What is the GDPR

The General Data Protection Regulation (GDPR) is a new European privacy law aimed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy. The new policy provides specific guidelines regarding data transparency and dictating the control that users have over data they upload to solution providers. It will be enforceable on May 25, 2018, replacing the current EU Data Protection Directive, also known as Directive 95/46/EC.

How will you be affected by the GDPR

As an individual user, you will benefit from the increased security and privacy protection from cloud service providers; companies/organizations will also benefit from the same security and privacy protection when they use a cloud service.

For organizations established in the EU and all companies that process personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU, they will need to comply with the new law or otherwise could face severe penalties.

DriveHQ's role under the GDPR

DriveHQ is both a data processor and a data controller under the GDPR.

  • As a data processor:

    When customers and Partners (resellers) use DriveHQ services to process personal data, DriveHQ acts as a data processor. Customers and Partners can use the tools available in DriveHQ cloud IT system for handling personal data. The customer or Partner may also act as a data controller or data processor, and DriveHQ acts as a data processor or sub-processor.

  • As a data controller:

    DriveHQ collects and stores customers' personal data and determines the purposes and means of that personal data as part of offering Cloud IT service. For example, DriveHQ stores customers' account information for account registration, administration, services access, or contact information to provide assistance through customer support activities.

The shared responsibility model

When DriveHQ acts as a data processor or sub-processor, The GDPR responsibility is shared by multiple parties. The shared responsibility model illustrates the different responsibilities of DriveHQ and customers / Partners (as either data controllers or data processors) under the GDPR.

DriveHQ's Responsibilities as a data processor

DriveHQ is responsible for protecting its cloud IT system, both in the infrastructure level and the application level. DriveHQ is also responsible for offering some security tools that can help customers/partners meet the GDPR requirements.

Customer and Partner responsibilities as data controllers:

DriveHQ offers cloud storage and cloud file server, FTP server, email server and web server without a physical or virtual machine. Customers and partners can provision their accounts and access these features in minutes.

They can store and process data on DriveHQ cloud IT system as if they own the system. DriveHQ team is not involved except in the case of providing customer or technical support.

We recommend customers and Partners protect their account credentials and set up sub accounts so that each user has his or her own credentials. Each sub-user can be assigned with a role; and folders can be shared to users with fine granular access control.

We also recommend using two-factor authentication (2FA) with each account, requiring the use of SSL/TLS to access cloud data, setting up event logging and protect confidential data with client side encryption. Customers and Partners can also use advanced security services, such as IP address restriction.

For more info about DriveHQ security technologies and tools, please visit DriveHQ security page.

Does DriveHQ have sub-processors?

DriveHQ is an enterprise cloud IT service provider. Our revenue is not dependent on advertisement business. We don't sell customer data, including data (files) uploaded by customers and customer account, billing, contact and usage information.

DriveHQ uses 3rd party services for website analysis and report such as Google Analytics; DriveHQ may also use 3rd parties for software and hardware related development, system monitoring and consulting services. However, no personal data is shared with any 3rd party.

DriveHQ will inform customers and Partners of any subcontractors who have access to customers and partners' personal data if that happens in the future. We will certainly be very cautious and ensure any subcontractors comply with the same standards and rules, and we will limit the scope of access to a minimum.

Control access to personal data within DriveHQ Cloud Storage

DriveHQ has many features and tools to control access to personal data stored in our Cloud Storage:

  • Security by Default means DriveHQ services are designed to be secure by default. With the default setup, your data and account info are protected by your username and password. Other users cannot access your files and account info unless you provide them with your login credentials or explicitly share or publish your files. In a group account case, the group owner can control all sub-accounts, their files and personal data.
  • The Group Admin Tool enables organizations to create and manage users and subgroups as well as assign user roles, set granular access permissions on shared data. The Group Admin Tool is offered at no additional charge.
  • Two-Factor Authentication adds an extra layer of protection on top of regular username and password. Customers can manage their own trusted devices (after passing 2-factor authentication).
  • The Active Directory Integration Service allows customers and Partners to integrate and federate with corporate directories to reduce administrative overhead and improve end-user experience.
  • The Event Log Feature allows customers and Partners to log and retain information about account and file activities. Customers can query events and generate reports to detect unauthorized activities or data breaches.
  • The Cloud-to-cloud Backup Feature can help customers prevent data loss by automatically backing up a customer's data to another account. This can prevent data loss in the case of accidental or malicious file deletion by an employee. It can also protect customer data in the case of a customer's local computer infected with ransomeware / Crytowall virus.

Does DriveHQ actually delete a file after it is deleted by a customer?

When a customer deletes a file, usually it is moved to the Recycle Bin folder first, if the Recycle Bin option is enabled. It will be kept in the Recycle Bin folder for about 2 weeks. After 2 weeks, it will be purged from the Recycle Bin. At this point, the file is no longer be accessible to the customer.

The DriveHQ system will keep the data for additional 3 to 4 days. After that, all physical copies of the file will be deleted. The file/folder metadata will be kept for about 2 weeks.

The design is to prevent data loss due to accidental deletion. A customer may request to permanently delete a file immediately.

How can I prove to a data protection regulator that my use of DriveHQ complies with GDPR?

  • Non-advertising business model: DriveHQ's revenue is completely not dependent on advertising. We have absolutely no incentive to sell customer data, including data (files) uploaded by customers and customer account, billing, contact and usage information.
  • 15-years of track record on data security and reliability: Since DriveHQ was founded in 2003, We have never had any security breaches or down time of longer than 5 hours. DriveHQ can achieve 99.99% up-time.
  • Customer testimonials: DriveHQ has over 3 million users and tens of thousands of business customers, incl. many Fortune 500 companies. We also have numerous partners or resellers in the world.
  • Security technologies, processes and documentation: DriveHQ has created a lot of documents about our data protection (and security/privacy) technologies and processes. For more info, please visit the DriveHQ security page or download our security white paper.