SECURITY AND COMPLIANCE


Effective May 25, 2018

GDPR Overview

Passed in 2016, the new General Data Protection Regulation (GDPR) is the most significant legislative change in European data protection laws since the EU Data Protection Directive (Directive 95/46/EC), introduced in 1995. The GDPR, which becomes enforceable on May 25, 2018, seeks to strengthen the security and protection of personal data in the EU and serve as a single piece of legislation for all of the EU. It will replace the EU Data Protection Directive and all the local laws relating to it.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new European privacy law that goes into effect on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also known as Directive 95/46/EC, and will apply a single data protection law throughout the EU.

Data protection laws govern the way that businesses collect, use, and share personal data about individuals. Among other things, they require businesses to process an individual’s personal data fairly and lawfully, allow individuals to exercise legal rights in respect of their personal data (for example, to access, correct or delete their personal data), and ensure appropriate security protections are put in place to protect the personal data they process.

Who does the GDPR apply to?

The GDPR applies to all entities and individuals based in the EU and to entities and individuals, whether or not based in the EU, that process the personal data of EU individuals. The GDPR defines personal data as any information relating to an identified or identifiable natural person. This is a broad definition, and includes data that is obviously personal (such as an individual’s name or contact details) as well as data that can be used to identify an individual indirectly (such as an individual’s IP address).

What is Arcustech’s role under GDPR?

We act as both a data processor and a data controller under the GDPR.

Arcustech as a data processor: When customers use our products and services to process EU personal data, we act as a data processor. For example, we will be a processor of EU personal data and information that gets uploaded into a virtual server. This means we will, in addition to complying with our customers' instructions, need to comply with the new legal obligations that apply directly to processors under the GDPR.

Arcustech as a data controller: We act as a data controller for the EU customer information we collect to provide our products and services and to provide timely customer support. This customer information includes things such as customer name, contact information, and billing details.

What personal data do we collect and store from our customers?

We store data that customers have given us voluntarily. For example, in our role as data controller, we may collect and store contact information, such as name, email address, phone number, or physical address, when customers sign up for our products and services or seek support help.

We separately act as a data processor when customers use our products and services to process EU personal data, such as uploading personal data to a virtual server. Customers decide what personal data, if any, is uploaded to our products and services.

Does the GDPR apply to an individual developer?

Yes, if the individual developer is a customer of Arcustech and they are processing the personal data of EU individuals when using our products and services.

What is the Arcustech Data Processing Agreement ("DPA")?

Customers that handle EU personal data are required to comply with the privacy and security requirements under the GDPR. As part of this, they must ensure that the vendors they use to process the EU personal data also have privacy and security protections in place. Our DPA outlines the privacy and security protections we have in place. We are committed to GDPR compliance and to helping our customers comply with the GDPR when they use our services. We have therefore made our DPA available to all our customers and it can be found here: Data Processing Agreement.

Are customers required to sign the Arcustech DPA?

In order to use our products and services, you need to accept our Master Service Agreement, which, among other things, includes our DPA. By agreeing to our terms of service, you are automatically accepting our DPA and do not need to sign a separate document.

Can a customer share the Arcustech DPA with its customers?

Yes. The DPA is a publicly available document and customers who wish to share it with their customers to confirm our security measures and other terms may feel free to do so.

Do customers need to notify anyone upon accepting our DPA?

No. You are not required to notify us or any third party upon accepting our DPA though, as mentioned above, you are free to do so.

Do we transfer data internationally?

The GDPR replicates the Data Protection Directive restrictions on transferring data outside the EU and prohibits the export of personal data outside of the EU to non-EU recipients unless the export meets certain criteria.

Although we are headquartered in the United States, Arcustech has data centers and customers in the EU. In certain circumstances, we will process personal data that originates from the EU in the United States. We provide a level of protection of privacy that complies with the EU rules. To confirm this, we are working to certify the company under the Privacy Shield. This section will be updated with a direct link to the Privacy Shield web site once the process is completed.

How do we handle delete instructions from customers?

Customers have the ability to remove or delete information they have uploaded to our products. Likewise, customers may deactivate their account and request that all personal data we have collected and stored be deleted, barring any legal need to keep data for longer, such as financial record keeping, legal requests, etc. Contact corporate@arcustech.com for deletion requests or further details.

How can a customer view and download content from our services and transfer it to another provider?

If you need to access and download content from your virtual servers, you can do so in the same manner the data was placed on the virtual servers. Tools such as ssh, sftp, git, svn, rsync, and other data transfer methods can be used. If you are unsure of the best method for your specific needs, please contact our support team.


Copyright 2012-2018 Arcustech, LLC. All rights reserved. MSP
