GDPR and data privacy
Data is not just part of our name.
We love helping clients manage their customer’s data to create outstanding personalized experiences.
We know that data privacy management is not only required by law, but it is also essential to nurture a good relationship with clients.
Showing commitment to handling the information customers share and respecting their preferences creates an important sense of trust that will benefit both sides.
Learn more about our initiatives to keep your data safe.
The General Data Protection Regulation (GDPR) established in Europe was a significant social innovation. It clarifies and allows individuals to manage their privacy preferences and have visibility about the information they share.
Datatrics supports clients with technology to achieve data privacy compliance and keep customers’ information updated since our Customer Data Platform automatically collects, cleans, and presents all customer data from different marketing tools in one place, in real-time.
If, for example, you remove a customer’s opt-in to a newsletter upon request, this information is automatically implemented in our system and across your tools.
Managing multiple data flows and sources manually with several spreadsheets increases your risk of failure to meet privacy protection requirements and compromises your company’s reputation.
Datatrics' Data Protection Officer
In adhering to the GDPR, Datatrics has appointed a Data Protection Officer to manage corporate compliance and act as a point of contact between the company and the competent authorities.
Datatrics Cybersecurity management
At Datatrics, we have significant experience with threat protection, privacy protection, and a wide range of compliance regulations. In addition to that, our company leverages the organizational model of its holding, Growens, to better manage its security measures.
We regularly access our infrastructure and security policies to maintain the highest data protection compliance standards following the laws and regulations requirements.
Physical and logical security measures
Datatrics has embraced the hybrid workplace: many employees work from home, adhering to specific policies and using their corporate-owned laptops equipped with a Mobile Device Management (MDM) solution.
The MDM software, augmented with an Endpoint Detection and Response (EDR) agent, allows enforcing a common security baseline, wide-spectrum protection against malware and other threats, and a detailed census of all corporate devices and their installed software.
Physical access to the offices is controlled by the use of personal badges, one for each employee. All logical accesses (e.g., cloud services accounts) are listed to manage subscriptions better and licensing costs and avoid the risk of shadow IT. Multi-Factor Authentication (MFA) is enabled for all relevant accounts.
Policies and workflow changes
Datatrics shares with Growens an internal change management tool thoroughly used for any tickets, issues, and requests for change. There is also another solution as an external issue tracker to help desk and customer care teams.
Corporate policies and the MDM agent forbid both local-only storage inside a corporate device and the use of removable storage media. We have full disk encryption implemented using Apple FileVault and Microsoft BitLocker. Activities of system administrators are logged, and computing resources are monitored continuously with InfluxDB and Telegraf.
The infrastructure is designed to be resilient to Distributed Denial of Service (DDoS) attacks through mitigation systems that can automatically detect and filter excess traffic, including auto-scaling mechanisms (e.g., Amazon CloudFront) to handle unexpected traffic volumes.
We use state-of-the-art protocols for data encryption in transit across networks, such as SSH-2 and TLS 1.2 and above. We use AWS VPN with certificate-based authentication for logging into EC2 instances.
Software development life cycle follows an Agile methodology. We keep development, staging, and production environments separated within AWS. We adopt Input sanitization techniques across all phases of software development.
Resilience against faults and targeted attacks
Vulnerability assessments and penetration testing sessions are regularly scheduled across our infrastructure. In case of disaster, the entire infrastructure can be quickly restored using snapshots and Terraform scripts. Recovery tests from backups are regularly performed. On the Amazon infrastructure, we use a PHP script to implement our data retention policy.
Data Center Located in Europe
To safeguard data confidentiality, integrity, and availability, Datatrics relies on Amazon Web Services (AWS) data centers located in the European Union. There are no on-premises servers.
We protect our data through full disk encryption at the physical level, a methodology that does not allow sensitive data to be extracted if the physical storage media is stolen. The technology used to store data on physical media is intended to increase performance, make the system resilient to the loss of one or more disks and allow hardware replacement without interruption to service.
At the application level, we have the possibility to secure the data contained in customer databases with encryption of data at rest. At the transport level, data is vulnerable to unauthorized access while traveling through the Internet or within third-party networks; for this reason, the protection of data in transit has a high priority.
We use the Transport Layer Security (TLS) cryptographic protocol that employs asymmetric and symmetric encryption algorithms to ensure secure communications across public networks and the whole Internet. To provide even greater security within the TLS protocol, we use the Advanced Encryption Standard (AES) block cipher algorithm.
We have a clear anti-spam policy. We use advanced tools to search for viruses in email (whether incoming or outgoing), detect spoofing (use of fraudulent senders), and block more advanced threats such as spear phishing. We regularly and automatically check that all our servers are up-to-date and have the latest security patches installed.
Multi-Factor Authentication and Firewalls
Multi-factor authentication requires more than one type of credentials, where at least a second level of security is added for user accesses and transactions. This method is used by system administrators and for services provided by Google and Amazon.
Monitoring and Access Control
- Advanced visibility on API calls.
- Log aggregation options to optimize surveys and compliance reporting.
- Definition, application, and management of user access policies across all services.
- Monitoring suspicious access attempts make it possible to detect potential intrusions using very solid machine learning functions.
- Warning notifications can be programmed if thresholds are exceeded or for event verifications.
- Employee access rights and levels are based on job and workplace roles using the “least-privilege” and “need-to-know” principles, depending on the responsibilities defined for the employee.
- Requests for greater access follow a formal process that requires approval by the owner of the data, or by the system, or by supervisors or other managers, according to established security criteria.
At Datatrics, we cyclically perform vulnerability tests on all infrastructure systems and clients connected to our platform. We regularly perform security penetration tests using different suppliers.
The tests include:
- High-level server penetration tests.
- In-depth tests for vulnerabilities within the application.
- Social engineering exercises.
We have a rigorous incident management process for security events that can affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the security team records and establishes a priority level based on severity. Events that have a direct impact on customers have the highest priority.
Availability and Integrity of Personal Data
To ensure data availability, backup copies are scheduled at least once per day for the most critical servers in the event of hardware malfunctions. This data is saved on systems installed in a dedicated backup site, which is also located within the European Union. Datatrics maintains a backup copy of the databases loaded by customers for the time necessary that is specified in the data retention policy, and then they are automatically deleted.
These backups are checked periodically, are organized in such a way as to ensure the separation of data for each customer, and are securely encrypted to ensure maximum confidentiality of the data.
Tracking and Disposal of Hardware
Control starts with its acquisition, follows with installation, all the way to its being taken out of service and eventual destruction.
To dispose of hardware, we rely on a highly qualified and experienced supplier that guarantees the destruction of the disk and the deletion of data. The supplier furnishes a document certifying that the destruction has taken place.
Within AWS, Datatrics uses managed services mostly but not exclusively: for example, it could be easier to deploy a database like MongoDB on an EC2 instance instead of using Amazon DocumentDB. Other services we use for running our infrastructure besides Amazon Elastic Compute Cloud (Amazon EC2) are:
- Amazon Elastic Container Registry (Amazon ECR)
- Amazon Elastic Container Service (Amazon ECS)
- Amazon Elastic Kubernetes Service (Amazon EKS)
- AWS Lambda
- Amazon Simple Storage Service (Amazon S3)
- Amazon Relational Database Service (Amazon RDS), including Amazon Aurora
- Amazon ElastiCache for Redis
- Amazon Simple Queue Service (Amazon SQS)
- Amazon CloudFront
- Elastic Load Balancing, Version 2 (including both Application Load Balancers and Network Load Balancers)
- Amazon Elasticsearch Service (Amazon ES)
We chose to follow an “infrastructure as code” approach for deploying our systems on AWS, using HashiCorp Terraform. This allows us to see what will be changed because Terraform saves what is currently deployed in a state file. It also allows managing from a central place, like our GitLab instance, in a DevSecOps fashion.
Amazon AWS complies with many international and industry-specific standards. You can find further information directly on the AWS compliance page.
The Google platform provides productivity and company security tools, while it complies with many international and industry-specific standards. You may find more information on their pages devoted to security and compliance.