GDPR Compliance

CloudMQTT and the GDPR

Introduction

The General Data Protection Regulation (GDPR) is an EU regulation on data security and privacy related to personal data, applying to all organizations operating within the EU (as well as non-EU organizations with customers who are individuals in the EU zone). The definition of personal data under GDPR has been boiled down into “any information relating to an identified or identifiable person”. The purpose of GDPR is to harmonize the data protection laws across all member countries of the EU to strengthen the integrity of the individual.

Data Controller vs. Data Processor

GDPR applies to both Data Controllers and Data Processors. The Data Controller is the party who determines the purposes and the manner in which personal data is processed, while the Data Processor is a third party processing personal data on behalf of the Data Controller.

This means that CloudMQTT is both a Data Controller and a Data Processor. We are a Data Controller in the sense that we store personal data such as your email address and billing address. But as a cloud hosting company providing a service (SaaS) on which your data resides, our main responsibility is as a Data Processor, processing your data.

CloudMQTT as a Data Controller

We are following GDPR’s rules regarding how to store personal data, and are honoring the rights of the individual, such as the right to be informed, the right of access, the right of rectification, and the right to be forgotten. Our ambition is to constantly work with integrity, honesty, transparency, and responsibility towards our customers. We have a simple Privacy Policy where we state how we handle your information. If you no longer want to be a customer with us, you can delete or change the information at any time in our console (as long as you don’t have any unpaid invoices).

CloudMQTT as a Data Processor

We have made sure that you, as a customer of CloudMQTT, can follow GDPR. You decide for yourself where you want to host your data by choosing the region of your data center. CloudMQTT is compliant with GDPR and has executed Data Processing Agreements (DPAs) with our subcontractors (including our cloud infrastructure providers) and other suppliers. We also provide a DPA for GDPR, which allows our customers to continue to lawfully transfer EU personal data to CloudMQTT. The DPA is available for agreement in the customer console under the “Agreements” section.

If you are a customer from another provider (Heroku, Azure Marketplace, IBM cloud, etc.), please send us an email to request access to our DPA.

How CloudMQTT handles your Data

CloudMQTT doesn’t know what kind of data you are handling while using our service. We don't look at your data, we don't copy your data to servers other than yours, and all data is encrypted in transit. Data can also be encrypted at rest for additional security, but such encryption has to be handled by you. Therefore, we don't (and will not) "manage" personal data, which means that if you send personal data in your messages, we will not know. However, we temporarily store the data you send us. That data is only kept in RAM or on the hard drive until you have consumed it again. This can be for a millisecond or a month, depending on when you decide to consume the data. Once the data has been consumed, it's gone.

CloudMQTT's Commitment to GDPR Compliance and Data Privacy

We take GDPR seriously, and we’re applying GDPR standards to all our data processing, and not just EU personal data. That way, you will be well positioned with data protection regulatory frameworks around the world when using CloudMQTT.

We have taken several measures to comply with GDPR. Some of them are found below.

Policies and Processes

We have reviewed our internal policies and processes and updated them to be compliant with GDPR’s regulations. This concerns everything from our Data Retention Policy to Business Continuity Plan to how we train our staff in security and how to handle personal data. We have also made an inventory of what personal data we handle in our business, as well as a data flow mapping of personal data.

Data Processing Agreement (DPA)

For all our customers who collect personal data from individuals in the EU, we offer a DPA. Our DPA offers terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers and their data. The DPA is available for all our customers in their control panel under the section “Agreements”.

Data Protection Officer (DPO)

A DPO is a person at a company or organization who is responsible for reviewing and reporting on internal procedures regarding the handling of personal data. According to Article 37 of the GDPR, a DPO must be appointed if:

  • you are a public authority (except for courts acting in their judicial capacity);
  • your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or
  • your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses.

None of these criteria apply to 84codes, but because of our dedication to the integrity of our customers, we have decided to appoint a DPO even though we’re not legally obligated to do so. Our DPO is Lovisa Johansson. She has more than 10 years of experience in programming and has been working with the GDPR implementation at 84codes. She can be reached at compliance@84codes.com.

Security

A certain amount of confidence is needed when relying on third-party vendors to manage and handle your online data securely. We understand that even small gaps in security coverage can put everything at risk, including your data, customer information, uptime, and potentially a company’s reputation. Therefore, we want to assure you that security is something we prioritize above anything else.

A well-built environment starts with high coding standards that guard against attempted security breaches. Our system components undergo tests and source code reviews to assess their security before the code is added to production. We use SSL/TLS to secure data in transit. SSL certificates are updated on a regular basis or in the event of a security advisory from external security centers. Data can be encrypted for additional security at rest. IP whitelisting is also an option.

If you want to know more about how we’re dealing with your data, please read our Security Policy, in which you can also find the Technical and Organizational Measures (TOMs) we have taken for GDPR compliance.

Breach Management

We have updated our internal breach management plan with regard to the GDPR regulations concerning the escalation process and requirements for notification.

Third Party Selection

When we work with external suppliers or subcontractors, we require them to apply at least the same security standards as us. We also make sure that they are GDPR compliant and establish a DPA with them when applicable.

Data Centers

When using CloudMQTT, your data is hosted in AWS data centers. Below you find a link to what AWS is doing with regard to GDPR:

GDPR FAQ

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new European privacy law that goes into effect on May 25, 2018. The GDPR will apply a single data protection law throughout the EU.

The law governs the way that businesses collect, use, and share personal data about individuals in the EU. Among other things, it requires firms to process an individual’s personal data fairly and lawfully and to allow individuals to exercise legal rights in respect of their data, for example to access, correct or delete their personal data. The law also requires that appropriate security protections are put in place to protect the personal data they process.

Who does the GDPR apply to?

The GDPR applies to all entities and individuals based in the EU and to entities and individuals, whether or not based in the EU, that process the personal data of EU individuals.

The GDPR defines personal data as any information relating to an identified or identifiable natural person. This includes data that is obviously personal, such as an individual’s name or contact details, as well as data that can be used to identify an individual indirectly (such as an individual’s IP address).

Does the GDPR apply to an individual developer?

Yes, if the individual developer is a customer of CloudMQTT and they are processing the personal data of EU individuals when using our products and services.

What is CloudMQTT’s role under GDPR?

CloudMQTT is both a Data Controller and a Data Processor. We are a Data Controller in the sense that we store (customer-related) personal data such as your email address and billing address. But as a cloud hosting company providing a service (SaaS) on which your data resides, our main responsibility is as a Data Processor, processing your data.

What have we done to comply with GDPR?

We have conducted an analysis of our operations to ensure we comply with the new requirements of the GDPR. We have, with the help of external advisors, reviewed our services, terms, privacy policy and arrangements with third parties for compliance with the GDPR.

What personal data do we collect and store from our customers?

In our role as Data Controller, we may collect and store contact information, such as email address and physical address, when customers sign up for our services or seek support. We may also collect other identifying information from our customers, such as IP address, PayPal ID, SSH public keys or OAuth tokens for external services.

We separately act as a Data Processor when customers use our service to process personal data belonging to individuals in the EU. Our customers decide what personal data (if any) is sent via our services.

Do you provide a data processing agreement (DPA)?

Yes. Our DPA offers terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers and their data. The DPA is available for all our customers in their control panel under the section “Agreements”.

Are customers required to sign the DPA?

Yes. If the customer is using CloudMQTT to process personal data belonging to individuals in the EU, a DPA has to be in place between CloudMQTT and the customer according to Article 28(3) of the GDPR.

Can a customer share the DPA with its customers?

Yes. Customers who wish to share the DPA with their customers to confirm our security measures are allowed to do so.

Do customers need to notify anyone upon accepting our DPA?

No. You are not required to notify any third party or us upon accepting our DPA.

Do you have a DPO?

Yes. Her name is Lovisa Johansson, and she can be reached at compliance@84codes.com.

Further Information

If you have any questions regarding GDPR and your use of CloudMQTT, or other legal or security-related questions, feel free to email compliance@84codes.com.

Please note that this page is for informational purposes only, and should not be considered legal advice.