Data Security and EU Data Protection
Software2 understand the importance of data security to our customers. Trust is the foundation of all good relationships, and we value the trust that you place in us, and in turn the importance of your end-users having confidence in the security of the IT services that you provide to them.
Software2 support over 150 customers worldwide, delivering apps to over 1.5 million students and staff. Delivering apps and desktops to all of these service users generates a large amount of data. We want to be transparent about how this data is stored and processed, and to store and process it in accordance with legal requirements such as the EU General Data Protection Regulation (GDPR).
What constitutes Personal Data?
Personal Data is defined under Article 4.1 of the EU General Data Protection Regulation as:
"any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Within the range of available Software2 products and services, a natural person may be identified by a username or, in some cases, by IP address. In both cases, further access to customer systems is required in order to identify the individual to whom the data relates.
What Personal Data is recorded by AppsAnywhere?
AppsAnywhere records personal data pertaining to user access in the system database, as well as in log files both on the server and end-user device.
Server-side data includes:
- Logged on username and AD Display Name (for the duration of the session)
- Device ID (system generated), local and remote IP and determined region
- Personal data on the launching of applications and duration of use
Client-side personal data includes:
- Records of the launching of applications on the end-user device
- Configuration of the end-user device (e.g. logged-on username, IP address, operating system, installed applications)
What Personal Data is recorded by Cloudpaging?
Cloudpaging records personal data pertaining to user access in the system database, as well as in log files both on the server and end-user device.
Server-side personal data includes:
- Records of the launching of Cloudpaged applications and duration of use
Client-side personal data includes:
- Records of the launching of Cloudpaged applications on the end-user device
- Configuration of the end-user device (e.g. logged-on username, IP address, operating system, system memory)
Who owns and controls Personal Data?
AppsAnywhere and Cloudpaging are installed on servers owned and controlled by the customer. The customer therefore retains ownership of and control over this data. From a GDPR perspective, the customer is the controller of the data, and Software2 is a data processor.
What Personal Data is processed by Software2?
In the provision of support and in the course of fulfilling our contractual obligations to our customers, Software2:
- Access log files and databases on supported customer systems.
- Process end-user log files that customers provide.
- View user account details via the AppsAnywhere LDAP browser.
- Store contact details and information related to individual customer contacts.*
How does Software2 store this data?
Software2 does not copy any personal data outside of customer systems without explicit consent.
In the provision of support and in the course of fulfilling our contractual obligations:
- a) Customers may transfer log files containing personal data to Software2.
- b) Software2 may take copies of log files containing personal data.
- c) Log files containing personal data may be copied to sub-processors’ systems.
Software2 use a range of secure systems to store data including:
- Support Ticket System – Zendesk
- E-mail and file storage – Microsoft Office 365
- FTP Storage – Rackspace
- Encrypted Disks in Secure Systems
Contact details and related information for individual customer contacts are also stored within our Support Ticket System.
What do we do with the data?
Software2 only use this data in the provision of support and in the course of fulfilling our contractual obligations to our customers.
How long is the data retained?
Where personal data has been transferred to Software2 from customer systems, our policy is to securely erase this data as soon as possible after processing is complete.
Where data has been transferred into our Support Ticket System (Zendesk), we'll keep this data securely for no more than 6 months following the expiration of our contract with the customer.
What organizational and technical measures do you have in place?
To ensure the security and integrity of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, Software2 have adopted a comprehensive set of policies, procedures and processes, including measures to:
- Pseudonymize and encrypt personal data.
- Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- Regularly test, assess and evaluate the effectiveness of technical and organizational measures for ensuring the security of processing.
All Software2 staff receive training in data security and compliance with legal requirements such as the EU General Data Protection Regulation.
By default, all personal data resides on customer systems. We do not transfer personal data outside of these systems without consent.
Who are Software2’s sub-processors?
Software2 maintains an up-to-date list of the names and locations of all sub-processors used for hosting or other processing of personal data, which can be found here. The list may also be obtained by contacting firstname.lastname@example.org.
Does Software2 transfer any personal data outside of the EEA?
Software2 stores all personal data pertaining to EU customers within the EEA.
Occasionally, in the provision of support and in the course of fulfilling our contractual obligations to our customers, Software2 may transfer log files to:
Numecent Inc. (a US-based company).
Before such data transfers are made, the original log files are redacted, such that it is no longer possible for the natural individual to be identified either directly or indirectly. Consequently, personal data is not transferred to Numecent Inc.
Software2 Americas Inc. (part of the Software2 Group)
In this case, transfers are made subject to the Standard Contractual Clauses approved by the European Commission for transfers from Controllers in the European Economic Area to Controllers outside the European Economic Area.