The European Parliament adopted the General Data Protection Regulation (GDPR) in April 2016, replacing the EU Data Protection Directive, also known as Directive 95/46/EC.
Data protection laws govern the way that businesses collect, use, and share personal data about individuals. Among other things, they require businesses to process an individual’s personal data fairly and lawfully, allow individuals to exercise legal rights in respect of their personal data (for example, to access, correct or delete their personal data), and ensure appropriate security protections are put in place to protect the personal data they process.
GDPR covers privacy data including:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Any company that stores or processes any of the personal information above about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.
Tres Technology Solutions, LLC (“Tres”) collects and stores limited personal information (e.g. name, employer, professional title and email addresses) to deliver its subscription-related services to customers. Nonetheless, the company has still taken appropriate measures to comply with the regulation.
Who does the GDPR apply to?
The GDPR applies to all entities and individuals based in the EU and to entities and individuals, whether or not based in the EU, that process the personal data of EU individuals. The GDPR defines personal data as any information relating to an identified or identifiable natural person. This is a broad definition, and includes data that is obviously personal (such as an individual’s name or contact details) as well as data that can be used to identify an individual indirectly (such as an individual’s IP address).
What is Tres' role under GDPR?
We act as a data controller under the GDPR.
Tres collects customer information to deploy its products and services and to provide timely customer support. This customer information includes things such as customer names and contact information (business email, phone number(s) and business address).
Tres relies on a number of data processors to deliver its subscription services and to support customers. We detail these processors later and also have taken steps to ensure these providers are GDPR compliant. Proof of compliance can be readily provided upon request.
What have we done to comply with GDPR?
We have conducted an extensive analysis of our operations to ensure we comply with the requirements of GDPR. This review has encompassed our products and services, customer terms, privacy notices and arrangements with third parties for compliance. We can confirm we will be fully compliant with the GDPR by May 25, 2018.
What personal data do we collect and store from our customers?
We store data that customers have given us voluntarily. For example, in our role as data controller, we may collect and store contact information, such as name, professional title, business email address and phone number when customers sign up for our products and services or seek support help. We also may collect other identifying information from our customers, such as IP address, login times and event times within our web applications.
The stored user content is not shared with third parties and is not used for any purpose other than providing and improving Tres Solutions products and services.
Why do we collect personal data from customers?
Gathering personal data enables us to provide our services with good user experience for our customers:
- Names allow us to customize reports and give the user the feeling that they’re logging into their own space.
- Company names give us the ability to logically segregate customer data to better handle customer data security and authorization. This also gives us the ability to provide customized reports based on our customer’s company.
- Email addresses allow us to have close correspondence with the users and send them email notification alerts, performance reports and follow up on reporting and analysis. This is our usual way of interacting with our customers to provide our services.
What data processors does Tres have relationships with?
If a company collects, transmits, hosts or analyzes personal data of EU citizens, GDPR requires the company to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR. As a data controller, Tres has ensured that its data processors are GDPR compliant.
A data processor is any organization that processes personal data on behalf of the controller (Tres). Tres uses data processors including Gmail, Outlook, Zendesk, Hubspot, MailChimp, Amazon Web Services, Microsoft Azure, Github, Compose.io and Dropbox.
We have ensured that these data processors are GDPR compliant and relevant documentation (data processing agreements) has been gathered accordingly. To request a copy of DPAs in place with specific data processors, please email firstname.lastname@example.org with the request.
Does Tres transfer data internationally?
Although we are headquartered in the United States, Tres has employees, hosted web site content and customers in the EU. In certain circumstances, we will process personal data that originates from the EU in the United States. We provide a level of protection of privacy that complies with the EU rules.
When performing security risk assessments, risk of personal data privacy is also taken into account. We encrypt personal data and will take the appropriate measures using state of the art security procedures and handle all incurred costs and implementations needed to achieve that security.
Where does Tres store customer data?
Tres has data centers in two main regions in the US – US East and US West. Tres web applications are deployed on CDNs which may distribute assets across a global network for more efficient content delivery, but those assets are static assets and will not collect data. Service Data will only be stored in data centers in the US. Customers can select the region in which data centers that host certain of their Service Data are located by purchasing the Data Center Locality Add-On.
Data is stored and persisted on Compose.IO MongoDB server deployments in these regions for high availability. These databases maintain all user information and login sessions and are used for transactional processing within our web applications. Our web servers are hosted on Heroku and Amazon Web Services (AWS) in the same regions as our databases. These will often store in-memory user information for user active sessions. That storage is temporary and the data is cleared once web requests are processed and the user sessions are closed.
How is customer personal data used across Tres products?
Personal data is stored in our databases and is used by our web servers to authenticate, authorize and process user requests with vessel performance data:
- When a user logs in, the password used is hashed and checked with password in our database to authenticate the user.
- When a user navigates a Tres application, they will do so using browsers that make web requests to our servers. Upon receiving these requests, our servers will check for the correct company name and features enabled for that user to determine which web application features should be displayed. This processing is done on the backend throughout the lifetime of the request and is not shared with other external services.
- We will show the user’s name, email and company information on the page for user and vessel configuration.
- The user can request data or performance reports to be sent to his email. In that case, the user’s email address will be used to process the request. The server will build the report and use user’s email to send the report, thereby sharing user name and email address with Gmail service.
- Tres may collect user’s behavior data in our web application, if they have provided their consent, for the purpose of improving the quality of our products and services. The collected data is used solely for internal purposes and will not be shared with third parties.
- We use a support desk application to handle all inbound and outbound communication to support our customers, which are stored in the system as tickets along with user’s contact information. The contact information is the same information as usually found in a person’s email signature, such as name, company name, company email and phone number. The support desk application acts as a knowledge base for Tres, with all historical questions and answers, allowing Tres to provide best possible support to our customers. In case we receive delete instruction from customer, we will delete user profile and all his/her support tickets, which may contain personal data. The data will be permanently deleted thirty (30) days after its deletion in the system and cannot be recovered after this point. For users terminating our service we will by default delete their user profile in the support desk application sixty (60) days after termination.
How do we handle data correction, deactivation and delete instructions from customers?
Customers have the ability to correct, remove or delete personal information they have provided over the course of using Tres products and services. This can be done at any time although doing so during a subscription will impede Tres’ ability to deliver its products and services. Customers may have their personal data corrected, deactivate their account or request that all personal data we have collected and stored is permanently deleted. To do so, please email email@example.com.
Upon receipt of a request to delete a user, we will:
- Validate the identity of the requester and that he or she has the authority to delete the data
- Delete all user related information and user mappings to vessels from all databases using a script
- Process user deletion within 8 hours of the user’s request
- Confirm user deletion by sending an email to the user
Personal information may be retained in database backups that are used in case of data schema failure or security breaches. When deleting a user’s personal information from the database, we will make sure to go back to all retained backups to delete the user’s stored information.
In case of a customer contract breakup, we will delete all our customer’s persona data from Tres servers within 8 hours of the user’s request. Deleting customer personal data from all third-party data processors may take up to 60 days, which enables us to communicate to third-party data processors to purge out all the instances of emails and documents that contain the user’s personal data.
How can customers view their saved personal data?
If the user cannot access their relevant personal data using our services, we will provide reasonable cooperation to their request to edit or view the data saved about them.
How is customer personal data secured?
We implement high security standards such as data encryption in transmission and encrypted access credentials to the databases maintaining user data. We also implement several mitigation strategies in case of a security breach such as revoking database credentials, revoking IP access and 24/7 support. Tres database systems and servers have monitoring tools that allow engineers to detect breaches and act accordingly. We provide a safe and encrypted environment to manage user credentials and personal information.
How would Tres handle a data breach?
In the case of a personal data breach, we will notify the corresponding supervisory authority about the breach within 72 hours with all the information that could have been compromised. We will also provide relevant and verified information about a data breach to customers who may have been affected, which includes the information required by GDPR to allow our customers to meet their reporting obligations. This includes a description of (i) the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (ii) the name and contact details of our data protection officer or other contact points where more information can be obtained; (iii) the likely consequences of the personal data breach; and (iv) the measures taken or proposed to be taken by Tres to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.