What is the GDPR
The General Data Protection Regulation (GDPR) is a new European privacy law aimed to harmonize data privacy laws across Europe,
to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data
privacy. The new policy provides specific guidelines regarding data transparency and dictating the control that users
have over data they upload to solution providers. It will be enforceable on May 25, 2018, replacing the current EU Data
Protection Directive, also known
as Directive 95/46/EC.
How will you be affected by the GDPR
As an individual user, you will benefit from the increased security and privacy protection from cloud service providers;
companies/organizations will also benefit from the same security and privacy protection when they use a cloud service.
For organizations established in the EU and all companies that process personal data of EU data subjects in connection with either
the offering of goods or services to data subjects in the EU, they will need to comply with the new law or otherwise could face
severe penalties.
DriveHQ's role under the GDPR
DriveHQ is both a data processor and a data controller under the GDPR.
- As a data processor:
When customers and Partners (resellers) use
DriveHQ services to process personal data, DriveHQ acts as a data processor. Customers and Partners
can use the tools available in DriveHQ cloud IT system for handling personal data. The customer
or Partner may also act as a data controller or data processor, and DriveHQ acts as
a data processor or sub-processor.
- As a data controller:
DriveHQ collects and stores customers' personal data and
determines the purposes and means of that personal data as part of offering Cloud IT service.
For example, DriveHQ stores
customers' account information for account registration, administration, services access, or
contact information to provide assistance through customer support activities.
The shared responsibility model
When DriveHQ acts as a data processor or sub-processor,
The GDPR responsibility is shared by multiple parties. The shared responsibility model illustrates the
different responsibilities of DriveHQ
and customers / Partners (as either data controllers or data processors) under the GDPR.
DriveHQ's Responsibilities as a data processor
DriveHQ is responsible for protecting its cloud IT system, both in the infrastructure level
and the application level. DriveHQ is also responsible for offering some security tools that can
help customers/partners meet the GDPR requirements.
Customer and Partner responsibilities as data controllers:
DriveHQ offers cloud storage and cloud file server, FTP server, email server and web server
without a physical or virtual machine. Customers and partners can provision their accounts and
access these features in minutes.
They can store and process data on DriveHQ cloud IT system as if they own the system. DriveHQ team
is not involved except in the case of providing customer or technical support.
We recommend customers and Partners protect their account credentials and set up sub accounts so that
each user has his or her own credentials. Each sub-user can be assigned with a role; and folders
can be shared to users with fine granular access control.
We also recommend using two-factor authentication (2FA) with each account, requiring the use of SSL/TLS
to access cloud data, setting up event logging and protect confidential data with client side encryption.
Customers and Partners can also use advanced security services, such as IP address restriction.
For more info about DriveHQ security technologies and tools, please visit DriveHQ security page.
Does DriveHQ have sub-processors?
DriveHQ is an enterprise cloud IT service provider. Our revenue is not dependent on advertisement business.
We don't sell customer data, including data (files) uploaded by customers and customer account, billing,
contact and usage information.
DriveHQ uses 3rd party services for website analysis and report such as Google Analytics; DriveHQ may also use
3rd parties for software and hardware related development, system monitoring and consulting services.
However,
no personal data is shared with any 3rd party.
DriveHQ will inform customers and Partners of any subcontractors who have access to customers and
partners' personal data if that happens in the future. We will certainly be very cautious and ensure any
subcontractors comply with the same standards and rules, and we will limit the scope of access to a minimum.
Control access to personal data within DriveHQ Cloud Storage
DriveHQ has many features and tools to control access to personal data stored in our Cloud Storage:
-
Security by Default means DriveHQ services are designed to be secure by default. With the default setup,
your data and account info are protected by your username and password. Other users cannot access your
files and account info unless you provide them with your login credentials or explicitly share or
publish your files. In a group account case, the group owner can control all sub-accounts,
their files and personal data.
- The Group Admin Tool enables organizations to create and manage users and subgroups as well as
assign user roles, set granular access permissions on shared data. The Group Admin Tool is offered
at no additional charge.
-
Two-Factor Authentication adds an extra layer of protection on top of regular username and password.
Customers can manage their own trusted devices (after passing 2-factor authentication).
-
The Active Directory Integration Service allows customers and Partners to integrate and federate with corporate
directories to reduce administrative overhead and improve end-user experience.
-
The Event Log Feature allows customers and Partners to log and retain information about account and file activities.
Customers can query events and generate reports to detect unauthorized activities or data breaches.
-
The Cloud-to-cloud Backup Feature can help customers prevent data loss by automatically backing up a customer's
data to another account. This can prevent data loss in the case of accidental or malicious file deletion by
an employee. It can also protect customer data in the case of a customer's local computer infected with
ransomeware / Crytowall virus.
Does DriveHQ actually delete a file after it is deleted by a customer?
When a customer deletes a file, usually it is moved to the Recycle Bin folder first, if the Recycle Bin option is enabled.
It will be kept in the Recycle Bin folder for about 2 weeks. After 2 weeks, it will be purged from the Recycle Bin.
At this point, the file is no longer be accessible to the customer.
The DriveHQ system will keep the data for additional 3 to 4 days. After that, all physical copies of the file will be deleted.
The file/folder metadata will be kept for about 2 weeks.
The design is to prevent data loss due to accidental deletion. A customer may request to permanently delete a file immediately.
How can I prove to a data protection regulator that my use of DriveHQ complies with GDPR?
-
Non-advertising business model: DriveHQ's revenue is completely not dependent on advertising.
We have absolutely no incentive to sell customer data, including data (files)
uploaded by customers and customer account, billing, contact and usage information.
- 15-years of track record on data security and reliability: Since DriveHQ was founded in 2003,
We have never had any security breaches or
down time of longer than 5 hours. DriveHQ can achieve 99.99% up-time.
-
Customer testimonials: DriveHQ has over 3 million users and tens of thousands of
business customers, incl. many Fortune 500 companies. We also have numerous partners or resellers in the world.
-
Security technologies, processes and documentation:
DriveHQ has created a lot of documents about our data protection (and security/privacy) technologies and processes. For more info,
please visit the DriveHQ security page or download our security white paper.