Aculab Cloud and the EU GDPR
The EU General Data Protection Regulation (GDPR) is important to Aculab and its customers in the EU region, and also for our non-EU customers who use Aculab Cloud for their customers who reside in the EU. This is a summary of what we have done to ensure the privacy and security of customer data on Aculab Cloud.
The GDPR is a European law that came into effect on May 25th, 2018 and is designed to ensure protection of the privacy rights of citizens in the EU region. It applies to any organisation doing business in the EU that processes the personally identifiable data of natural persons. It replaced the EU data protection directive (DPD), which had been in force since 1995.
In running the Aculab Cloud service, Aculab processes your customers’ data, and as such acts as a data processor. The steps we have taken to make sure the Aculab Cloud service meets the GDPR and protects your data are outlined below.
Protecting your data on Aculab Cloud
As a data processor, we are obliged to support our customers (acting as a data controller) and enable you to meet your obligations under the GDPR for personal data privacy.
For Aculab Cloud, that personal data may include call or message records (CDR), application data records (ADR), and call recordings.
In terms of the data processing we carry out, compliance can be broken down into these areas:
- Access control
- Data retention and deletion
- Data security
- Auditing processes
1. Access control
Only a limited number of key personnel have access to customer content on Aculab Cloud, and we ensure that these authorised persons are competent in and conversant with the processing of customer content required for the operation of the services. Furthermore, Aculab has data processing agreements (DPAs) in place with the third-party suppliers used to provide the services to ensure that your customer data is protected.
2. Data retention and deletion
We have set policies covering how long each category of customer data is stored and when it can be deleted. For an active account, call and message logs, speech recordings and database backups are stored for periods between 28 and 180 days. If your account is closed, we will delete the account data systematically in a matter of weeks: some of the data is deleted immediately, while some is deleted as and when backup cycles end. The only data kept for a longer period of time will be billing records, which need to be kept to meet our statutory, financial, regulatory and tax reporting commitments.
3. Data security
Aculab has designed the Aculab Cloud service with security considerations uppermost in our minds. We provide security in terms of the physical infrastructure, the cloud services that run on the infrastructure, and security for your data.
Aculab Cloud runs on Amazon's AWS infrastructure. AWS Virtual Machines are designed to be secure by default, and Aculab Cloud only opens ports and exposes services related to necessary functionality. The services you run can use either our web services APIs, all accessed over HTTPS, or our UAS APIs. The UAS approach typically runs the service on the customer site and uses SSL to communicate with the cloud. We also undertake penetration testing using a third party to test for system weaknesses.
Customer data is stored securely on Amazon S3, each customer having access only to their own media files and call recordings. Customers can also encrypt their media files before upload, and choose to have their media recordings on the cloud encrypted before storage. Encryption is provided free of charge to all customers.
If you pay for Aculab Cloud using a credit card, then we protect your payment data by using a third-party payment processor – Aculab neither sees nor stores credit or debit card information.
4. Auditing processes
If we are asked what we are storing and why, through the processes identified above we are able to provide the answers, and are able to show you the data we are handling on behalf of you and your customers.
Data processing agreements
To ensure your compliance with the GDPR, we are happy to enter into a DPA with you using either your own template or Aculab's template.