GDPR and Security
Summary
- 1. What is the GDPR?
- 2. Who is concerned by the GDPR?
- 3. What is personal data?
- 4. What is personal data processing?
- 5. Ringover and the GDPR
- 6. Security
- 6.1 Network and interconnection
- 6.2 Data hosting and certification
- 6.3 Training and awareness of Ringover employees
- 6.4 Security measures applied to our premises and employees
- 6.5 Hashing and encryption
- 6.6 Separation of work environments, monitoring and vulnerability remediation
- 6.7 Updates (servers, firewalls, backup networks and anti-virus)
- 6.8 Privileges and segmentation of administrative uses
1. What is the GDPR?
The acronym GDPR refers to the General Data Protection Regulation. It covers all handling of personal data inside the territory of the European Union. Its legal context is adapted to keep pace with developments in technology and within companies (such as the increasing use of digital technology and the growth of online commerce). This new European regulation complements the 1978 French law relating to Computers and Freedom and strengthens citizens’ control over the use of their data. It harmonises European laws by offering professionals a single legal framework, allowing them to develop their digital activities within the EU on the basis of user trust.
2. Who is concerned by the GDPR?
Any organisation, no matter its size, country of origin or activity, can be affected. In effect, the GDPR applies to any organisation, public or private, that processes personal data on its own behalf or otherwise, as long as it is either established in the European Union or its activity directly affects European residents. The GDPR also concerns sub-processors handling personal data on behalf of other entities. Thus, if you collect or process personal data for another entity (company, collective, association, etc.) you have specific obligations to guarantee the protection of the data entrusted to you.
3. What is personal data?
The concept of "personal data" is to be understood broadly. "Personal data" is "any information that relates to an identified or identifiable living individual." A person can be identified directly (by their first and last name, for example), or indirectly through an identifier (such as a client number, a phone number, a biometric, or another element specific to their physical, physiological, genetic, psychological, economic, cultural, or social identity, as well as their voice or image). The identification of a living person can occur:
- from a single datum (example: social security number; DNA);
- from a grouping of data (example: a woman living at a certain address, born on a certain day, subscribing to a certain magazine and active in a certain association).
Example: a marketing database containing a large volume of precise information on consumer location, age, tastes and purchasing behaviour, whether or not names are stored, is considered to be processing of personal data, since it allows the identification of specific living individuals.
4. What is personal data processing?
This also has a very broad definition. "Personal data processing" is any operation or set of operations carried out on personal data, whatever the purpose or method (collection, storage, organisation, conservation, adaptation, modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision or approach). Example: keeping client files, collecting contact details on leads via a survey, updating supplier files, etc. On the other hand, keeping a file with only company contact details (for example, "Company A" listed with a postal address, main phone number and generic contact email "[email protected]") is not processing of personal data. Processing of personal data is not necessarily computerised either: paper documents are also covered and must be protected under the same conditions.
5. Ringover and the GDPR
Since May 2018, when the GDPR entered into application, Ringover has remained committed to protecting its clients’ personal data.
Among the numerous measures taken to conform with the GDPR, we cite the following:
- Designation of an internal delegate for data protection (DPO), charged with subjects related to the GDPR and reachable by email at [email protected].
- Establishment of a personal data processing register: this regularly updated register provides us with precise, real-time visibility on personal data processing.
- Creation of an agreement on the processing of personal data (DPA).
- Maintaining an exhaustive and regularly updated list of Ringover sub-processors likely to be involved in the processing of personal data.
- Continuous training of Ringover’s multidisciplinary teams on the GDPR and the protection of personal data.
If you have any questions regarding the GDPR, please contact our DPO at: [email protected]
6. Security
We know that your telecoms are a key element in your business development. Our infrastructure is therefore designed and secured to provide you with impeccable service.
For these same reasons, we will not describe the technical or physical measures in place in exhaustive detail. We verify and update the measures and procedures described here as necessary, according to developments in techniques and working environments.
6.1 Network and interconnection
We manage our own network internally. Our company is a member of RIPE (European IP Networks, AS201188). IP transit for the services is redundant in order to avoid any interruption to service. A telecom operator since 2005, we are registered with ARCEP (the French Regulatory Authority for Electronic Communications and Postal Services). We are interconnected with the largest international telecom operators: Orange, SFR, COLT, BICS, etc. This allows us to choose the best operator in real time to route your calls. Over 250 million minutes pass through our telecom equipment annually.
6.2 Data hosting and certification
All data centres storing the data necessary for the provision of Ringover services are hosted and located in France; therefore no data is transferred out of the European Union or the European Economic Area. These hosts hold the following certifications:
- PCI-DSS certification for service providers
- HDS certification (health data hosting)
- ISO 9001:2015
- ISO 14001:2015
- ISO 27001:2013
- ISO 50001:2011
6.3 Training and awareness of Ringover employees
We regularly run awareness campaigns and training for our teams. In addition, good security practices are the subject of oral and written communications that are permanently accessible on the company’s intranet.
6.4 Security measures applied to our premises and employees
We implement physical security and protection measures in accordance with industry standards. Our offices and our staff information systems are adequately secured and subject to regular testing. For security reasons, we do not communicate the technical and physical procedures implemented in exhaustive detail.
6.5 Hashing and encryption
We systematically use salted hashing at least as robust as the SHA-256 standard. Calls made through Ringover applications are encrypted (DTLS-SRTP). Requests to the API are made over HTTPS only (TLS).
6.6 Separation of work environments, monitoring and vulnerability remediation
Our environments are strictly separated, both physically and logically. All development work carried out in the development environments is kept separate from production. We also apply a strict test procedure across multiple environments before deciding to go into production. In addition, we actively monitor the emergence and identification of new potential vulnerabilities (0-day) and require the deployment of new security patches on all workstations and production environments.
6.7 Updates (servers, firewalls, backup networks and anti-virus)
Our servers are updated regularly, in particular at each production deployment. We have a physical (hardware-based) firewall with filtering rules that allow only the flows necessary for Ringover’s needs and the provision of its services to customers. We have a backup system with automatic hot and cold backups, redundant hardware, and database clusters. Rather than a VPN, we use SSH tunnels to access the servers. All workstations and production environments are also protected by anti-virus software.
6.8 Privileges and segmentation of administrative uses
We have implemented several levels of access privileges and permissions for our clients. These user levels ensure that each of the client’s users has only the access and privileges necessary for their use of the services, on a strict "need-to-know" and "need-to-do" basis. These levels make it possible to segment usage and administrative rights within the Ringover solution.