spaceOS connects workspaces and buildings to their members and tenants to boost productivity, comfort, and safety. Central to this mission is our commitment to being transparent about data collection, management, and sharing.
The European Union’s law on personal data processing, the General Data Protection Regulation (GDPR), went into effect on May 25th, 2018. It has a significant impact on how businesses, and SaaS businesses in particular, handle their users’ personal data – and not only in Europe, since it applies to any business offering goods or services to, or performing monitoring of, users in the EU.
As the GDPR is important to SaaS providers like us, not only do we need to be compliant, but we also strive to help our clients be compliant as well. Choosing spaceOS means avoiding nuisances with regard to implementing GDPR guidelines. At spaceOS, we’re big fans of the GDPR. Personal data has historically been used and shared indiscriminately, and stored indefinitely “just in case”. The GDPR encourages businesses to be more aware of the data they collect and what they do with it. It gives users much more control over what happens to their data. We’re working continuously on our compliance, and are happy to see that most other SaaS providers are doing the same.
2. Data Privacy
spaceOS is committed to the highest standards of data security and privacy. We have taken steps to ensure that our services comply with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
We are dedicated to safeguarding personal data by developing a data protection regime that is robust and effective. We are committed to the principles inherent in the GDPR and particularly to the concepts of information transparency, privacy by design, the right to be forgotten, and a risk-based approach.
Here is a list of technical and organizational security measures we put in place to ensure the highest level of data protection.
a. Measures for the pseudonymization and anonymization of personal data:
We use anonymous aggregates to advance our algorithm development. Data with PII cannot be retrieved by relevant systems without going through our anonymization, feature extraction, and aggregation routines.
b. Measures to encrypt personal data:
We do not only use encryption in the transport layer, where all communication takes place via SSL-encrypted channels; we also encrypt sensitive data in our databases.
c. Measures to ensure confidentiality on a permanent basis:
All our servers are equipped with the latest security measures and are hosted behind a Virtual Private Cloud (VPC) on AWS. In addition to Linux-specific measures and strong cryptographic key authentication on the server itself, we employ AWS-specific security measures and add a further layer of security by proxying all our incoming traffic through Cloudflare to take advantage of advanced technologies to prevent snooping and service level attacks.
d. Measures to ensure long-term integrity:
Data integrity is protected by the use of AWS data replication and backup services, and by frequent backups performed several times a day to ensure further redundancy in the event of an AWS problem.
e. Measures to ensure long-term availability:
We thoroughly test our API for malpractice and retain backups for a reasonable period of time to protect various snapshots of the data from accidental destruction or loss.
f. Measures to ensure the long-term resilience of the systems and services:
We use multiple internal and external state-of-the-art systems to monitor our platform, automatically detect threats, and protect the platform from them, resulting in a 99% uptime guarantee. Technologies we use to ensure resilience include AWS Auto Scaling, containerization, CloudWatch, Cloudflare, and more.
g. Measures to regularly review and evaluate the effectiveness of technical and organizational procedures:
We regularly review our technical and organizational procedures and work with external experts to improve our systems and their security.
h. Measures to prevent unauthorized access and to ensure traceability and integrity in data transmission (transmission control through secure transmission):
All data during transport is encrypted with SSL and thus protected by design against man-in-the-middle attacks.
i. Measures to separate personal data collected for different purposes (separation control through client separation and authorization management):
All customers are operated on AWS in logically (and potentially physically) separate systems. This ensures that no other customer’s data can be accidentally accessed.
j. Measures to erase data and restrict processing:
All data of individual users will be deleted from our servers within a reasonable period of time in accordance with the regulations of the country in which the customer operates. Different countries require that, for example, financial documents be stored for different periods of time. The deletion covers all data stored in backups or logs of the system as well as data stored in the databases.
We are happy to answer more detailed questions; just send an email to our Data Security Officer at [email protected]