Data Security and GDPR Policy
Data Security
OVERVIEW
[Last updated 1 May 2024]
Affinitext prioritizes customer trust. We know that customer and user data is important to our customers’ values and operations. That is why we keep it private and safe.
Affinitext supports over 30,000 users in over 120 countries and territories. Our customers entrust us with sensitive information, stemming from a wide range of industries including healthcare, financial services, government, and technology.
Affinitext helps customers and users maintain control of their privacy and data security in a myriad of ways:
- Data Security: We provide our customers and users with confidence in our compliance with enterprise-class security standards (ISO 27001, UK Cyber Essentials, UK Cyber Essentials Plus and UK Ministry of Defence (Official Sensitive) accreditations) and a support team that is on-call 24/7.
- Disclosure of Customer Service Data: Affinitext only discloses Service Data to third parties where disclosure is necessary to provide the services or as required by law.
- Trust: Affinitext has developed security protections and control processes to help our customers ensure a highly secure environment for their information. Independent third-party experts regularly confirm Affinitext’s adherence to enterprise-class security standards.
- Data Hosting Locality: Customer data is hosted on Rackspace managed data centres in Sydney (Australia) and London (United Kingdom); Oracle managed data centres in Jeddah (KSA) and Abu Dhabi (UAE); and AWS managed data centres in Canada and the USA. The data centre closest to the customer is generally used to provide the Affinitext services.
- Access Management: Affinitext provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining, supporting and improving the Affinitext services and as otherwise required by law.
What is Service Data?
Service Data is any information, including personal data, which is stored in or transmitted via the Affinitext services by, or on behalf of, our customers and their end-users.
Who owns and controls Service Data?
From a privacy perspective, the customer is the controller of Service Data, and Affinitext is a processor. This means that throughout the time that a customer subscribes to services with Affinitext, the customer retains ownership of and control over Service Data in its account.
Who are Affinitext’s sub-processors?
Affinitext maintains an up-to-date list of the names and locations of all sub-processors (including members of the Affinitext Group and third parties) used for hosting or other processing of Service Data. The list may be obtained by contacting data.protection@affinitext.com.
How does Affinitext use Service Data?
We use Service Data to operate and improve our services, help customers and users access and use our services, respond to customer and user inquiries, and send communications to customers and users related to the services.
What steps does Affinitext take to secure Service Data?
Affinitext prioritizes data security and combines enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer, user and business data is always protected.
For example, Affinitext servers are hosted at ISO 27001, UK Ministry of Defence, UK Cyber Essentials and UK Cyber Essentials Plus compliant facilities. Additionally, we engage third-party security experts to perform detailed penetration tests on a periodic basis, and our Support team is on call 24/7 to respond to security alerts and events.
Where will Service Data be stored?
Affinitext has Rackspace data centres in Sydney (Australia) and London (United Kingdom); Oracle data centres in Jeddah (KSA) and Abu Dhabi (UAE); and AWS data centres in Canada and the USA. Affinitext generally uses the data centre closest to the customer to provide the Affinitext services.
Does Affinitext replicate the Service Data it stores?
Yes. Affinitext replicates the Service Data on a separate server in the same country in which the primary server is located.
How does Affinitext respond to information requests?
Affinitext recognizes that privacy and data security issues are top priorities for customers.
- Affinitext does not disclose Service Data except as necessary to provide its services to its customers and to comply with the law as detailed in our Privacy Policy found here.
- Affinitext promptly acknowledges and deals with information requests.
How does Affinitext respond to legal requests for Service Data?
In certain situations, we may be required to disclose personal data as required by law or in response to subpoenas, court orders, legal process or to establish or exercise our legal rights or defend against legal claims.
GDPR
OVERVIEW
Since our inception, Affinitext’s approach has been anchored with a strong commitment to privacy, security, compliance and transparency. This approach includes supporting our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (‘GDPR’), which became enforceable on May 25, 2018.
If a company collects, transmits, hosts or analyses personal data of EU data subjects, GDPR requires the company to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR. To further earn our customers’ trust, our licence terms and conditions have been updated to provide our customers with contractual commitments regarding our compliance with applicable EU data protection law and to implement additional contractual provisions required by the GDPR. Our contractual commitments guarantee that customers can:
- Respond to requests from EU data subjects to correct, amend or delete personal data.
- Be made aware of and report personal data breaches to relevant supervisory authorities and EU data subjects in accordance with GDPR timeframes.
- Demonstrate their compliance with the GDPR as pertaining to Affinitext’s Services.
What is the GDPR?
The General Data Protection Regulation (‘GDPR’) is a European privacy regulation which aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law.
To whom does the GDPR apply?
The GDPR applies to all organizations operating in the EU and processing ‘personally identifiable data’ of EU data subjects. Personal data is any information relating to an identified or identifiable natural person.
- The GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data. Our customers are controllers.
- A processor is responsible for processing personal data on behalf of a controller. Affinitext is a processor.
- As a processor, the GDPR places specific legal obligations on us; for example, we are required to maintain records of personal data and processing activities. We will have legal liability if we are responsible for a breach.
- If you are a customer, as a controller the GDPR places obligations on you to ensure your contract with us complies with the GDPR.
- The GDPR applies to processing carried out by organisations, such as Affinitext, operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
What implications does GDPR have for organizations processing the personal data of EU data subjects?
One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations must be able to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.
How can Affinitext customers prepare for GDPR enforcement?
Affinitext encourages customers to prepare for the GDPR enforcement by reviewing their privacy and data security processes and policies to ensure compliance. Customers, as controllers, bear the primary responsibility for ensuring that their processing of personal data is compliant with EU data protection law. Below are some key points to consider for GDPR compliance:
- Geographical Application: The GDPR may apply to organizations that are established in the EU as well as certain organizations established outside the EU but which are processing the personal data of EU data subjects, depending on their activities. The GDPR applies to Affinitext.
- Rights of End-Users: Organizations should be cognizant of End-Users whose personal data they may be processing. The GDPR establishes enhanced rights for End-Users, and organizations should be able to accommodate those rights.
- Data Breach Notifications: Organizations that are controllers of personal data should have clear processes in place in order to comply with the GDPR requirement to report data breaches in accordance with the time frames set out within the GDPR. Affinitext, as processor, will notify affected customers promptly if we become aware of a data breach of our services.
- Appointment of Data Protection Officer (‘DPO’): Customers may need to appoint DPOs to manage issues relating to the processing of personal data.
Which Affinitext services and features can support customers’ compliance with the GDPR?
Customers can rely upon Affinitext’s ISO 27001, Cyber Essentials and Cyber Essentials Plus certifications to help conduct their risk assessments and determine whether appropriate technical and organizational measures are in place. Copies of these certifications can be obtained by submitting a request to data.protection@affinitext.com.
Does Affinitext currently provide any product-specific features or functionality to assist us with our GDPR compliance program?
An Affinitext GDPR library is provided for free at https://gdpr.affinitext.com/public; for a GDPR library with more features, register for free at www.affinitext.com/gdpr.
A Client Administrator can delete, or request that Affinitext delete, any and all user accounts, documents, attachments and/or other data that reside within their library.