What is GDPR?
In January 2012, the European Commission set out plans for data protection reform across the European Union (EU). In 2016, the commission reached an agreement on the required reforms and the means by which they would be enforced. One of the key reforms is the introduction of the General Data Protection Regulation, or "GDPR".
At its core, GDPR is a new set of rules designed to give EU citizens more control over their privacy, their data, and their consent for use of their data. Under the terms of GDPR, organizations who collect and manage personal data will be required to make sure that such data is gathered legally and under strict conditions, as well as protect it from misuse and exploitation. Organizations who fail to meet these requirements will face penalties. GDPR also promises consumers easier access to their personal data and requires that organizations explain how they use customer information in a clear and understandable way.
Under the GDPR regulation, consumers have additional provisions: the right to data portability and the right to be forgotten. Data portability allows consumers to receive their personal data from a data controller in machine-readable format and send it to another data controller. The right to be forgotten allows consumers to request that their personal data be erased by data controllers when it is no longer needed or if processing that data is unlawful in any way.
Further, GDPR requires that any organization experiencing a data breach notify the appropriate national bodies as soon as possible, so that affected EU citizens can take appropriate measures to prevent their data from being abused.
GDPR applies to every organization operating within the EU, as well as organizations outside the EU that offer goods or services to people or businesses in the EU. Its reforms are designed to modernize laws and obligations across Europe for the internet-connected age.
What are Radius' compliance requirements with regard to GDPR?
To assess compliance requirements, it's important to understand the difference between a data controller and a data processor. A data controller has overall control over the data and determines the purposes and means of the processing of Personal Data. A data processor processes Personal Data on behalf of the controller.
Businesses that use Radius are considered to be data controllers. With regard to Personal Data subject to GDPR, Radius is a Processor. Articles 28-37 set forth the key compliance obligations for data processors.
Processing to meet the Requirements of GDPR
Data controllers should select data processors that provide sufficient guarantees to implement the appropriate technical and organizational measures to ensure processing meets the requirements of the controller and of the GDPR. This means that processors must process Personal Data in accordance with the controller's instructions. Radius has implemented technical and organizational measures to ensure that Personal Data is processed in accordance with the instructions of our customers and in compliance with GDPR.
Restrictions on sub-contracting
Radius will not subcontract processing of Personal Data without prior written consent.
Radius maintains a record of all processing of Personal Data, including descriptions of technical and organizational security measures. We currently do not transfer data to third countries.
Data security is critical at Radius. Radius is independently audited on a regular basis, and our policies are transparent, documented, and verified. We have attained SOC 2 Type II certification and are a member of the Cloud Security Alliance Security, Trust & Assurance Registry (CSA STAR).
Every Radius employee undergoes annual security training, and we have a dedicated team of engineers researching and implementing the latest security measures. The Radius team prioritizes continuous improvements to the methodologies and systems responsible for meeting the growing demands and challenges of data security.
Application and Data Security
Radius uses HTTPS for all application services. We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. Radius currently employs 2048-bit RSA SSL certificates to secure all communications between a user and the application.
Radius is a cloud-based application, built on Amazon Web Services (AWS), a best-in-class cloud infrastructure provider. AWS data centers are staffed 24/7 by trained security guards, and access is authorized strictly on a privileged basis. They utilize state-of-the-art electronic surveillance and multi-factor access control systems, and their environmental systems are designed to minimize the impact of disruptions to operations. Multiple geographic regions and Availability Zones allow companies to remain resilient in the face of most failure modes, including natural disasters or system failures. For more information on the security of AWS cloud infrastructure, please visit http://aws.amazon.com/security/.
To ensure the integrity of customer data, Radius uses Amazon’s Simple Storage Service (S3) and Relational Database Service (RDS) to store data on multiple devices and across multiple zones within a region. Database replication ensures that the failure of any one server does not result in data loss or impaired usage of the application.
For maximum security, all data is encrypted both in transit and at rest. Stored data relies on 256-bit Advanced Encryption Standard (AES-256).
Radius users require a strong password to log in to the application; password storage relies on Blowfish encryption. Radius accepts connections via SSL only, and we establish authentication using 2048-bit certificates. Authentication ensures that a user knows they are connecting to Radius, and that any data transmitted to or from Radius is encrypted and protected. These provisions offer protection against DDoS and MITM attacks.
In the event of a data breach, Radius will notify its data controllers without undue delay upon becoming aware of the breach.
Personal Data Provided by Radius
Radius relies on the representations and warranties of our trusted data partners that the international data they provide to us is at all times in compliance with applicable laws, rules, and regulations, and that the collection and compilation of that data complies with all legally required notice and consent requirements governing such data.
How can I get more information?
If you have specific questions about GDPR or Radius' compliance requirements, please email us at firstname.lastname@example.org.