We have taken great effort to being ready for the General Data Protection Regulation (GDPR) and have implemented the necessary measures to continuously improve GDPR related aspects of how we as a company and how the Desk-Net application works.
As a matter of fact we have been subjected to the extremely strict German data protection regulations before GDPR for years. Countless lawyers and data protection officers on our customers‘ side have reviewed and approved both our contractual documents and how we operate. In case of ambiguity or when a necessary improvement to these aspects had been identified we have made sure to meet the client’s requirements by implementing the necessary changes.
Desk-Net as Your Data Processor
The GDPR distinguishes between the Controller and the Processor of personal data in a customer - client relationship like we at Desk-Net have with our customers.
You as our customer are the Controller and remain the owner of your data whereas we function as your Processor.
What We Use Your Data for
The data you provide us with is being entered and used primarily inside the Desk-Net application by the users in your organisation. We also use personal data to provide support and communications services which are related to your use of the Desk-Net application.
For development and related testing purposes we anonymize data so that it no longer counts as personal data.
We do not sell any of our customers' data and do not use it in any way unrelated to the task of providing our customers with the Desk-Net application.
We have outsourced three main areas of our operations to two partner companies which are currently outside of the European Economic Area (EEA).
- Hosting of the Desk-Net application
- Maintenance and operations
- Continuous development of the application
We host at Amazon Web Services (AWS) which is the worldwide leader in hosting for Software-as-a-service solutions like Desk-Net.
While our contractual partner is Amazon Web Services, Inc. in the US we host exclusively on servers which are located in the EU (currently only in Ireland).
AWS guarantees the compliance with GDPR for these services. AWS‘ data security and protection measures have been certified numerous times.
As of July 1st, 2018 we will no longer be using Amazon Web Services, Inc., but AWS Europe (Luxembourg, EU).
The software code of the Desk-Net application is implemented by a dedicated team in the Belorussian development center of our outsourcing partner Intetics.
For this development only anonymized database copies are used when needed so that these tasks are not subject to GDPR.
The entire development center is certified according to ISO27001.
Maintenance and Operations
In day-to-day operations the application is managed by a dedicated team at our partner Intetics. Via our contractual partner Intetics GmbH (Germany, EU) these tasks are performed by Intetics‘ Belorussian development center.
While the production system and its data resides only on servers inside the EU a strictly limited and small number of members of that team has access to that system.
In order to comply with GDPR this setup is secured via EU Standard Contractual Clauses (SCC). They ensure that the team complies with European data protection standards, i.e. the GDPR. This setup has been checked numerous times by experts on the customers' side. However, as quite a few customers have a corporate policy of not allowing any data outside of the EU we are in the process of setting up a dedicated maintenance and operations team inside the EU. Once this setup process is completed in late 2018 only members of this team inside the EU will have access to the production system.
This team already works according to ISO27001 guidelines and is en route to being certified by the end of 2018.
The GDPR requires us to create and update a range of documents both for our relationship with you, the customer, as well as with our subcontractors.
Please find below a list of documents for your review. Some of them are contracts that need to be signed (or that have been signed with our subcontractors) whereas others are internal documents which we are not legally obliged to make publicly available - but we are doing it anyway, even if anonymized or restricted in parts.
- Data Processing Agreement
This document is an annex to the main Desk-Net Agreement and needs to be signed by both parties. For our German-speaking customers there is a German version (Auftragsdatenvereinbarung - ADV).
- Technical and Organisational Measures (TOMs)
An annex to the Data Processing Agreement referring to Art. 32 GDPR
- Record of Processing Activities
A high-level description of the processes we as a processor are handling for our customers, the controllers (Art. 30 (2) GDPR)
GDPR requires us to have compliant contracts with our sub-contractors. As we know that certain data protection officers like to check these contracts please find below a range of contractual and related documents and links.
- GDPR Contract Addendum
Addendum to our main software development agreement with Intetics GmbH stipulating terms so that our agreement is compliant with Art. 28 (3) GDPR.
- EU Standard Contractual Clauses (SCC)
This is an agreement pre-defined by the EU which requires the Desk-Net team at Intetics' Belorussion development center to adhere to GDPR.
- Intetics - Technical and Organisational Measures (TOMs)
Annex to the SCC signed by Desk-Net and Intetics.
- ISO27001 certificate
Intetics' Belorussian development center has been certified according to this standard.
- Record of Processing Activities - Controller
A document outlining the processes related to personal data that have been outsourced to Intetics (Art. 30 (1) GDPR).
- Record of Processing Activities - Processor
A document outlining the processes related to personal data that Intetics handles for Desk-Net (Art. 30 (2) GDPR).
Amazon Web Services (AWS)
- Data Processing Agreement including Standard Contractual Clauses
Signed between Desk-Net GmbH and Amazon Web Services, Inc.
- AWS ISO27001 Certificate
And more comprehensive information on AWS' ISO27001 and the related ISO20018 certification.
- Comprehensive information by AWS about the EU Data Protection Directive
Includes information to how AWS handles Data Protection Agreements and Standard Contractual Clauses.