This document outlines how GFI Software Ltd and its affiliates (“GFI”) comply with the European Union General Data Protection Regulation (“GDPR”).
GFI’s data protection program (the “Programme”) is designed to safeguard Personal Data (defined below) in accordance with the requirements of the GDPR. In particular, this document describes the Programme elements through which GFI intends to:
- Ensure the security and confidentiality of Personal Data,
- Protect against any anticipated threats or hazards to the security of Personal Data, and
- Protect against the unauthorized access or use of Personal Data in ways that could result in substantial harm to GFI’s customers and their respective clients.
At GFI, respecting and protecting privacy is of critical importance, and one of our key business principles. For more details please read our Privacy Policies.
Scope of the Programme
The Programme applies to personal data (as defined by the GDPR) that is accessed or received by GFI acting as a Data Processor on behalf of its customers (Data Controllers) in connection with providing the contracted services (“Personal Data”).
This document describes GFI’s general data protection practices. Individual products may implement these practices through product-specific methods.
Official GDPR Compliance Statement
GFI currently processes Personal Data lawfully under the Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data). We are also Privacy Shield certified (EU and Switzerland), which allows us to transfer Personal Data from the EU and Switzerland to the U.S. lawfully.
Concerning the GDPR, which will apply from 25 May 2018, we are now working towards compliance with its requirements. Practically speaking, we have identified our obligations as a data processor and established internal teams with specific commitments, responsibilities, and deadlines. We expect to be fully compliant with those obligations by the time the GDPR enters into effect.
Appointment of a Data Protection Officer
GFI’s Data Protection Officer (“DPO”) is responsible for coordinating and overseeing the Programme. The DPO may designate other representatives of GFI to oversee and coordinate elements of the Programme. You may direct any questions regarding the implementation of the Programme or the interpretation of this document to your account manager.
Privacy Impact Assessment
GFI identifies and assesses external and internal risks to the security, confidentiality, and integrity of Personal Data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information.
GFI ensures that the organization’s risks are addressed in a cost-effective manner that balances the operational and economic costs of risk management measures against the risks themselves. GFI has a process for selecting and implementing security safeguards that reduce the risks to Personal Data to reasonable and manageable levels.
The DPO implements safeguards to control the risks identified through such assessments and regularly tests or otherwise monitors the effectiveness of those safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
Privacy by Design
At GFI, a software product typically undergoes several development life cycles, from its creation and throughout subsequent upgrades. Each such development life cycle constitutes a project. Such projects continue until the underlying technology ages to the point where it is no longer economical to invest in upgrades, and the application is considered for either continued as-is operation or retirement. GFI’s Product Development team utilizes the Agile software development methodology for development, testing, verification, and validation.
GFI understands that, to be more effective, information security must be integrated into the Software Development Life Cycle (“SDLC”) from system inception. Early integration of security into the SDLC enables GFI to strengthen its information security practices through:
- Early identification and mitigation of security vulnerabilities and misconfigurations;
- Awareness of potential engineering challenges caused by mandatory security controls;
- Identification of shared security services and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques; and
- Facilitation of timely, informed executive decision making through comprehensive risk management.
Overseeing Sub-Processors of Personal Data
The DPO coordinates with those responsible for sub-processor related activities to raise awareness of, and to institute methods for, selecting sub-processors that are capable of maintaining appropriate safeguards for Personal Data. The DPO also works with legal counsel to develop and incorporate standard contractual protections applicable to sub-processors, which require such providers to implement and maintain appropriate data protection safeguards. Sub-processors may also be subject to periodic risk assessment.
Data Hosting Services
Generally, GFI utilizes data hosting services provided by Amazon Web Services, Inc. (“AWS”), and access is controlled by AWS according to its data protection policies and procedures. You can read further details on AWS’ GDPR compliance.
Note that some GFI products may utilize services other than those provided by AWS.
Protecting Access to Data
GFI has established consistent controls over access to its computing resources and to data owned or controlled by GFI. GFI enforces business process controls, data classification policies, and authorization mechanisms that specify the level of access granted to a user, a process, or a system.
GFI has also established requirements for ensuring authorized use of its computing resources through proper user identification and password authentication.
GFI reviews, retains, and disposes of records received or created in the transaction of its business in accordance with regulatory requirements and contractual agreements. GFI works towards eliminating accidental destruction of records while, at the same time, facilitating its operations by promoting efficiency and reducing unnecessary document storage costs. Customer data is retained according to legal and contractual requirements.
GFI’s services are designed to provide data security and integrity. All services are accessed over encrypted connections using industry-standard SSL/TLS. Additionally, the architecture of some services provides further protection by segregating the object data, the indices, and the encryption keys onto physically and logically separate systems.
- Encryption in Transit. Transmissions to and from our Customer Support Portal are encrypted. Encryption is enabled in individual products, depending on their security requirements.
- Encryption at Rest. We are in the process of ensuring that Personal Data within our hosting environment is protected utilizing industry standard encryption approaches.
Data Breach Notification
GFI has developed and implemented a data breach response plan designed to guide employees and contractors on how to report suspected data breaches. Upon becoming aware of a security issue involving Personal Data, employees and contractors must immediately report the matter to the DPO. The plan outlines the steps compliance management takes to investigate potential data security breaches, including a risk analysis of each suspected breach to determine whether the event requires notification under applicable laws. GFI also addresses mitigation and remediation actions as part of its data breach response activities.
Training and Education
The Programme policies and procedures are communicated to relevant employees and contractors during new hire onboarding and annually thereafter as part of the Information Security Programme Training. Notification of significant revisions to existing policies and procedures outside of onboarding and the Information Security Programme Training is communicated via email to relevant employees and contractors. Employees and contractors are also bound by confidentiality provisions.
Periodic Programme Evaluation
The DPO is responsible for evaluating and adjusting the Programme based on the risk identification and assessment activities undertaken under the Programme, as well as on any material changes to GFI’s operations or other circumstances that may have a substantial impact on the Programme.
GFI’s Professional Services team is also available to assist you with customizations or configurations needed for your GDPR compliance undertakings.
Customizations or configurations are not automatically covered by our GDPR product compliance program and maintenance services. You may require a separate professional services engagement to assist you with making the necessary product changes to facilitate your GDPR compliance needs.
If you have any additional questions or need assistance, please contact your GFI Distributor or account manager.
Copyright © 2018. GFI Software IP Sarl and GFI Software Ltd (collectively, “GFI”). All Rights Reserved. These materials and all GFI products are copyrighted and all rights are reserved by GFI. GFI, GFI EndPointSecurity, GFI EventsManager, GFI FaxMaker, GFI LanGuard, and GFI MailEssentials are registered trademarks, and GFI OneConnect and GFI OneGuard are trademarks, of GFI Software IP Sarl in the United States and/or other countries. FaxMaker and LanGuard are registered trademarks of GFI Software Ltd. in the United States and/or other countries. Exinda Network Orchestrator is a registered trademark of Exinda Inc. in the United States and/or other countries. Kerio is a registered trademark of Kerio Technologies Inc. in the United States and/or other countries. All other marks contained herein are for informational purposes only and may be trademarks of their respective owners.
The information in these materials is for informational purposes only and GFI and its affiliates assume no responsibility for any errors that may appear herein. GFI reserves the right to revise this information and to make changes from time to time to the content hereof without obligation of GFI to notify any person of such revisions or changes. GFI MAKES NO EXPRESS GUARANTEES OR ANY GUARANTEES IMPLYING LEGAL INTENT WITHIN THIS DOCUMENT. The content of this document is not intended to represent any recommendation on the part of GFI. Please consult your legal and compliance advisors to confirm that your use of this document is appropriate, that it contains the appropriate disclosures for your business, and is appropriate for the intended use and audience.
This document may provide access to or information on content, products, or services from third parties. GFI is not responsible for third party content referenced herein or for any changes or updates to such third party sites, and you bear all risks associated with the access to, and use of, such web sites and third party content. GFI and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.