We have been carefully studying the GDPR and understand the impact on you, our customer, and the necessary actions we need to take to satisfy its requirements. Here is a summary of what we’ve learned and the actions that we are taking. Please reach out to us at [email protected] should you have any questions.
The General Data Protection Regulation (GDPR), the EU’s omnibus privacy law that replaces the Data Protection Directive 95/46/EC, aims to bring order to a patchwork of privacy rules across the EU. The GDPR became enforceable as law in all EU member states on May 25, 2018. If you would like to read the full GDPR, please find it here.
The GDPR is European legislation designed to harmonize data protection across the EU. It imposes new regulations for companies to protect consumers regarding data processing, access, and security, in addition to tougher enforcement for breaches of the rules.
The GDPR was created around six core principles (Article 5) for personal data, which are as follows:
Lawfulness, Fairness and Transparency – Processed lawfully, fairly, and in a transparent manner in relation to data subjects.
Purpose Limitation – Collected for specified, explicit, and legitimate purposes and not processed beyond those purposes.
Data Minimization – Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy – Accurate and, where necessary, kept up to date.
Storage Limitation – Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and Confidentiality – Processed in a manner that ensures appropriate security of the personal data.
The GDPR contains security, recordkeeping, access rights, and notification procedures that companies must implement to ensure compliance. Issues that are attracting particular attention include increased administrative requirements and the need to provide the tools necessary to meet the numerous obligations on both controllers and processors.
GDPR and Evisort
Evisort takes its legal and regulatory obligations seriously. Moreover, we take data privacy and security very seriously. The core of our business involves the collection of contracts on behalf of our customers, which almost always includes personal data. We constantly work to ensure we collect, process, and share the data we deal with in a lawful and transparent manner.
There are two primary roles in the GDPR structure: Controller and Processor. Our customers provide the contracts and have a relationship with the data subjects involved, and as such, our customers are considered the Controller. Evisort, which provides a software application that utilizes artificial intelligence to extract, classify, and track key provisions in such contracts on behalf of customers, is considered the Processor. As Processor, it is our duty to assist our Controller customers so that they may be compliant with the GDPR.
To that end, we wanted to share with the Evisort community some information about Evisort’s practices and procedures related to data collection and GDPR compliance. These are the relevant features of our technology that allow our Controller customers to satisfy key requirements of the GDPR:
Processing records analysis – We carried out a company survey to identify and assess what personal data we hold, where it comes from, how and why it is processed, and if and to whom it is disclosed.
Data retention policies and procedures – We have reviewed our data retention and data erasure policies to be in line with the minimization standards of the GDPR.
Data protection policies and procedures – Our main policy and procedure document for data protection has been reviewed to be in line with the GDPR standards and requirements. Such policies and procedures include policies related to backup and business continuity, cryptography, disaster recovery, strong passwords, access control, risk assessment, vulnerability management, and other administrative, technical, and physical security policies.
Data breach policies and procedures – Our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate, and report any breach at the earliest possible time. Our procedures are robust and have been disseminated to all employees, making them aware of the reporting lines and steps to follow.
International data transfer adequacy mechanism – We have prepared an EU Standard Contractual Clause to ensure appropriate safeguards are in place to handle any transfer of personal data from the EU.
Request permanent removal – To have personal data in your contracts permanently deleted from our database, email [email protected] with the contracts that you would like expunged from our database and we will delete them for you. Once deleted, there is no opportunity for recovery.
Security: The Evisort platform has a large number of enterprise security features that make us the trusted platform for thousands of companies, ranging from small start-ups to the Fortune 500. Evisort has implemented appropriate technical and organizational measures in line with the requirements of the GDPR to ensure that the level of security of personal data is appropriate to the level of risk associated with processing such personal data, and to help ensure the protection of the rights of individuals.
Some of the highlights of the security measures we’ve put in place include:
Security processes – Evisort has implemented policies and procedures related to cloud security management, server security management, network security management, identity and access management, and employee security training.
Security policies – Evisort’s security program is based on ISO 27001 standards.
SOC 2 Type 2 Certified – Evisort is SOC 2 Type 2 certified and our system is equipped with automated monitoring.
Vulnerability management – Evisort undergoes regular penetration testing by disinterested third parties and continuous vulnerability monitoring to maintain the security of our solution.
Data control and monitoring – Evisort has continuous monitoring in place, including network and host intrusion detection. We keep full audit logs and conduct vulnerability scans regularly.
Secure Amazon Web Services hosting – Evisort is hosted on Amazon Web Services but can be made available for on-premise deployment for enterprise clients.
High encryption standards – Data is encrypted at rest and in transit (AES-256).
Customized access control – Evisort allows clients to create and manage different levels of user access privileges, such as admins and read only users. Admins can also define which users have access to certain documents and folders.
World-wide bounty program – Evisort runs a world-wide bounty program where white-hat hackers are offered payment to discover vulnerabilities in Evisort’s system.
A full overview of our security architecture can be found at our Product Security webpage.
GDPR contract update: Both Evisort (Processor) and its customers (Controllers) are jointly and separately responsible for certain actions under the GDPR. Therefore, the GDPR requires shared responsibility to protect an individual’s privacy rights. GDPR Article 28 requires that a contract be in place between a Controller and a Processor. Evisort’s Terms and Conditions provide the fundamental legal requirements and obligations regarding data ownership, confidentiality, and processing responsibilities. However, if you would like to execute a separate Data Processing Addendum (DPA) with Evisort with GDPR-specific language, please email us at [email protected].
GDPR roles and employees: Evisort has designated Joe Zhou as our Security Officer to develop and implement our roadmap for complying with the GDPR. He is responsible for promoting awareness of data privacy and GDPR across the organization, assessing our GDPR readiness, identifying any gap areas, and implementing new policies, procedures, technologies, and measures to address such gaps.
Evisort understands that continuous employee awareness is vital to continued compliance with the GDPR and has involved its employees in its preparation plans. If you have any questions about our preparation for the GDPR, please contact Joe Zhou at [email protected].