranteeing the maximum security of its infrastructures, in particular by implementing an information systems security policy and meeting the requirements of numerous laws and certifications. CoreTech takes the necessary measures to preserve the security and confidentiality of the personal data processed, in particular to prevent it from being violated, damaged, or accessed by unauthorized third parties.

CoreTech undertakes to implement:

  • physical security measures to prevent unauthorized persons from accessing the infrastructures on which client data is stored
  • security personnel in charge of ensuring the physical security of CoreTech premises 24 hours a day, 7 days a week
  • an authorization management system to allow access to the premises and data only to people who need them in the context of their business
  • a physical and/or logical system to keep clients separate from each other (depending on the services)
  • strong authentication processes for users and administrators thanks to a strict password management policy
  • processes and devices to track all the actions performed on its information system and, in compliance with current regulations, report any incidents affecting client data

Shared responsibility

What is meant by shared responsibility?

In terms of compliance and data security, CoreTech and the client are both responsible, albeit on different fronts.
CoreTech takes care of the maintenance, updating and protection of the physical infrastructure on which all cloud services are run.
Only at the explicit request of the client, or upon the release of access passwords, will CoreTech be able to intervene at a technical level on the service purchased.
Based on the CoreTech service used, the competencies of shared responsibility are detailed below. We invite all clients to read their responsibilities concerning the services used.
CoreTech is committed to applying all reference standards to ensure information security.

Stellar - Server Cloud

CoreTech

  • Keep the software infrastructure up to date with the most stable and secure versions of the software released by the manufacturer
  • Monitor the infrastructure of virtualization, hypervisor and storage systems to ensure continuity of services
  • Check for any security-related anomalies that are highlighted through the system logs or alerts
  • Deactivate the service if, following a report by other service providers, the server is found to be behaving anomalously (spam, phishing, contents relating to terrorism, fraud, hacked site)
  • Inform the client if any problems are encountered on the server during the monitoring or analysis of the logs

Customer

  • Set access passwords to the server and to the software installed on it with a level of difficulty in compliance with the defined policies and password change according to the reference standards (e.g. ISO 27002)
  • Carefully guard server access data and limit its disclosure
  • Promptly intervene in the event of CoreTech reports on problems relating to the security of your server
  • Correctly configure the backup jobs of your data with the tools made available by CoreTech and ask for support in case of doubts about the configurations
  • Check the results of data backups on a daily basis
  • Periodically check the correct operation of the VM backup by consulting the results from the Sygma panel
  • Periodically organize the VM restore tests with CoreTech in order to ensure the correct execution of the VM backups
  • Periodically check the event logs and operating system logs on your server to prevent any problems
  • Promptly inform CoreTech in case of anomalies that could determine a data security problem

RocketWeb - Web Hosting

CoreTech

  • Daily Backup Control. Backup retention is 35 days (5 weeks)
  • Keep the Web Hosting servers updated with the most stable and secure software versions released by the manufacturer
  • Daily checks regarding the update status of the integrated antivirus
  • Monitor the webserver to ensure continuity of service
  • Check for any security-related anomalies that are highlighted through the system logs or alerts
  • Inform the manufacturer of the software related to the web servers if it becomes aware of any security flaws in the system
  • Deactivate the service if, following a report by other service providers, the site is found to be behaving abnormally (spam, phishing, contents related to terrorism, fraud, hacked site)

Customer

  • Set access passwords to the Plesk management panel, to the FTP site, or the website management system (e.g. WordPress admin access) with a level of difficulty in compliance with the defined policies and password change according to the reference standards (e.g. ISO 27002)
  • Carefully guard your Plesk, FTP and website login data and limit their disclosure
  • Promptly intervene in the event of CoreTech reports on problems relating to the security of your website
  • Periodically update the elements relating to the security of your website (for example, updating the version of WordPress)
  • Make a personal backup of your website at least once a month
  • Carefully guard the access data to the RocketBox service and limit its divulgence
  • Check weekly for any anomalies relating to the use of resources on your website
  • Promptly inform CoreTech in case of anomalies that could determine a data security problem

Email Service

CoreTech

  • Daily Backup Control. Sixty (60) days of Backup retention
  • Daily checks regarding the update status of the integrated antivirus
  • Daily checks for the presence of servers in public Black Lists
  • Keep mail systems up to date with the most stable and secure software versions released by the manufacturer
  • Monitor the mail server to ensure continuity of service
  • Check for any security-related anomalies that are highlighted through the system logs or alerts
  • Notify the client if, by reading the mail server logs, circumstances arise that could endanger the e-mail accounts and the data contained therein
  • Inform the software manufacturer of the mail server if it becomes aware of any security flaws in the system
  • Immediately change the password if the account has been hacked and is sending spam, and delete all the queued emails related to the specific account (whether they are valid or spam). Notify the client so that appropriate checks and password changes can be made
  • At the client's request, export mail archives to magnetic media or to interchange areas (activity subject to a cost estimate)

Customer

  • Set passwords to access the mail service with a level of difficulty in compliance with the defined policies and password change according to the reference standards (e.g. ISO 27002)
  • Carefully guard the access data to mailboxes and limit their disclosure
  • Inform your users about the good use of e-mail regarding safety and the dangers of phishing and viruses
  • Promptly intervene in the event of CoreTech reports on problems relating to the mailbox
  • Periodically make a backup of your mail archive on your storage systems to have a copy of the archive in case you want to change supplier
  • Avoid using mailboxes for spam or for mass sending of emails not authorized by the recipients
  • Promptly inform CoreTech in case of anomalies that could determine a data security problem
  • Evaluate the frequency or event for password changes in your company procedures

1Backup - Cloud Backup

CoreTech

  • Daily check of the status of 1Backup servers and storage
  • Keep systems updated with the most stable and secure software versions released by the manufacturer
  • Monitor servers to ensure continuity of service

Customer

  • Check the results of your backups daily
  • Properly configure backup jobs and related retention according to your needs
  • Carry out a restore test at least monthly / bimonthly
  • Set complex passwords to access the service
  • Safeguard the access data of Backup agents and limit their disclosure
  • Carefully store the data encryption password if different from the one used for the Backup Agent
  • Promptly inform CoreTech in case of anomalies that could determine a data security problem
  • Promptly intervene in the event of CoreTech reports on problems relating to the service

MailArchive - Mail Archiving

CoreTech

  • Daily check of the status of Mail Archive servers and storage
  • Keep systems updated with the most stable and secure software versions released by the manufacturer
  • Monitor servers to ensure continuity of service
  • Daily backup checks to ensure data integrity

Customer

  • Check the outcome of the archiving based on the needs or set times
  • Properly configure archiving jobs
  • Carry out a restore test at least monthly / bimonthly
  • Set complex passwords to access the service
  • Carefully guard the access data to the archive boxes and limit their disclosure
  • Promptly inform CoreTech in case of anomalies that could determine a data security problem
  • Promptly intervene in the event of CoreTech reports on problems relating to the service

RocketBox - File Sharing

CoreTech

  • Daily Backup Control. Backup retention is 35 days (5 weeks)
  • Keep RocketBox servers updated with the most stable and secure software versions released by the manufacturer
  • Monitor the webserver to ensure continuity of service

Customer

  • Set access passwords to the RocketBox panel
  • Carefully guard the access data to the RocketBox service and limit its disclosure
  • Promptly intervene in the event of CoreTech reports on problems relating to the security of your website
  • Carefully guard the access data to the RocketBox service and limit its divulgence
  • Promptly inform CoreTech in case of anomalies that could determine a data security problem

RocketNews - EMail Marketing

CoreTech

  • Daily Backup Control. Backup retention is 35 days (5 weeks)
  • Keep RocketNews servers updated with the most stable and secure software versions released by the manufacturer
  • Monitor the webserver to ensure continuity of service

Customer

  • Set access passwords to the RocketNews panel
  • Carefully guard the access data to the RocketNewsletter service and limit its disclosure
  • Promptly intervene in the event of CoreTech reports on problems relating to the security of your website
  • Promptly inform CoreTech in case of anomalies that could determine a data security problem

Sygma - Platform

CoreTech

  • Keep systems updated with the most stable and secure software versions released by the manufacturer
  • Monitor servers and data synchronization processes to ensure continuity of service
  • Daily backup checks to ensure data integrity
  • Additional Backup (to another datacenter in the Netherlands)

Customer

  • Daily backup checks to ensure data integrity
  • Export data at least monthly / bimonthly
  • Set complex passwords to access the service
  • Carefully guard the access data to Sygma and all the services included and limit their disclosure, paying particular attention to the encryption password used for storing credentials in Sygma
  • Promptly inform CoreTech in case of anomalies that could determine a data security problem
  • Promptly intervene in the event of CoreTech reports on problems relating to the service

Sygma Connect - Remote Control

CoreTech

  • Daily check of the status of MailArchive servers and storage
  • Keep systems updated with the most stable and secure software versions released by the manufacturer
  • Monitor servers to ensure continuity of service
  • Daily backup checks to ensure data integrity

Customer

  • Check the outcome of the archiving based on the needs or set times
  • Properly configure archiving jobs
  • Carry out a restore test at least monthly / bimonthly
  • Set complex passwords to access the service
  • Carefully guard the access data to the archive boxes and limit their disclosure
  • Promptly inform CoreTech in case of anomalies that could determine a data security problem
  • Promptly intervene in the event of CoreTech reports on problems relating to the service

Documents

Document information

Document title: GDPR
Document version: V.1
Date of last adjustment: 16/04/2020