At InvGate, securing customer data is, and always has been, a top priority. We know the data you manage through our software is key to your business, and that is why we are committed to keeping it private and safe. To that end, we comply with industry best practices related to cloud security standards and certifications; and, as of May 25th 2018, we will also be complying with the General Data Protection Regulation (GDPR), which strengthens the rights that European individuals have over their personal data.
The GDPR is a big step in terms of respect for the privacy of individuals, and we’ve been preparing ourselves as well. Today, we want to share the news on how we are approaching the GDPR: new features, updated policies, and strengthened data controls for you.
Our commitment to GDPR
As Data Processors, we take care of data in the following ways:
- We implemented appropriate technical and organizational measures according to GDPR, such as encryption of data over public networks and periodic controls, among others.
- Our servers comply with Codes of Conduct and have several certifications and accreditations, such as ISO 27001, ISO 27018, ISO 9001, SOC1, SOC2, SOC3, PCI DSS Level 1, and many more.
- We are committed to applying any other measure related to privacy or security required by the regulations.
- Our products are designed in such a way that they allow our customers to be compliant with GDPR (more on that below).
- All data transfers comply with GDPR. You can choose the region where you want to host your data (US or UK regions).
- We do not disclose data to third parties, unless it is needed to provide our services, expressly consented to by the customer, or required by public authorities on a lawful basis.
We help you comply as well
At InvGate, it’s our mission to help our customers help their users, so we also approached the GDPR with that in mind. We not only comply as a company, protecting our own customers’ data, but we also help your company comply.
We developed the features necessary to allow you to grant the right to be forgotten to any of your users, and to practice diligent data management by erasing historical data that is no longer useful.
How InvGate addresses the main GDPR requirements
We created a new tab at Admin > System > Privacy. Here, InvGate Service Desk administrators can apply a predefined mask to certain fields of requests, in case one of their users wants to exercise the right to be forgotten. So, if someone asks you to blank their profile, their data and the content of their requests, you can do so.
Additionally, our clients will be able to select which info they want to erase, in the event they have a legal ground for processing certain information. Therefore, you will be able to keep the smallest possible amount of information in the system, balancing the individual's right to be forgotten and your legitimate right to process data. This follows the GDPR principle of privacy by design and by default.
We also introduced the ability to pseudonymise data in bulk (for example, old data) in order to comply with the data minimization principle. The best part of it? You’re still going to keep your metrics without any identifiable data!
We also thought about the security needed behind these actions. To perform any of these procedures, the admin must re-confirm their identity through a one-time use code that will be sent by email. We applied this additional step to improve security and avoid accidental loss of information.
Users will be warned that these actions are irreversible and will be advised to take all necessary actions before proceeding.
Privacy will remain a top concern
As you can see, we’ve been working hard on putting the necessary measures in place to protect your data. We have taken a smart approach that allows you to anonymize all the personal data of a user and their requests, as well as old tickets, without losing the metrics you need for reports.
While doing so, we have taken security into account, since the deletion of data in an unforeseen way could also affect the business of our customers.
We are here for you, so if you have any questions or comments, you can contact us by sending an email to firstname.lastname@example.org. If you want more details, read our policies.