The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.
Tenfold will comply with applicable GDPR regulations as a data processor when they take effect on 25th May 2018. Working in conjunction with our clients, we will explore opportunities within our services offerings to assist our customers to meet their GDPR obligations.
What are we doing?
We are committed to address EU data protection requirements applicable to us as a data processor. These efforts have been critical in our ongoing preparations for the GDPR:
Our ability to fulfill our commitments as a data processor to our customers, the data controllers, is a part of our compliance with GDPR where data controllers are using a third-party like us to process personal data. Because of this requirement, Tenfold is working to update our Master Subscription Agreement and related agreements to ensure it includes appropriate provisions for personal data we store, and balance the risks and responsibilities between data controllers and data processors.
Third-party audits and attestations:
Tenfold has successfully completed a SOC 2 Type 1 audit that reviews certain of its internal controls and processes. The audit covers internal governance, production operations, change management, data backups, and software development processes. It evaluates that we have the appropriate controls and processes in place and that they are actively functioning appropriately in accordance with related standards. We are currently in process for SOC 2 Type 2 audit.
The SOC program offers independent verification that our security practices offer a recognized standard of security measures. Furthermore, the program is designed to cover key elements of data processing and integrity, while maintaining auditing practices within our business and operational processes. As all customers are concerned with their data and its security, Tenfold has integrated its SOC controls into its operating procedures. These procedures span the organization, teams or functions that provide service or support to our clients on our platform. The key components of our SOC controls environment include:
- Corporate Governance: how we provide oversight of our business and people
- Change Management: how we make sure changes are tracked and properly reviewed
- Access Control and Management: who has access to our platform operations and how this access is managed
- Data Redundancy and Backup: how data is kept safe and stored in the event of adversity
- Software Architecture and Development: oversight of the development effort around our platform
International data transfers:
Tenfold, complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. Tenfold has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. To learn more about the Privacy Shield programs, and to view our certification, please visit https://www.privacyshield.gov/. Tenfold is committed to subjecting all personal data it receives from data exporters in any European Union (EU), Switzerland or European Economic Areas (EEA) member state, under the Privacy Shield Framework, to its applicable Privacy Shield Principles. To learn more about the Privacy Shield Framework and the Privacy Shield Principles, please visit the U.S. Department of Commerce’s Privacy Shield website at https://www.privacyshield.gov.
The GDPR includes certain requirements on data controllers for the portability of personal data. The data our customers store in Tenfold is theirs. We provide for portability and are continually working to enhance the robustness of our data export capabilities.
Right to be forgotten (RTBF):
The GDPR includes certain requirements on data controllers for the right of data subjects to be forgotten and have their data removed from our systems. We have established a process to facilitate these requests and will work with customers to ensure that RTBF requests received are completed within the required time period.