TokBox and GDPR
A secure, compliant platform for all our customers
www.tokbox.com 2
Contents

WHAT IS GDPR? .......... 03
SHOULD I BE CONCERNED ABOUT GDPR? .......... 04
THE 5 W’S OF GDPR FOR TOKBOX CUSTOMERS .......... 05
PREPARING TOKBOX FOR GDPR .......... 06
WHAT OUR CUSTOMERS NEED TO KNOW ABOUT GDPR COMPLIANCE .......... 09
  1. WHO IS RESPONSIBLE FOR THE RIGHTS OF DATA SUBJECTS? .......... 10
  2. IF A DATA SUBJECT ASKS TO BE FORGOTTEN, WHO FULFILLS THIS REQUEST? .......... 12
  3. HOW WILL THE NOTIFICATION PROCESS WORK IN THE EVENT OF A DATA BREACH? .......... 13
  4. HOW DOES TOKBOX MANAGE THE COMPANY CONTACT INFORMATION IT HOLDS? .......... 14
  5. HOW DO WE KNOW WHERE DATA IS BEING PROCESSED, STORED AND TRANSFERRED TO? .......... 15
ABOUT TOKBOX .......... 17
What is GDPR?

The new EU data protection regulation

By now, we’re sure that you’ve heard of the General Data Protection Regulation, more commonly known as GDPR. This regulation from the EU overhauls the requirements for businesses that collect, process and transfer the personal data of individuals in the EU.

The regulation has already been approved by the EU and the deadline for companies to become compliant is May 25th 2018 - a date which is fast approaching at the time of publication.

A quick legal caveat

The GDPR is an extensive piece of legislation which has been several years in the making. In this guide, we’ve tried to provide information in a simple, straightforward way to make it easy for our customers to understand the key elements of the legislation and to continue working with us.

However, this guide should not be considered legal advice. We recommend you seek out specialist legal counsel to discuss your company’s specific situation. A list of additional resources which we think you’ll find useful is provided at the end of this guide.
Should I be concerned about GDPR?

My company isn’t based in the EU - I’m off the hook, right?

Although the GDPR has been agreed upon by the European Union, its impact is going to be felt worldwide. It is designed to protect individuals in the EU whenever they have transactions with a company, wherever that company is based. That means that:

• if you are a business which has customers in the EU, you need to care about GDPR
• if you are a business which might have customers who are in the EU when they use your services, even if your company has no presence in the EU, you need to care about GDPR

TokBox’s approach to the question

We’ll go into it in more detail in this guide, but we want to make it as easy as possible for our customers to focus on building great applications, and not on trawling through legal documents and regulatory questions. That’s why our GDPR-compliant data privacy policy is applied across the board to all our customers’ data: TokBox enforces one privacy policy for all our customers.

That way, you can rest assured that with TokBox as your trusted live video supplier, you can get on with building a great business.
The 5 W’s of GDPR for TokBox customers

We know you’re busy, so here is GDPR at TokBox in brief.

Who: Our customers in the European Union, United States, and all TokBox customers and website visitors around the world.

What: The scope of GDPR compliance includes the OpenTok Cloud platform and the Customer Relationship Management system where Personal Data is processed and stored.

When: TokBox is committed to being compliant with GDPR by May 25th, 2018, when the regulation becomes enforceable.

Where: GDPR compliance is necessary for any company handling the personal data of individuals in the EU, regardless of where the company is based or where its services are hosted.

Why: GDPR is designed to strengthen data protection around personal information for individuals in the EU, to remove the barrier of mistrust which can hamper the development of innovative online services. TokBox is committed to being GDPR compliant to make it easy for our customers to access the European market.
Preparing TokBox for GDPR
Our journey towards compliance

Here at TokBox, we’ve been preparing for GDPR for a long time, in order to be able to work with customers and have everything in place for the May 25th 2018 deadline.

A cross-department effort led by our Information Security and Compliance team, our journey has involved almost all TokBox departments. Engineering, Product, Marketing, Customer Success, Legal and Finance have all been involved, making sure that no stone is left unturned on the road to compliance.

Following a thorough audit of our website and all documentation, a Data Protection Impact Assessment (DPIA) was produced which allowed us to identify and address any areas which would be impacted by the GDPR rules.

During this time we also worked closely with customers to understand what they would need to be confident working with us as a GDPR-compliant supplier. The information you can find in the rest of this guide is a direct result of the feedback we received from these customers: information which is clear, easy to understand and, above all, which will help our customers avoid duplication of effort.
Authoritative sources

With many experts offering advice on implementing GDPR, we found it helpful to choose which authoritative sources we could rely on for guidance.

We chose the International Association of Privacy Professionals (IAPP) because they certify privacy professionals who advocate for the Fair Information Practice Principles, which originate from the Privacy Act of 1974 and are enforced by the US Federal Trade Commission.

To implement these principles for GDPR, we chose ISACA, a professional association of certified IT auditors. ISACA has published “Implementing the General Data Protection Regulation” and a Data Protection Impact Analysis worksheet.

A Shared Responsibility model

To make it as easy as possible for our customers to understand what they need to do with regards to GDPR, we developed a clear Shared Responsibility model for data management.

The concept of a “Shared Responsibility Model” is widely used by today’s cloud providers to delineate ownership of resources and responsibilities between provider and tenant. Tenant responsibilities differ depending on the cloud service model and provider, so there is no single standard shared responsibility model. However, you may be familiar with this type of model if your company uses any other cloud services.

To understand their cloud security responsibilities, tenants should refer to the contractual agreements they have with their providers. For GDPR, this division of responsibility is defined in a Data Processing Agreement (DPA), the contract that Article 28 of the GDPR requires between a controller and any processor acting on its behalf.

TokBox is able to provide a Data Processing Agreement to customers who require it. Please get in touch with your Account Manager or [email protected] in order to arrange this.
What our customers need to know about GDPR Compliance

Following extensive consultation with customers who are preparing for GDPR compliance, we have identified the principal areas where TokBox may have a role to play.

The following Shared Responsibility Model provides specific answers to the most common general questions on GDPR. Use it to help determine the audit scope of privacy practices between TokBox and your organization. For each question, the Customer entry describes your responsibilities and the TokBox entry describes ours.
01 WHO IS RESPONSIBLE FOR THE RIGHTS OF DATA SUBJECTS?

If you ever choose to sit down and read the full text of the GDPR, you will see the term “Data Subjects” many times. “Data Subjects” are the natural persons whose privacy rights must be protected. Whoever the Data Subject entrusts with their personal information (the “Data Controller”, the party that decides why and how the data is processed) is ultimately responsible.

Customer: Customer acts as a Data Controller for End Users of the customer’s applications built on the OpenTok Platform, which includes their customers and employees as Data Subjects.

TokBox: TokBox acts as a Data Processor on behalf of the customer as Data Controller, with no knowledge of the customer’s End Users. TokBox is responsible for personal information stored in the Account Portal, which contains contact information for our direct customers as Data Subjects.

Customer: Customer will not use the TokBox Services in any manner that violates the privacy and legal rights of its End Users under all applicable laws and regulations. Customer will obtain and maintain any required consents from End Users to allow, as applicable, Customer’s access, monitoring, use, recording, storage and/or disclosure of End User Data.

TokBox: TokBox maintains records of consent, and records of all requests to be forgotten, for audit purposes. Each record consists of an identifier, date, and request type.

Customer: If TokBox Services are used by our customers to collect, display or transmit any personal information about their users, those customers will prominently display a privacy policy that complies with all applicable laws and that makes it clear to users what data is collected and how it will be used, displayed or shared. Customers will collect and use user data only in accordance with their privacy policy and all applicable laws and regulations.
TokBox: TokBox routinely scrubs personally-identifiable information from all logs, including IP addresses. Our Privacy Policy is prominently displayed on our website and contains all the required notice of what data we collect, how it is used, and what our retention schedules are for storing the information.
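Scrubbing personal data from logs before they are retained is a control that customers acting as Data Controllers usually have to implement in their own applications too. The block below is an added example written for this guide; it is not TokBox’s code and does not describe how OpenTok logs are actually processed. It goes slightly beyond the IP addresses mentioned above by also masking e-mail addresses, validates each candidate with Python’s ipaddress module so that clock times and version strings are not damaged, and optionally replaces each address with a keyed pseudonym (a truncated HMAC-SHA256 under a secret the operator rotates) so that events from one client remain correlatable without the raw address ever being stored. The sample log lines, the session identifier and the key are constructed for the example.

```python
"""PII scrubbing for log lines: added example, not TokBox's own code.

Masks IPv4/IPv6 addresses and e-mail addresses before a line is retained.
With a secret key, addresses are replaced by a keyed pseudonym instead of a
fixed placeholder, so one client's events stay correlatable in the scrubbed
log while the raw address is never stored. Rotate the key on the log
retention schedule: once it is gone, the pseudonyms cannot be linked back.
"""
import hashlib
import hmac
import ipaddress
import re
from typing import Iterable, List, Optional

# Candidate patterns. They deliberately over-match (a clock time such as
# 12:34:56 looks like an IPv6 fragment); _mask_ip validates each candidate
# with the ipaddress module before touching it.
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_IPV6_RE = re.compile(r"\b(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}\b")
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample lines in the style of a media-server log (not real data).
SAMPLE_LOG = [
    "2018-05-25T10:30:00Z INFO session=2_MX4 connect from 203.0.113.42 ua=Chrome/66",
    "2018-05-25T10:30:01Z INFO signal from 2001:db8::1 to 2001:db8::2 bytes=512",
    "2018-05-25T10:30:02Z WARN support request by alice@example.com re key ending 9f3e",
    "2018-05-25T10:30:03Z INFO retry 3 of 5 at 12:34:56, client version 1.2.3",
]


def _pseudonym(kind: str, value: str, key: Optional[bytes]) -> str:
    """Fixed placeholder without a key; keyed, truncated HMAC with one."""
    if key is None:
        return f"[{kind}-redacted]"
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"[{kind}:{digest[:12]}]"


def _mask_ip(match: "re.Match[str]", key: Optional[bytes]) -> str:
    """Replace the candidate only if it parses as a real IP address."""
    raw = match.group(0)
    try:
        ipaddress.ip_address(raw)
    except ValueError:
        return raw  # e.g. a clock time or a malformed dotted string; leave it
    return _pseudonym("ip", raw, key)


def scrub_line(line: str, key: Optional[bytes] = None) -> str:
    """Return the line with e-mail addresses and IP addresses masked."""
    line = _EMAIL_RE.sub(lambda m: _pseudonym("email", m.group(0), key), line)
    line = _IPV6_RE.sub(lambda m: _mask_ip(m, key), line)
    line = _IPV4_RE.sub(lambda m: _mask_ip(m, key), line)
    return line


def scrub_lines(lines: Iterable[str], key: Optional[bytes] = None) -> List[str]:
    """Scrub a batch of lines; this is the hook a log shipper would call."""
    return [scrub_line(line, key) for line in lines]


def contains_sample_pii(lines: Iterable[str]) -> bool:
    """Check that the scrubbed output no longer carries the sample PII."""
    joined = "\n".join(lines)
    return any(s in joined for s in ("203.0.113.42", "2001:db8::", "alice@example.com"))


if __name__ == "__main__":
    # Keyed mode: the same client address always maps to the same token.
    for scrubbed in scrub_lines(SAMPLE_LOG, key=b"rotate-me"):
        print(scrubbed)
```

Run the scrubber at the point where log lines leave the process (a logging handler or the shipper’s filter stage), not on files already written to long-term storage, since the retention clock in the Privacy Policy starts the moment the raw line is persisted. The keyed mode is a design choice, not a requirement: a plain placeholder is the safer default if nobody needs to correlate events per client.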
02 IF A DATA SUBJECT ASKS TO BE FORGOTTEN, WHO FULFILLS THIS REQUEST?

The GDPR includes an article (Article 17, the “right to erasure”) which enshrines the right of an individual in the EU to request that his or her personal data be deleted by a company or organization.

The Data Controller must document and fulfill requests from Data Subjects to have all their personal information removed from the Data Controller’s possession. A Data Protection Officer is mandatory only in the circumstances set out in Article 37, but someone in the organization must own this process. Data Subjects may also, separately, request a copy of the data they provided in a structured, machine-readable, portable format (Article 20, data portability).

Customer: Customers are responsible for handling any claims related to their End Users, including any content, services or advertising. Customers are responsible for properly handling and processing notices sent to them (or any of their agents or affiliates) by any person claiming that the customer has violated that person’s rights, including notices pursuant to the Digital Millennium Copyright Act, or “requests to be forgotten” under the GDPR.

TokBox: In the event that TokBox is contacted by a customer’s End User with a request to be forgotten, the request will be entered into our records. If no matching identifier is found in our database of customers and website visitors, TokBox will take no action; as Data Controller, the customer remains responsible for fulfilling its End Users’ requests.
03 HOW WILL THE NOTIFICATION PROCESS WORK IN THE EVENT OF A DATA BREACH?

A data breach is when information, including personal information of Data Subjects, is made available to unauthorised parties. For example, this could be as a result of a third party hacking into a company’s systems, or due to carelessness by employees. Several high-profile data breaches have appeared in the media in the last few years, often a long time after the data itself was lost or stolen.

GDPR (Article 33) requires the Data Controller to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and requires a Data Processor to notify the Controller without undue delay after becoming aware of a breach. The Controller’s 72-hour clock therefore depends on the Processor telling it promptly.

Customer: You agree to comply, and require that your users comply, with all applicable laws, whether federal, state, local or international, relating to the privacy of communication for all parties to a conversation, including, when required, advising all participants in a recorded video chat that the video chat is being recorded.

TokBox: TokBox is responsible for notifying customers of any issues that may impact service, security, or regulatory compliance.
04 HOW DOES TOKBOX MANAGE THE COMPANY CONTACT INFORMATION IT HOLDS?

Company contact information may include personally-identifiable data such as contact name, job title, email, phone, etc. Customers who voluntarily provide this information understand why we need it and what it is used for, because they have agreed to our Privacy Policy and Terms of Service.

Customer: As Data Subjects, customers are responsible for providing consent for any data they voluntarily submit to TokBox. This includes personal contact details used for business purposes, provided with explicit consent upon agreeing to our Terms of Service.

TokBox: TokBox strongly encourages our customers to refrain from transmitting any sensitive or personally-identifiable information in emails, support tickets, or during media sessions with our staff.
05 HOW DO WE KNOW WHERE DATA IS BEING PROCESSED, STORED AND TRANSFERRED TO?

TokBox has a robust Data Governance Program, which includes controls for data quality and data access. The processing locations themselves, and the legal mechanism for any transfer outside the EU, are the kind of detail set out in the Data Processing Agreement described earlier; ask for it if you need to document them.

Customer: Customers are responsible for Personal Data, Sensitive Data, Protected Health Information, and PCI Cardholder Data. Customers retain control of where their data is stored and how it is encrypted.

TokBox: By default, the TokBox data retention policy on confidential customer data is to keep it for the minimum time needed to securely and reliably process it, whether in flight or at rest. TokBox and its affiliates are not responsible or liable for the deletion of, or failure to store, any customer data and other communications maintained or transmitted through use of the TokBox services. Customer is solely responsible for securing and backing up its customer application and customer data.

Customer: Customers retain control of classifying their data and governing how it is accessed.

TokBox: All Customer Data on the OpenTok platform is classified as “Confidential”. By default, TokBox staff have no access to customer content. Customers retain control of their data, and are responsible to their End Users for securing content and credentials which may contain personally-identifiable or sensitive information.
Need more information?

TokBox & GDPR webinar
https://www.crowdcast.io/e/tokbox-gdpr

Help center information (updated as required)
https://support.tokbox.com/hc/en-us/articles/360000108304-EU-General-Data-Protection-Regulation-GDPR-

TokBox Privacy Policy (updated as required)
https://tokbox.com/support/privacy-policy

Contact Us

Headquarters
501 2nd Street
Suite 310
San Francisco, CA 94107

Offices in San Francisco, Sydney, New York, Barcelona, London

facebook.com/tokbox
twitter.com/tokbox
linkedin.com/company/tokbox
About TokBox

TokBox develops and operates OpenTok, a global cloud platform for embedding live video into web and mobile applications. The scalable, customizable platform gives developers the creative freedom to build any communication experience, from one-to-one chats to multi-party calls or large-scale broadcasts. The first platform to incorporate support for WebRTC, OpenTok caters to enterprises, entrepreneurs and developers with powerful APIs and a cloud infrastructure. OpenTok is trusted by leading organizations including Esurance, Royal Bank of Scotland and InTouch Health.

For more information, visit tokbox.com