On May 25th 2018, the new European Union General Data Protection Regulation (“GDPR”) will be implemented. That has important repercussions for any IT service, especially cloud-based applications, whether they store data or process it. Here’s how nForm remains compliant.
nForm doesn’t keep any of the submitted data on its server permanently. Only the user profiles and field associations (“mappings”) are saved on our servers.
The user profile is limited to a first name and an email address, for identification purposes, as well as some localization options such as the preferred language, date format and timezone. The user may also add an optional image of their choice to their profile. Client Administrators also provide billing information, such as an address and payment method. nForm does not store credit card information, as payments are processed through third-party financial services.
The only time nForm stores submitted data is upon reception of such data from an external source, such as enterprise software or Excel. This data is stored temporarily to allow enough time for the user to retrieve it once logged in to the nForm application, which is typically within a few seconds. The data is stored for a period ranging from 5 minutes to a full day, determined by the external source when the data is sent. The data is automatically scrubbed by a routine on our servers.
To secure the submitted data, we hide it behind a unique ID, which is only valid for the user account specified by the external source, so that the target user must log in to the nForm application to gain access to the data. Along with the expiration time and global transmission encryption (“HTTPS”), this makes the submitted data as safe as possible.
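The retention scheme described above, as an added sketch that is not nForm's own code: a temporary store whose entries sit behind an unguessable ID, are readable only by the account the sender named, and expire after a sender-chosen lifetime kept within the 5-minute-to-one-day range the page states. The class and method names, the in-memory dictionary, and the clamping of out-of-range lifetimes are assumptions made for illustration.

```python
import secrets
import time

MIN_TTL = 5 * 60        # 5 minutes: the page's default and lower bound
MAX_TTL = 24 * 60 * 60  # "a full day": the page's upper bound


class TempSubmissionStore:
    """Hypothetical in-memory stand-in for the temporary data store."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested
        self._items = {}     # submission_id -> (owner, expires_at, payload)

    def put(self, target_user, payload, ttl=None):
        # Assumption: a lifetime outside the allowed range is clamped,
        # so a sender can never request retention beyond one day.
        ttl = MIN_TTL if ttl is None else max(MIN_TTL, min(int(ttl), MAX_TTL))
        sid = secrets.token_urlsafe(32)  # 256 random bits, not enumerable
        self._items[sid] = (target_user, self._clock() + ttl, payload)
        return sid

    def get(self, sid, authenticated_user):
        # authenticated_user must come from the login session, never from
        # the request body; the ID alone grants nothing.
        entry = self._items.get(sid)
        if entry is None:
            return None
        owner, expires_at, payload = entry
        if self._clock() >= expires_at:
            del self._items[sid]  # scrub expired data on access as well
            return None
        if owner != authenticated_user:
            return None  # same answer as "unknown ID": no existence leak
        return payload

    def purge_expired(self):
        # The periodic scrub routine: remove every entry past its expiry.
        now = self._clock()
        dead = [sid for sid, (_, exp, _) in self._items.items() if now >= exp]
        for sid in dead:
            del self._items[sid]
        return len(dead)
```

Returning the same result for an unknown ID, an expired entry and a wrong account keeps a caller from learning whether a given ID ever existed.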
GDPR has four principles applicable to our situation, all of which we comply with and account for.
1. Privacy by design
As explained above, nForm does not permanently store personally identifiable information. When nForm stores or transfers personally identifiable information, it is done securely.
nForm is a cloud application, hosted on Azure. If required by our clients, we are also able to channel specific users to specific servers from specific regions. Obviously, we are limited to opening servers where Microsoft Azure has active servers.
2. Privacy by default
As explained above, only publicly available information is permanently kept on our servers. By default, the expiration time on temporarily saved data behind a login and a unique ID is 5 minutes. Secure, encrypted data transfer is automatically enforced and cannot be circumvented.
3. Right to be forgotten
When a client requests it, we are able to completely remove their data from our servers: profiles, field associations (“mappings”), client corporate information. nForm does not keep backups, as this is managed by Azure. We rely on Azure’s compliance with the GDPR for that matter.
4. Right to be informed
This article is the first step in informing our customers and partners of the steps we take to secure their data. Corporate Data Protection Officers and any patron are welcome to contact us to get more information. We will collaborate on our clients’ and partners’ data impact assessments.