Easy8 takes personal data protection seriously. European regulation known as General Data Protection Regulation (GDPR) brings a number of challenges to all organizations and became one of the most resonated business topics.
Our mission is to provide Easy8 clients and basically all Project community with a reliable software which allows fulfilling all duties of Data Processors efficiently.
This document shall provide answers to:
- I am Data Processor, how can I get GDPR compliant with Easy8
- I am using Easy8 cloud, is this service compliant with GDPR?
- I need to know if Easy Software has all security processes in place.
1. Terminology
Easy Software is a manufacturer of Easy8.
Data Controller – the entity that determines the purposes, conditions, and means of the processing of personal data. For the purpose of this document, it is your organization.
Data Processor - the entity that processes data on behalf of the Data Controller; in this document:
- Cloud clients of Easy8: Easy Software is the Data Processor and data are processed in our cloud services based on rules setup by you, Data Processor, in your Easy8 cloud application.
- Own server users of Easy8: Easy Software is not a Data Processor. But Easy8 will help you to organize your data properly.
Easy8 is an application which may or may not be used to process data by Data Controller.
Contact is Easy8 feature facilitating the use of Custom Fields (specifically in the “Personal Contact” and “Entity Lead” data entity) to differentiate between personal data and other random data uploaded to Easy8.
2. Introduction
Easy Software as a manufacturer of Easy8 introduces updates of Easy8 in order to help Data Controllers to fulfill their duties arising out of the GDPR regulation.
At the same time, for our cloud clients, this document brings general information concerning Easy Software acting as a Data Processor.
Also, Easy Software declares that as a company with its headquarters in the European Union it shall facilitate that all processes, contracts, suppliers, data access and others are fully compliant with GDPR requirements.
For the avoidance of doubt, this document is purely informational and does not include any binding provisions. This document has been drafted in English and shall be considered the only relevant version. Any version of the document translated into other languages is provided solely for the convenience of the User through machine translation and does not carry legal weight. In the event of any discrepancies or conflicts between the English version and any translated version, the English version shall prevail in all matters.
3. Easy8 for all Data Controllers
Easy8 brings the following features to Data Controllers to increase data security and meet specific demands of GDPR.
- Extended Password policy enforcement
- Definition to use minimum length, usage of big letters, numbers and special characters in the password
- GDPR specific features:
- Right to be Forgotten: Deleting the Contact is a traditional feature but it may disturb data consistency, reports etc. as there is a possibility to have Contact linked to projects, Tasks, CRM and other entities. It can, however, corrupt data about your customer profiling.
- Limited data visibility – it is a critical requirement of GDPR asking Data Controllers to limit access to personal data only to those people who need to have access to such data. Easy8 brings couple approaches to this problem:
- A limitation to access Contacts in general.
How to use Easy8 in line with GDPR
- Identify what Personal Data you collect in Easy8.
- Make internal regulation that all personal data needs to be filled in Custom fields, not native fields of Easy8. But recommended approach is to make a decision that all personal data has to be stored on Contacts only.
- If you would like to use Anonymization, Right to be Forgottten and Right to Access you shall have a regulation that all personal data has to be on Contacts.
- Identify what custom fields outside Contacts needs to be protected and set data visibility accordingly.
- Increase password policy enforcement of Easy8.
- Right to be Forgotten and Right to Access:
- We recommend defining a Project Template which would formalize all steps to delete personal data from all systems in great details. Once a request comes you can simply document that all steps were done according to your internal process.
- Create regulation for how long you need to keep user action audit data (logs) and configure accordingly in Easy8.
4. Easy8 in cloud
Easy Software provides Easy8 as a service in the cloud. For cloud clients, Easy Software acts as Data Processor. As a Data Processor we fulfill GDPR requirements thanks to following:
- Easy Software implemented technical and process measures to limit potential access to data only to exceptional and requested occasions as well as other required technical, administrative and organizational to be fully compliant with GDPR. The specific list of the measures and other terms of data Processing is subject to a duly concluded Data Processing Agreement.
- If you are an EU organization, it is guaranteed that your Easy8 instance (and so data and their backups at disaster recovery sites) are stored within the EU.
- Easy Software uses only verified Data Centers with high-end security and all relevant ISO certifications. Details can be provided upon request.
- Regular backups, https for browsers, SSH-2 encryption is used for the backup transfer. Firewall limited to HTTPS and other regular settings are meeting GDPR requirements. You may learn more about clouds here.
- Security can be further increased with Private Cloud service where individual security can be extended by an individual configuration of the dedicated server (HW). In such cases, you are fully responsible for all security and organizational features.
5. Easy Software and your personal data
Easy Software is a manufacturer of Private WorkOps platform. Easy Software is business to business commercial organization. It means that all data collected serves to support Easy Software’s business and services for organizations.
As per GDPR regulation, there are data of individuals collected as well and those are considered as data under the protection of GDPR.
5.1. Personal data collected
- Name and surname
- Telephone
- Company
- Position at the company
- Achieved trainings and certifications gained for products of Easy Software
- History related to visiting of Easy8 product pages.
- IP Address
5.2. Purpose of data collection, processing, and profiling
Easy Software collects data for following purposes:
Easy Software collects data for following purposes:
- Setup a commercial co-operation with organizations. And for that purpose, Easy Software may collect data about contact persons in such organizations.
- Provide service for existing customers (organization and for that purpose Easy Software may collect data about contact persons in such organizations.
- Inform customers and potential customers about new features functions, releases and other messages of both informational and marketing character.
Collection:
- All information collected about individuals are gathered through contact forms, proper communication channels directly from the organizations and/or persons, and/or publicly available data (e.g. data from commercial registers).
Data combination and profiling:
- Easy Software processes data through automated means but does not profile any individuals nor are any individuals subject to automated decisions making that would have impact on the respective individuals. All data collected serves only as a contact information within an organization and is used accordingly with such purpose.
- Easy Software profiles organizations for statistical, marketing and business purposes. Personal Data are not subject to these analyses.
- Easy Software combines all data in the own information system (Easy8) on Entity Contact or Entity CRM.
