Zadara is committed to GDPR compliance across our storage services. Zadara is also committed to helping our customers to be compliant when enforcement begins May 25, 2018.

Defining GDPR

The General Data Protection Regulation (GDPR) is a new European privacy law, due to become enforceable on May 25, 2018, that protects European Union (EU) citizens’ right to privacy. It introduces robust requirements that will raise standards for data protection, security, and compliance. The GDPR will replace the existing EU Data Protection Directive, and is intended to harmonize data protection laws throughout the EU.

Personally Identifiable Information (PII) is any data that can be used to identify a specific individual. Phone number, email address, passport/ID number, and even digital images are all included. GDPR grant people greater control over their PII, while imposing strict obligations on organizations that collect, handle, or analyze personal data. It also imposes heavy fines for non-compliance and data breaches.

What are the customer’s responsibilities?

Zadara customers, that use the Zadara storage service to store personal data, typically act as the data controller for any PII they keep. The data controller determines the purposes and means of the personal data. Zadara keeps and protects the data on behalf of its customers. In GDPR terminology, when the data controller is using the Zadara storage services Zadara is a data processor that processes personal data on behalf of the data controller.

Data controllers are responsible to implement the needed technical and organizational measures to ensure that personal data is kept and processed in compliance with the GDPR requirements.

The data controller needs to make sure the data subjects are well-informed about the use of their data and trust that it will be processed securely and only for purposes of which they are aware. The data controller is also responsible to notify the data subject in any incident of a security breach.

For the specific controls, Zadara customers should seek legal advice relating to GDPR obligations, as these must be tailored to any specific situation.

What are Zadara’s responsibilities?

A GDPR data processor is a person or organization who deals with personal data as instructed by a controller for specific purposes and services offered to the controller. Zadara is a data processor for the storage services provided to its customers.

Since the processing services Zadara provides are storage services, Zadara’s main responsibility is to be the guardian of any data stored on its systems.

Zadara manages the application-to-storage mapping, and ensures that any application can access storage it uses as defined by the customer. Zadara ensures that strict rules are in place for data access and keeps track of security access.

To avoid data theft, Zadara supports data encryption at-rest and in-flight using user-managed keys. Zadara never uses the customer data, not even for development or test purposes.

Zadara will notify customers without undue delay if we are aware of a breach of our security standards of the storage services, to help the data controller to report data breaches without undue delay.

What is Zadara doing to prepare to GDPR?

GDPR compliance is a shared responsibility. Zadara storage services offers a wide set of controls to help customers keep GDPR compliance. For Zadara that already has a high standard of data protection practices on its cloud storage, GDPR is a chance to enhance the practices, and to tighten things up further.

Zadara conducts ongoing security testing of its clouds and storage services. Zadara maintains security certifications such as ISO 27001, SOC 2 Type 2, and HIPAA. These certifications and audit reports can be used for customers risk assessments and help them determine that the proper security measures are in place.

Zadara trains all employees on data privacy, to have them aware of PII sensitivity, and the company commitment to be GDPR compliant.

Since Zadara does not have visibility into customers’ data and can’t identify PII, it treats everything stored on its systems as high risk and most sensitive. The controls taken to protect the data include:

• Highest level of physical security with biometric locks on Zadara’s equipment cages
• Strict role-based access control
• Secured communication that is always encrypted
• Data at-rest encryption with customers’ keys
• Data in-flight encryption for any data movement
• Robust identity management with dual-factor authentication
• Customers can select the region where the data is kept
• Multi-tenancy with complete separation between tenants on the VM’s and disk drive level
• Data deletion and drive shredding when the data is to be removed

Download a signed copy of our Data Processing Addendum (DPA).

Defining HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance.

What HIPAA means for Zadara

Zadara is considered a HIPAA Business Associate as of the above definition. There is no HIPAA certification for a service provider such as Zadara. Zadara is a HIPAA compliant hosting provider, as it has the needed administrative, physical, technical and privacy safeguards in place, according to the U.S. Department of Health and Human Services:

• Administrative Safeguards – a collection of policies and procedures that govern the conduct of the workforce and security measures.
• Physical Safeguards – policies and procedures to limit physical access to its electronic information systems and facilities in which they are housed and to ensure their availability in an emergency.
• Technical Safeguards – policies and procedures for electronic information systems to allow access only to those persons or software programs that have been granted access rights. Access should be monitored and periodically audited to ensure that it is accurate and up to date.
• Privacy Safeguards – policies and procedures for electronic information systems to protect the privacy of the data subjects (primarily pertaining to covered entities)

The full report is available upon request. Request full HIPAA report.

Defining ISO 27001

ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management. It is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.

As a formal specification ISO 27001 mandates specific requirements. Organizations that claim to have adopted ISO 27001 can therefore be formally audited and certified compliant with the standard.

ISO 27001 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”

ISO 27001 is the de-facto international standard for Information Security Management. ISO 27001 contains 12 main sections:

1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development, and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

What ISO27001 Means for Zadara

Zadara services are certified to be compliant with the ISO27001 standard. To be accredited the certification, Zadara had to prove that our storage services meet the specified security standards to an external auditor. ISO 27001 certification demonstrates Zadara’s clear commitment to Information Security Management and ensures that there are adequate processes in place to lessen the risk of data breach.

Defining SOC

Service Organization Controls (SOC) are a set of standards designed to measure the ability of a given service organization to control its information in its service environments (e.g., the clouds it manages). SOC 2 compliance concerns internal controls of an advanced IT service organization. A company achieves SOC 2 compliance by having sufficient policies and strategies in place to protect client data.

About SOC 2

While many businesses understand the benefits of moving basic functions such as data storage to the cloud, some companies are still hesitant because of security concerns. SOC 2 compliance provides businesses with the confidence and peace of mind that their data is secured and highly available.

What SOC 2 Means for Zadara Storage

Our customers and regulators expect independent verification of security and availability controls. Service Organization Control (SOC) Reports are independent third-party examination reports that demonstrate how Zadara Storage achieves standard compliance. Zadara Storage undergoes independent third party audits on a regular basis to provide this assurance. This means that an independent auditor has examined the controls present in our services, products and operations.

The auditor documents the controls Zadara Storage has put in place in a SOC 2 report. The report evaluates the effectiveness of a service provider system based on the AICPA Trust Service Principles and Criteria. For more details on the SOC 2 trust services criteria, visit: AICPA.

The full report is available upon request. Request full SOC 2 Report.