ConnectyCube Shares its Ways to GDPR Compliance

ConnectyCube
Jul 10, 2018 · 9 min read

This year many companies are struggling to comply with GDPR (General Data Protection Regulation). You have most probably heard about it at some point.

The regulation took effect on May 25th, 2018 and aims to give EU citizens back control over their personal data.

Who should care about this change?

GDPR applies to both companies operating in the EU and non-EU companies that have users in the EU. The regulation identifies two roles: data controllers (person or organisation that determines the purpose and means of personal data processing) and data processors (person or organisation processing data on behalf of the controller). Both of them should comply with its requirements.

As a UCaaS provider, ConnectyCube provides a backend and SDKs that simplify chat and video calling application development. Therefore, we deal with two types of user data:

1. Account owner (our client) data. We are data processors for our customers, so we needed to take some steps to comply with the regulation.

2. API users (client’s customers) data. Our customers are also data processors for their end users, so we took care of their compliance and added features they might need for that purpose as well.

So, what should be done to comply with the regulation?

First of all, let’s identify what personal data means. According to the law, it is any information that can directly or indirectly identify an individual. It may relate to a person’s professional, private or public life. For instance, it can be a name, username, email address, bank details, medical information, work performance details, photo, location, IP address, education, purchases, etc.

What does this mean for cloud providers?

Let’s have a look at the major changes we made on this track.

Right to erasure (Forget me)

For this requirement we have implemented a Delete account option in ConnectyCube Dashboard >> Privacy and Settings.

For API users (end users) we have the following options to delete their accounts:

1. The account owner can delete users from their app via the Dashboard >> Users tab at the user’s request.

2. A user can delete their own account via the API. We have the following code implemented for this case:

a. JS

b. iOS

c. Android

Notify 3rd parties for erasure

Data controllers and processors also have to make sure that the information no longer appears in search results. This part concerns only public profile pages that are crawlable by Google. Ideally, the page of the deleted personal data should return a 404 HTTP status.

Since ConnectyCube provides an option to use Firebase phone authentication to verify users via SMS, our account deletion code also calls the Firebase API to remove the user from Firebase’s records when the user deletes their account.

Restrict data processing

  • Individuals have a right to ‘block’ or suppress processing of personal data.

This means that data processing should be restricted if the customer decides so. When the customer selects this option, the profile should be marked as restricted. As a result, it should no longer be visible to back office staff or publicly.

  • When processing is restricted, you are permitted to store the personal data, but not further process it.

At ConnectyCube we have implemented a special checkbox so that our customers can restrict processing of their data. When this checkbox is unchecked, a field in the database is set to denote that this user’s data must be excluded from statistics gathering and further data processing. Customers can manage it in two places:

1. At account registration

2. In Dashboard >> Privacy and Settings

Data portability

We have the following options for data export:

1. Button in ConnectyCube Dashboard >> Privacy and Settings to export the Account Owner’s profile data as a CSV file.

2. Button in Dashboard >> Users to export application users (you can export only selected users or all users). You can also export a single API user profile via the Edit profile section in Dashboard >> Users.

3. Button in Dashboard >> Chat to export chat history (you can export only selected chat dialogs or all dialogs).

4. Application user export via the API. We have an option to retrieve user data via the API, and our customers can use it to implement user export in their app. The code for retrieving users can be found at the following links:

a. JS

b. iOS

c. Android

Edit profile

For this case we have the following options:

1. The account owner can update their profile data in Dashboard >> Profile.

2. API user profile data can be updated by the ConnectyCube account owner via the Edit profile option in Dashboard >> Users.

3. Application users can update their data via the API. For that purpose our customers can implement the corresponding code in their app:

a. JS

b. iOS

c. Android

Newsletters and direct marketing

ConnectyCube has implemented a checkbox where the customer can indicate whether they would like to receive marketing emails. It is available:

1. At account registration

2. In Dashboard >> Privacy and Settings

According to the regulation, it is necessary to re-request customers’ consent to receiving marketing emails even if it was given earlier, when the checkbox was not in place or was checked by default.

We emailed all our customers who had previously given their consent for data processing and asked them to confirm that this is still the case by checking this option in their account.

The right of access

  • Individuals have the right to access their personal data and supplementary information.
  • The right of access allows individuals to be aware of and verify the lawfulness of the processing.

At ConnectyCube we had it already in place:

1. The account owner can view their personal details in the Dashboard >> Profile section.

2. For API users we have an option to retrieve user data:

a. JS

b. iOS

c. Android

Age check

ConnectyCube has implemented an age check radio button at registration.

We have also added an age check checkbox in Dashboard >> Privacy and Settings in case the customer needs to change the setting later.

Logging

At ConnectyCube we do not log anything by default and the server log level is set to fatal. Moreover, we have a filter for sensitive information: if any sensitive data fields, such as password, are logged, their values are replaced with asterisks, i.e. ****.
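As an added illustration of the kind of log filter described above (this is example code, not ConnectyCube’s server code), the block below masks sensitive fields in structured log data and in free-text key=value pairs, and drops records below the configured level. The field names, level names and sample records are assumptions.

```javascript
// Added example (not ConnectyCube's server code): a log filter that replaces
// the values of sensitive fields with asterisks before a record is written.
// The field list, level names and sample records are constructed assumptions.
const SENSITIVE_FIELDS = new Set(["password", "old_password", "token", "authorization"]);
const MASK = "****";
const LEVELS = { debug: 0, info: 1, warn: 2, error: 3, fatal: 4 };

// Deep-copies `value`, replacing the value under any sensitive key (matched
// case-insensitively) with the mask. Arrays and nested objects are walked;
// primitives are returned unchanged. Objects seen before (cycles, or the same
// object referenced twice) are replaced with a marker instead of recursed into.
function maskSensitive(value, seen = new WeakSet()) {
  if (value === null || typeof value !== "object") return value;
  if (seen.has(value)) return "[Circular]";
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => maskSensitive(v, seen));
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    out[key] = SENSITIVE_FIELDS.has(key.toLowerCase()) ? MASK : maskSensitive(v, seen);
  }
  return out;
}

// Masks "password=secret" style pairs inside free text (a logged query string
// or form body), so a value cannot escape the structured filter via a string.
const KV_PATTERN = new RegExp(`(${[...SENSITIVE_FIELDS].join("|")})=([^&\\s]+)`, "gi");
function maskText(text) {
  return text.replace(KV_PATTERN, (_, key) => `${key}=${MASK}`);
}

// Formats one log record, or returns null when the record is below the
// configured threshold (the post says the server runs at the fatal level).
function formatLogRecord(level, message, data = {}, threshold = "fatal") {
  if (LEVELS[level] < LEVELS[threshold]) return null;
  return `${level.toUpperCase()} ${maskText(message)} ${JSON.stringify(maskSensitive(data))}`;
}
```

The key list has to be kept in step with the actual field names the application logs; a value under an unlisted key (or a phone number inside a message body) passes through unmasked.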

List of all activities personal data is used for

We have checkboxes in place, with the activities explained, so that our customers can decide whether they would like to give us consent for data processing for each of those purposes. The checkboxes can be found:

1. At account registration

2. In Dashboard >> Privacy and Settings

Anonymising collected data to protect privacy

In order to comply with the regulation, ConnectyCube does not include personal data when gathering statistics. We use account IDs for that purpose, so in statistics we can see only that a particular account ID has generated a particular number of API calls, for example, but not who the account owner is.

Pseudonymisation

ConnectyCube anonymises all personal data when creating a QA server from a copy of the Production server. This means that, instead of real user data, the QA database contains random strings.

Data breach notifications

At ConnectyCube we care about customer security, and according to our policy, if we discover a data breach we will inform the affected customers about it as soon as possible.

Privacy Policy

ConnectyCube has a Privacy Policy page, accessible directly from our website, that informs our customers about the ways in which, and the purposes for which, their data may be collected, stored and processed.

There is plenty to be found on the Internet about GDPR these days. However, the information is unclear on some points, and nobody can be 100% sure of understanding all of it correctly and implementing it as intended. Don’t panic though. According to the law, you should not expect fines immediately if you miss something. At first you might get a warning and still have some time to correct it.

But you will agree that in any case it is better to prepare as much as possible and be ahead of the game. So, ConnectyCube did what it could. And it’s just a start. Time will tell how it goes.

This is our way to GDPR compliance. Hope you’ll find our information useful.

Good luck!

Written by ConnectyCube

ConnectyCube is a unified API for instant messaging, video calling and push notifications for native iOS, Android and hybrid mobile and web JS applications.