Data Security Statement – Quentral srl
Last modified: 20 November 2019
This Data Security Statement forms an integral part of the General Terms and Conditions applied by Quentral srl and it fully implements the provisions contained therein. Unless otherwise specified and set out in this Data Security Statement, every term in capital letters used herein shall have the same meaning as set out in the General Terms and Conditions of Quentral srl and in the Data Protection Agreement.
The scope of this Data Security Statement is to inform the CUSTOMER on the security measures that QUENTRAL has in place to protect Users’ data and privacy. This document cannot be shared by the CUSTOMER with any third party nor can it be disclosed for any reason without the express written consent of QUENTRAL.
3. Responsible Parties
For the purposes of this Statement, two Parties are identified each with its own responsibilities for the fulfilment of an adequate level of security in relation to User’s Data:
- QUENTRAL, which applies the security measures to the infrastructure and provides the CUSTOMER with the tools to protect the Platform. QUENTRAL acts as an external Processor on behalf of the CUSTOMER, which is the Data Controller for the end Users of the Service.
- CUSTOMER, which sets up the Platform, meaning that it sets out the purposes and methods of Personal Data Processing and determines the Service for the end Users. CUSTOMER acts as the Users’ Data Controller for privacy purposes.
4. Organisational measures
4.1. Current laws and applied solutions
QUENTRAL adopts technical and organizational solutions in compliance with EU Regulation 679/2016 on General Data Protection (“GDPR”) and any other applicable Italian laws, unless otherwise indicated by the CUSTOMER through a Data Protection Agreement between QUENTRAL and CUSTOMER.
4.2. Incident and contingency management
The internal working procedure adopted by QUENTRAL entails detection, reporting and communication processes for any incidents or problems causing (or that may cause) damage to Data, Services, Users or the Platform. CUSTOMER shall be notified of any threats, risks, time periods and impact, and whenever possible of any solution, within 72 hours from detection of the security incident.
4.3. Quality and compliance guarantee
- The security of information and systems is constantly verified by QUENTRAL, including by means of annual internal Audits. In its capacity as Processor, QUENTRAL agrees to allow the CUSTOMER, the Controller, should the latter so require, to verify the Processor’s compliance with the provisions of this Data Security Statement.
- QUENTRAL, being the Processor, commits to cooperate with CUSTOMER, the Controller, to support it in the implementation of a privacy impact assessment to the extent possible, given the information at its disposal and the nature of the Processing. The Controller shall bear any reasonable costs related to this obligation to collaborate.
- Controller shall have the right to hire, at its own expense, an independent expert to carry out an Audit to ascertain if the Processor complies with its own obligations arising out of this Data Security Statement. The Controller shall bear any costs related to this obligation to collaborate.
Data retention and protection on QUENTRAL’s servers are continuously and regularly monitored by the Technical Director and by the QUENTRAL staff in charge of this task.
4.6. Human Resources
- To the best of its ability, QUENTRAL agrees and is obliged to act with adequate diligence in carrying out the specific activities that are the object of this Statement. It does so by assigning adequate human, organizational, technological and IT resources and solutions to the tasks to be performed, and by ensuring that its Human Resources are always of high professional standing, taking into due account the risks of Processing related to its Service, the state of the art, the implementation costs, the market of reference and the purpose and target of its Service.
- QUENTRAL, being the Processor, binds the persons authorized to process Data to adequate legal obligations of confidentiality in relation to any Processing operation performed, which continue even after the working relationship with the Processor ends.
5. IT security measures
5.1. Acceptable use of hardware and internal systems
The acceptable use of internal systems and of the hardware is set out in QUENTRAL’s policy of use and in any and each employment contract signed by every employee and contractor of QUENTRAL.
5.2. Development and test
Software development is performed on local devices. Development servers and environments are physically separate from the production servers and environments. Testing and installation are carried out by authorized personnel only. QUENTRAL performs functional, usability, design and vulnerability tests, which are run on separate servers.
All communication between User and software is encrypted using SSL/HTTPS. QUENTRAL uses 2048-bit encryption keys. Passwords are always hashed for storage.
5.4. Data storage and backup
All Client data is stored only on servers compliant with the provisions set out in the GDPR. All Data is backed up on a weekly basis to a separate server. The backup data is encrypted, retained for a period of 30 days and automatically erased thereafter.
5.5. Business continuity
In order to ensure business continuity, we strive to maintain the service parameters described in the SLA.
5.6. Network security
The network connection of QUENTRAL’s office is protected by a firewall; all inbound ports are blocked. QUENTRAL’s server stack consists of a network of servers that do not allow inbound internet traffic unless it is accessed via a secure VPN connection. Only proxy servers listen on the Web ports 80 and 443, and these are physically separate from the servers containing CUSTOMER’s data. Only authorized personnel have access to the servers via VPN using personal keys. Only a subset of our employees (Tech Department) can access the servers containing the CUSTOMER’s data. Access to these servers is further restricted through the use of a personal SSH key pair. All servers in QUENTRAL’s Platform have alert packages installed to detect intrusion attempts or other suspicious behaviour. In the event that such attempts or behaviour are detected, QUENTRAL is notified by automatic e-mails. Guests in the office are provided with a separate Wi-Fi connection.
5.7. Antivirus and antispyware protection
QUENTRAL’s office devices and systems are protected with antispyware and antivirus tools.
6. Physical security measures
6.1. Physical allocation
QUENTRAL’s servers are hosted in QUENTRAL’s own environment and in a protected Amazon AWS environment. Sensitive paper files are stored in QUENTRAL’s office in a secured room, in locked cabinets. The building is protected with a key supplied to a limited number of employees for security purposes.
All office laptops are encrypted and password-protected. Additional policies, such as the device set-up policy, password criteria and remote access criteria, apply to all employees.
6.2. Use of removable devices for data storage
QUENTRAL does not store Personal and/or Sensitive Data on removable USB flash drives. All Personal and/or Sensitive Data collected through the Platform is stored on secure servers and, occasionally, on encrypted and password-protected office laptops.
6.3. Reuse of hardware
Any device containing Data is reset to default settings and then rechecked for any remaining Data or software traces. When hardware is reused, after the reset the employee is provided with a password-protected personal account.
7. Data Collection and exclusion of liability
7.1. QUENTRAL, in its capacity as Data Processor, receives and processes personal Data on behalf of the CUSTOMER which is the Users’ Data Controller.
7.2. QUENTRAL shall never act as Data Controller; the CUSTOMER shall be considered the sole Data Controller.
7.3. The type of personal Data collected through QUENTRAL’s Platform will depend on the Content uploaded by the CUSTOMER and by the end Users of the Service. CUSTOMER shall be responsible for providing its Users with all the information required by law, such as the purpose for which the processing of personal Data is intended and the legal basis for that processing. The CUSTOMER undertakes, in particular, to comply with, and to have its Users comply with, the provisions set out in art. 22 “Obligations of CUSTOMER and User” and in art. 25 “Acceptable use policy” of the General Terms and Conditions.
7.4. CUSTOMER and Users shall be solely responsible for the Contents and any other information uploaded to QUENTRAL’s Platform, as well as for how they use the Service. QUENTRAL shall not accept any responsibility or liability, nor may it be held liable or responsible in any way, for any Content and/or information uploaded to QUENTRAL’s Platform under the General Terms and Conditions signed with the CUSTOMER and/or arising from the use of the Service by the Customer’s Users.