Introduction
The European Union has taken steps to protect the fundamental right to privacy of every EU resident with the General Data Protection Regulation (GDPR), which applies from May 25, 2018. EU residents now have a greater say over what personal data is collected and how, why, where, and when it is used, processed, or disposed of.
The Regulation also clarifies that EU personal data law applies beyond the borders of the EU. Any organisation that handles EU residents' personal data in any manner, irrespective of its location, has an obligation to protect that data.
Odex’s Commitment
Odex Software provides Software as a Service (SaaS) to the outdoor advertising industry. Odex follows the steps set out in the GDPR to ensure full compliance with the Regulation.
Odex provides a processing platform into which data is entered by users via the web and a desktop application. No data is held for any purpose beyond the scope of the client's own use. The client is fully responsible for the accuracy of the data entered. Data is entered by the client, or by Odex at the client's request, but ownership and management remain with the client. In this respect Odex is a Data Processor and not a Data Controller; as such, tools are provided so that the client can complete any request it deems appropriate under the GDPR.
In accordance with Article 28(3)(a) and Article 29, Odex processes personal data only on the client's documented instructions, and in accordance with Article 32 the personal data we process is stored securely. If Odex believes that a client's instruction conflicts with the requirements of the GDPR or other EU or Member State law, Odex's Data Protection Officer will inform the client immediately, as required by Article 28(3)(h).
Odex will contact the client's assigned DPO contact whenever Odex needs to publish updates or changes relating to the GDPR or to data protection. In the event of a data breach, Odex follows specific steps for notification and communication; these are detailed later in this document.
Datacentre Security
A. PHYSICAL SECURITY STANDARDS AND ACCESS
To underline our commitment to security best practice, our data centre is hosted in the Microsoft Azure cloud environment, in the Netherlands. Microsoft Azure is responsible for selecting adequate and proportionate physical and environmental security controls to protect all information assets in the data centre. For more information on Microsoft Azure security controls, please refer to the following article: https://learn.microsoft.com/en-us/azure/azure-government/azure-secure-isolation-guidance
B. VIRTUAL SECURITY
The Odex environment is protected by a firewall solution. Each server also runs a local firewall that exposes only the required ports to the public internet. Endpoint protection (anti-virus) software runs on the servers, and inbound traffic is scanned for attack signatures; any IP address suspected of an infiltration attempt is blacklisted and blocked.
C. DATA SECURITY
Only senior Odex staff members have database access, and that access is limited to the data required for development and support purposes. General support staff do not have direct database access.
D. STORAGE SYSTEMS & BACKUPS
All Odex data is stored in databases hosted in the Azure cloud environment. Backups are taken daily to the Azure Blob Storage service and retained for a 30-day period.
Failure of an individual storage device is handled by the replication built into Azure Storage and does not result in data loss. Where a restore from backup is required, data can be restored within 12 hours.
Data Access and Ownership
A. ACCESS TO DATA
Login access is granted by client administrators, who issue login credentials to users. Passwords must meet a strong password policy, including a minimum password length and an alphanumeric format. New accounts are created via an email activation process: first-time users receive a one-time PIN by email, which they must enter before creating a unique password that meets the password policy. Passwords are not accessible once set, but can be reset using the forgotten-password functionality. Odex also has systems in place to automatically block logins, or to restrict users to logging in only from specific MAC addresses.
Data stored by Odex is accessible to the client through the Odex portal. The client administrator has full access to amend and update all data. On request, an audit log can be provided detailing which users logged in and the times at which they did so.
B. ODEX ACCESS
Odex staff may access a client's data only via an approved login, or via the database over VPN from whitelisted IP addresses. All such access is recorded in an audit trail and logged for security purposes. In accordance with Article 29, Odex staff are not permitted to access or amend a client's data without the consent of the client's administrators. Once consent is received, access is available only to approved developers and approved support staff; general Odex employees do not have access to client data. In accordance with Article 28(3)(b), all Odex personnel authorised to access or amend client data have undergone appropriate training and are under an obligation to keep that data strictly confidential.
C. DATA SHARING
Odex does not use any client data for marketing or research purposes. In accordance with Article 28(2) and (4), client data is not shared with third parties or third-party services without the client's consent. Where data is shared for purposes such as financial integration, CRM/customer integration, campaign integration or digital player integration, the client is required to provide written consent, unless this was already agreed on execution of the service agreement. The third party is deemed a sub-processor and, in accordance with Article 28(4), must be appointed on the same data protection terms as those agreed between the client and Odex.
D. SENSITIVE DATA
Odex processes some personal data; this data is accessible only from valid logins with the required permissions. The personal data includes the following:
- Client Users: Names, titles, contact numbers, addresses, emails, and IP addresses.
- Client customer contact details: Names, titles, contact numbers, addresses, and emails.
- Customer contact activities: Related to Proposals/Campaigns/Landlord/Operations and Invoices.
Users without the required permissions have no means of accessing this personal data.
GDPR Specifics
A. RIGHT TO DELETE DATA
Odex understands that it is the client's right to delete any or all data from the Odex system. The client can exercise this right under the GDPR by logging in to Odex, locating the data in question and deleting it. Where a larger volume of data needs to be deleted, Odex can perform the deletion on request.
B. RIGHT TO ACCESS DATA
Odex understands that data subjects have a right of access to their personal data through subject access requests. Odex provides tools that allow users with the required permission to retrieve a Personal Report detailing all personal data stored in Odex for a given individual. It is the client's responsibility to manage access to this data: in accordance with Article 15(3) of the GDPR, it is the controller who provides the data subject with a copy of the personal data undergoing processing.
C. NOTIFICATION OF A DATA BREACH
In the event of a personal data breach, Odex will, in accordance with Article 33(2), inform the affected client's Data Protection Officer without undue delay. Notifications will contain the following:
- An outline of the breach.
- A contact point for obtaining more information; and
- Recommended measures to mitigate any possible adverse effects from the breach.
D. ODEX COMMUNICATION
Odex's primary means of communication is email. Any product updates, changes or other matters that may affect end users are communicated to the client's key contact; this is usually the user who completed the sign-up process. All other emails from Odex are sent via email subscriptions that each user can control in their mail settings. Group-wide communications are managed by the client's system administrator.
E. ACCESS TO THIRD-PARTY DATA
Odex may, where needed, require access to personal data provided by third parties. Before integrating with any such third party, the client must sign a consent form allowing Odex to process the required data from that third party. Odex will not share or use this data for any purpose without the client's consent.
F. REMOTE ACCESS
From time to time Odex may require remote access to a client's environment. This is carried out via Microsoft Teams, VPN access or TeamViewer. Access is permitted only where the client has approved a stored login process or provides a one-time login, in which case the token in use is valid for that single session. Where access is not provided, Odex will not be able to provide remote support.
G. RETENTION OF DATA
Odex retains processed data for the duration of the agreement. On termination of the agreement, the data can be exported or deleted on request.
H. DATA PROTECTION OFFICER
In accordance with Article 37, Odex has appointed a Data Protection Officer. Their role includes:
- Informing clients of any changes to, or obligations under, the GDPR
- Ensuring that Odex is compliant and meets all requirements set out in the GDPR
- Addressing any data protection issues or requests directed to Odex
The Data Protection Officer can be contacted by email below:
Email: marius@odex.systems