Security policy: Conformity (GDPR)

Wimi Conformity (GDPR)

1. Introduction

Although the obligation is not formally established in the GDPR, it is essential that software, software packages, and other applications (which we call ‘products’) allow their users (companies or public bodies) to meet the obligations imposed by the GDPR.

We have identified three types of constraint:

  • the constraints relative to the product itself
  • the constraints related to the usage of the product
  • the constraints related to the security of the product

Note that, as a client of Wimi, you are responsible for your own compliance with the GDPR, and that you must respond directly to the requests it provides for.

This document provides a list of these demands, and outlines how Wimi allows you to respond to them.

2. Points concerning the product

This section is essentially about the endogenous constraints linked to the product itself.

2.1 Up-to-date data

  • Art. 16 GDPR: The right to rectification “The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.”
  • Wimi’s response
    Each Wimi user can at any time modify and rectify their personal data (in the ‘My Account’ section) and receives a message confirming that the modifications have been saved and have replaced the previous data.

2.2 Access and copying of data

  • Art. 15.1 GDPR: The right to obtain a copy “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed…”
  • Art. 15.3 GDPR: The right of access
    “The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.”
  • Wimi’s response
    The data subject’s right of access: the personal data protection policy lists the processing of personal data carried out by Wimi. The controller can at any point send this document to the person exercising the right of access.
    The right to obtain a copy: the data liable to be used for processing is held in the ‘My Account’ section of your Wimi (accessible, modifiable, and copiable by the end user).

2.3 Data Portability

  • Art. 20 GDPR: The right to data portability: “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided…”
  • Wimi’s response
    Wimi allows the export of all activity related to the user and the copying of personal data from the ‘My Account’ section of your Wimi.

2.4 Full or partial removal

  • Art. 5 e) GDPR: deletion of data after a certain period of time:
    “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods as long as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);”
  • Wimi’s response
    Personal data is retained no longer than is necessary for the processing (transparent team work, project management, traceability).
    From the moment a Wimi account is deleted (the processing purposes having become obsolete), all personal data of the users associated with that account is deleted within 30 days following account deletion.

2.5 Restrictions

  • Art. 18 GDPR: Right to the restriction of processing
    1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
    (a) The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    (b) The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    (c) The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
    (d) The data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
    The notion of “restriction” is stated in Article 4 (“Definitions”) of the GDPR, which defines the ‘restriction of processing’ as “the marking of stored personal data with the aim of limiting their processing in the future.”
  • Wimi’s response
    Wimi can put processing restrictions in place following a simple written request from the user (data subject) to dpo-wimi@racine.eu specifying the desired restrictions and the data or users concerned.

2.6 Erasure

  • Art. 17 GDPR: the right to erasure (“the right to be forgotten”)
    “1.The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    (a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    (b) The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
    (c) The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing…”
  • Wimi’s response
    Wimi is able to delete the personal data of a user who wishes to exercise the right to be forgotten, following a simple written request from the data subject to dpo-wimi@racine.eu specifying the user or users concerned.

2.7 User Account

  • Art. 13 and 14 GDPR: Information to be provided where personal data are collected from the data subject
    Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
    – The identity and the contact details of the controller and, where applicable, of the controller’s representative;
    – The purposes of the processing;
    – The recipients or categories of recipients of the personal data, if any;
  • Wimi’s response
    Any Wimi user can consult our personal data privacy policy on the site www.wimi-teamwork.com, which provides the user with all the information required by the GDPR.

2.8 Consent

  • Art. 7 GDPR: Conditions for consent
    “1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
  • Wimi’s response
    When a new user is added to a Wimi account, they give their consent to the processing of the personal data that they place on Wimi.

3. Points regarding Security

3.1 Security of Processing

  • Art. 32 GDPR, “Security of processing”:
    “(…) the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate (…)”
  • Wimi’s response
    The front-end server enforces a web security policy mechanism (HTTP Strict Transport Security, HSTS) on all external connections, so that browsers only reach our services over TLS. This protects our services against active and passive network attacks: a ‘man-in-the-middle’ attacker has a greatly reduced ability to intercept the requests and responses exchanged between a user and our web application servers.
    In addition, Wimi uses network isolation: all of the servers in our infrastructure are isolated within the data center and connected by private, dedicated networks.

3.2 Product Access Conditions

  • Recital 57 GDPR:
    “Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.”
  • Wimi’s response
    Wimi offers reinforced authentication when you activate the ‘Advanced password policy’ option.
    In this case, passwords must satisfy the following conditions:
    – At least 8 characters long
    – A lower-case letter and an upper-case letter
    – A number or a symbol
    – Not previously used by that user
    In addition, Wimi offers authentication through the client’s existing identity provider via SAML V2. In this case, the login credentials are strictly identical to those managed by the responsible client.
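As an added illustration (not Wimi’s code), the checker below applies the four password conditions listed above. The class and function names are hypothetical, and it assumes the password history is stored as salted PBKDF2 hashes so the ‘not previously used’ rule can be enforced without keeping old passwords in clear text.

```python
"""Hypothetical checker for the 'Advanced password policy' rules (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class PasswordHistory:
    """Previous passwords kept as (salt, PBKDF2 hash) pairs; constructed store, not Wimi's."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        # PBKDF2-HMAC-SHA256 with a per-entry salt keeps history entries slow to guess.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def contains(self, password: str) -> bool:
        # Constant-time comparison against every stored entry.
        return any(hmac.compare_digest(self._digest(password, salt), h)
                   for salt, h in self.entries)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, self._digest(password, salt)))


def check_password(password: str, history: PasswordHistory) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    violations = []
    if len(password) < 8:
        violations.append("shorter than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        violations.append("needs both a lower-case and an upper-case letter")
    # A 'symbol' is any printable non-alphanumeric character; whitespace does not count.
    if not any(c.isdigit() or (not c.isalnum() and not c.isspace()) for c in password):
        violations.append("needs a number or a symbol")
    if history.contains(password):
        violations.append("already used before")
    return violations


if __name__ == "__main__":
    # Constructed sample run: the first password is accepted, then rejected on reuse.
    history = PasswordHistory()
    print(check_password("Winter2023!", history))   # []
    history.add("Winter2023!")
    print(check_password("Winter2023!", history))   # ['already used before']
```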

3.3 Product Access Conditions

  • Art. 5 f) GDPR:
    “Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
  • Wimi’s response
    Wimi keeps history logs and alerts that make it possible to trace suspicious activity. Access to these history logs is strictly controlled and limited. In general, all access to the Wimi infrastructure goes through a VPN: only certain predefined IPs are authorized to establish a tunnel, using an RSA 4096-bit key. This tunnel is encrypted with AES-256-CBC and integrity-protected with SHA-512. Administrators must authenticate over SSH using their private key (Ed25519 or ECDSA), which is protected by a passphrase. All local access is strictly controlled. To protect against intrusion and other risks, the data centers are enclosed by barbed-wire fences. Motion detection and video surveillance systems are in place and in continuous use. Activity outside the data centers is monitored and recorded on secured servers, and a surveillance team is on site 24/7.

3.4 Technical and Organisational Security

  • Art. 32(1) GDPR:
    “(…) the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (…)”
    Art. 39 GDPR:
    “Personal data should be processed in a way that guarantees security and an appropriate level of confidentiality, including the prevention of unauthorized access and use of the data and processing equipment.”
  • Wimi’s response
    The number of Wimi employees with access to the infrastructure is extremely limited. Those who have access must sign a specific confidentiality agreement and are bound by a confidentiality clause in their employment contract.
    All access to the Wimi infrastructure is controlled and monitored, and goes through a VPN: only certain predefined IPs (a whitelist of IP addresses) are authorized to establish a tunnel, using an RSA 4096-bit key.
    This tunnel is encrypted with AES-256-CBC and integrity-protected with SHA-512.
    Administrators must then authenticate over SSH with their private key (Ed25519 or ECDSA), which is protected by a passphrase.
    The database is backed up every 3 hours. Replicated files are backed up every night. The backup servers are secured, isolated, and accessible only by the backup applications.

3.5 Managing Security Failures

  • Reference: the security obligation of the GDPR.
  • Implementation
    Our infrastructure relies heavily on open-source technologies backed by a very large community of contributors and users, in which security flaws are discovered quickly. We systematically apply approved security patches once they are considered stable.