Opsyte's GDPR Compliance
Everyone at Opsyte takes the security of our product very seriously. Our customers trust us with their data, and protecting that is central to running our business and helping our customers run theirs.
Opsyte has long partnered with data privacy specialists and legal advisors on an ongoing basis to ensure continuous compliance with GDPR. Additionally, we’re actively working with customers to fully understand their data processing and privacy needs.
The Opsyte executive team is committed to Opsyte’s compliance with the General Data Protection Regulation.
Our compliance will build on the already safe and secure product we have now — ensuring your data and the data of your employees is as secure as possible. Opsyte complies with national data protection laws. We’re also registered with the Information Commissioner’s Office (ICO).
Opsyte not only provides a secure solution for you, it also helps you become GDPR compliant by ensuring your employees’ data is fully protected.
Below are the steps we’re taking to ensure we’re GDPR compliant.
Risk Profile
We haven’t left GDPR compliance as an afterthought. In fact, we’ve been working towards GDPR compliance since November 2017, when we first ran a risk assessment on the type of data we process and store. Opsyte does not process sensitive data on a large scale, nor do we systematically monitor individuals based on personal data or use automated profiling.
Opsyte System Compliance
GDPR is not a one-off project, but an ongoing initiative that’s part of Opsyte’s continuous improvement model and enterprise risk management. We continuously strive to improve our incident management framework and continuous improvement register.
Access Control
All access to customer data is protected by roles and permissions within the Opsyte system. Opsyte employees can only access data on a need-to-know basis, and according to “the principle of least privilege”, which means Opsyte employees have the minimal level of access to data needed to do their job.
We’ll also help our customers become GDPR compliant by ensuring roles created in the system don’t accidentally compromise data security.
Data anonymisation and pseudonymisation
GDPR requires that certain data be either anonymised or pseudonymised.
We use obfuscation as a way to anonymise data. Personal information like bank account details and personal identification numbers will be obfuscated — meaning only the last few digits will be shown (e.g. **** 1234).
Data Retention
Opsyte’s data retention policy adheres to regulatory requirements. If you want more details on this, please contact us.
Compliant third party systems
We only use third party systems that are compliant with GDPR.
Encrypted Data
Our customers’ data is encrypted end to end. This means when you enter information in the app or through our website, your data is sent in an encrypted format, then stored in a database. Your information is encrypted throughout that journey, so it can’t be read by third parties at any point.
Secure Passwords and Verification
Only you can see your password, so even users with the highest admin access can’t see other users’ passwords. Your password will always be encrypted in the Opsyte system and database.
We require users to verify their email and use a secure password. We will also require all existing users to update their passwords and verify their email.
Removing End User Data
End user data is subject to our end user licence, as well as our retention schedule. The removal of end user data from customer portals is by request, and subject to a review by Opsyte and the portal’s admins. End user data that is no longer relevant or required will be anonymised by removing any personal data.
Opsyte Business Compliance
GDPR is a part of our enterprise risk management, meaning we think about GDPR compliance as part of the methods and processes we use to manage risks and achieve our objectives as a company.
DPA
As a part of this compliance, Opsyte only processes data as per our Data Processing Agreement. All the data we process is protected in our infrastructure and SaaS systems — meaning the data we process never leaves a secure system.
When we process and access data, it’s always with consent — whether it’s in accordance with our Data Processing Agreement or with explicit customer consent. That ensures we fulfil our legal obligation to our customers to protect their data at all times.
Opsyte Employee Access to Data
Additionally, all access to customer data is protected by roles and permissions within the Opsyte system. Opsyte employees can only access data on a need-to-know basis, and according to “the principle of least privilege,” which means Opsyte employees have the minimal level of access to data in order to do their job.
All access to customer data within the Opsyte product is via consent only. For example, when a Customer Success team member needs to access a customer’s Opsyte account, the customer must give permission for the CS team member to access that data.
We require all our employees to complete data protection training, with an emphasis on how data protection relates to GDPR. Employees are routinely trained on new processes and procedures, and retrained on any subsequent changes.
Additionally, we require that each department document any process that relates to the processing of personal data. To protect our system against internal abuse, we also ensure Opsyte employees are given the minimum access to data required to carry out their role.
Data Breach Management
GDPR requires that companies inform users within 72 hours of discovering a data breach. We have all the processes in place to ensure this is possible and easy to execute.
Consent
One of the biggest changes in GDPR is how companies get consent from customers for using their personal data. We’ve updated our process for getting customers’ consent and have informed customers how their data will be processed when using Opsyte. We will also ensure that only necessary data is collected in the first place.
Risk Management
Opsyte operates using a framework called the continuous improvement model, which allows us to fluidly make changes to policy, process and procedure to combat any incoming risks.
DPO
GDPR requires that some companies have a Data Protection Officer (DPO). Opsyte’s DPO is responsible for the following:
- Educating employees on why GDPR compliance is important
- Training staff involved in data processing
- Auditing our systems to ensure compliance and addressing problem areas proactively
- Serving as the point of contact for GDPR authorities
- Maintaining data processing records, which must be turned over to customers if asked
Additional security procedures
All customer data is encrypted and backed up to a secure facility. We also use antivirus or malware protection on all machines at Opsyte. All machines used for software development, or those that come in contact with sensitive data, use encrypted disks.
We take customer trust seriously
Customer trust is the foundation of our product and our business — without it, we can’t provide our customers with the solutions they need to better run their businesses. That’s why data protection and privacy is something we’ve prioritised since the founding of Opsyte, and it’s something we’ll continue to prioritise with our Information Security Management System and compliance to various data privacy laws, such as GDPR.