As of 25 May 2018, the General Data Protection Regulation (GDPR) has taken effect for businesses operating or located within the European Union.
What is GDPR?
The GDPR increased oversight for global privacy rights and compliance. A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU. The GDPR is strengthening, harmonizing, and modernizing EU data protection law and also enhancing individual rights and freedoms.
Among other things, it regulates how individuals and organizations may obtain, use, store, and erase personal data.
Clustdoc complies with the GDPR; this guide is intended to help our customers understand what we have worked on to make sure they stay safe with Clustdoc.
Team training
At Clustdoc, all employees have been trained on the GDPR principles. New joiners, employees, consultants, or freelancers joining forces with us are also strongly advised, if not required, to complete this training.
Data Protection Officer
In accordance with the CNIL instructions we designated and officially registered a DPO (Data Protection Officer).
This is also mentioned in our DPA (Data Privacy Agreement), which each of our clients is invited to sign.
Our DPO is responsible for the following:
Informing and advising Clustdoc teams on good practices required under the GDPR
Monitoring compliance with Data Protection laws
Advising Clustdoc on when to carry out impact assessments and overseeing their smooth running
Cooperating with the CNIL and remaining its official point of contact
Impact assessment
We maintain up-to-date confidential data maps and impact assessments covering:
How the data collected about Clustdoc users is processed securely
The type of data collected
The objectives of these operations as part of our business
Who has access to this data
We also carried out a Privacy Impact Assessment to make sure this processing is conducted in accordance with the regulations.
Good practices and data security
Communications with our services use the Transport Layer Security (TLS) protocol, and our TLS configuration is updated regularly to use current cipher suites and protocol settings.
In addition, we encrypt all customer data using the AES-256 algorithm. We have also established ten in-house key rules governing access to and protection of user and security data.
We provide our employees with this information and good practices to maintain a reliable and regulated environment within our premises.
All employees of Clustdoc who are likely to manipulate personal data are held to the strictest confidentiality by a contractual confidentiality clause.
Clustdoc undertakes not to use or transfer user data for any purpose other than for the purposes of design, execution, maintenance, and improvement of the company's services.
Data transfer
Your data is kept on multiple servers to ensure that our systems remain operational and efficient even if one of our servers fails. Our dedicated physical servers are distributed across many data centers on each continent. The data of US customers is processed in the United States. Customer data is encrypted so that even our hosting provider does not have access to it.
Cyber-security and risk management
We work with an international cyber-security company based in France. This company carries out regular audits of our site in order to assess vulnerability risk and maintain compliance with the regulations.
Product and integration development
Our technical teams systematically develop new software features, taking into account the OWASP requirements for IT security.
Similarly, at the operational level, the following are selected, conducted, and controlled in accordance with customer data protection regulations:
Feature requests
Software testing and quality assurance
Integration of technical partners
Established and forthcoming sub-contractors
We have also established rules for what we believe is the best way of selecting and working with subcontractors:
Sharing our GDPR commitments to all our subcontractors
Establishing a specific list of pre-qualifying questions for potential candidates
Defining contractual commitments aligned with the GDPR
Implementing and strictly following our approach when developing features or writing code
Customer Information
We have updated both our Terms of Service and Privacy Policy. Through the Security Center, users can learn more about their rights under the GDPR regarding:
Accessing their Data
Correcting their data
Deleting data
Exporting data to a digital medium in a structured format (e.g., .xls, .csv, or .xml files)
Restricting and objecting to the processing of their data
These rights also apply to the customers of our users.
This means that, upon request from their customers, our users (who are responsible for the processing of what they collect using Clustdoc) can provide access to, rectification, deletion, export, and restriction of that data.
Data Protection Act
Under the GDPR, there must be a written contract when one business processes personal data on behalf of another business.
In other words, the law requires that we (Clustdoc) define this business relationship in a written agreement in order for your business to be compliant with the GDPR.
You can sign the DPA here (Customers only).
Helping you comply with GDPR
We also encourage you to update your Privacy Policy to tell your clients that you use Clustdoc to securely collect personal data about them.
Once that's done, you can add the URL of your Privacy Policy to the secure client portal so that your clients read it before uploading their documents.