What is GDPR?
The GDPR is a set of key legislation governing data privacy and security for EU citizens, residents, and organizations operating in or doing business with residents of the EU. The regulation has been in effect since 25th May 2018. Under it, individuals get more control over how their data is collected, used, and protected, and businesses are liable for the safety of their customers' information and are subject to penalties for any violations.
At Site24x7, we care deeply about the privacy and security of all customer and performance data sent to Site24x7 for processing, so we have implemented GDPR controls as our baseline standard for all our operations worldwide.
Before we go into detail about the various provisions and security measures that Site24x7 has implemented to be GDPR compliant, let's get some definitions out of the way.
Personal data: Information related to an identifiable natural person.
Data subject: The person whose personal data is processed.
Data controller: Determines the purpose and means of the processing of personal data.
Data processor: Processes personal data on behalf of the controller.
Site24x7's compliance with GDPR
As a data controller
Site24x7 processes limited personal data (account information) of our customers when they sign up for our service. We have taken measures to ensure this is done in accordance with all data protection laws, such as the GDPR.
As a data processor
Site24x7's products are focused on the performance of websites, infrastructure, networks, and applications. Our agents and probes don't collect any personal information by default. In essence, Site24x7's primary obligation is to function as a data processor for our customers.
We encrypt customer-centric data such as domain names, user names and passwords, third-party service API keys, and webhook URLs by default, along with PII such as email addresses, mobile numbers, and IP addresses.
Our monitoring agent uses an HTTPS connection to send performance data from the user environment to Site24x7 servers. Our servers are located in best-in-class data centers across the globe and are SOC 2 Type II compliant.
Rights of the data subject
Email and phone number confirmation: A Site24x7 user starts receiving email, SMS, or voice-based alerts and reports only after they successfully verify their email address or phone number.
Right to access
Any time personal data is accessed (including read and write operations), the access is thoroughly audited on our end.
Right to rectify
Customers with requisite user permissions can manually log in to Site24x7's web client using their valid credentials and correct their inaccurate or incomplete personal data. Additionally, they can update any personal data using our documented RESTful APIs.
Right to erasure
Once a user initiates termination of their Site24x7 account, Site24x7 retains the user's data for 30 days before erasing it completely. Immediate erasure is also available on the user's request.
Right to data portability
Users can request that Site24x7 securely migrate their data from our data centers in the US, India, China, or Australia to the ones in the EU, and vice versa, without affecting the usability of that data. Users can also securely log in to their account and export the sub-users list, the monitor metadata, and the reporting data in CSV format. The sub-users list includes information on data subjects, and the monitors list includes information on monitored networks and resources.
Does Site24x7 use sub-processors?
Site24x7 uses public cloud providers and other service providers to better support our customers. You can find a list of sub-processors along with the type of service they provide here.