Our products and services make it easier for our customers to comply with the European Union’s General Data Protection Regulation (GDPR). Storage Made Easy, as a company, is also compliant.
For more information on the Compliance features of the File Fabric please see our GDPR whitepapers.
The GDPR, which became active May 25, 2018, gives individuals (data subjects) in the European Union more control (rights) over how their personal data is used, and places obligations on businesses that process that data. The GDPR calls businesses that determine what and how personal data is processed ‘data controllers’. Businesses that handle personal data only under the direction of a data controller are called ‘data processors’. Data controllers and data processors each have different obligations under GDPR.
In different scenarios, with different categories of data, Storage Made Easy and our customers may play roles either as a data controller or data processor.
Software (Enterprise File Fabric)
Organizations who run the Enterprise File Fabric software in their own data centers, or on cloud platforms such as AWS EC2, Google Compute or Azure, are determining how personal data will be processed. Under GDPR, they are classified as data controllers.
For information on how our software supports data controllers see GDPR Compliance.
Online Services (SaaS)
Individuals can create accounts through our online File Fabric service, located in the US and EU. Under GDPR, Storage Made Easy is a data controller for the personal data entered by those individuals in creating and managing the account. However, for additional personal data entered by the account owner, including the credentials of their storage providers, content uploaded through the service, and for business accounts, member names and email addresses, the account owner is the data controller and Storage Made Easy is a data processor working under their direction.
Managed Services (IaaS)
Storage Made Easy manages dedicated instances of our Enterprise File Fabric platform for our customers on a number of different public and private clouds including Linodeand Memset. Since the customer is determining what personal data is being collected and how it is being used, in this scenario, under GDPR, they are the data controller. For any personal data Storage Made Easy may be processing under their direction, Storage Made Easy is a data processor.
Information for data controllers can be found at GDPR Compliance. Storage Made Easy’s responsibilities as a data processor are outlined in our Data Processing Agreement. We also maintain subprocessor agreements with our platform vendors. Linode infrastructure compliance details and accreditations can be found here. Memset infrastructure compliance details and accreditations can be found here.
Marketing, Sales and Support
AB-375, California’s new privacy law came into effect on January 1st 2020. The CCPA allows anyone who resides in the state to access and obtain copies of data that companies may store on/about them with the right to delete the data as well as opting out of companies selling or monetizing their data.
Companies are required to comply with the CCPA if they comply with any of the following:
(i) They have gross revenues over $25M
(ii) They are a for-profit company that does business in California and collect the information of more than 50,000 consumers, devices or households.
(iii) 50% of their income is derived from selling personal information.
Unlike the GDPR the CCPA doesn’t require companies to go through steps such as data collection consent, having a valid reason to collect user information, or requires companies to minimize data collected, although this may occur in future revisions.
The File Fabric provides functionality that helps in satisfying CCPA requirements such as providing a mechanism to understand ‘who’ is accessing data, ‘when’, and ‘how’ through a combination of the File Fabric's Audit event logs and Policies.
Additionally when connected to the File Fabric data content is indexed so that it can be checked for PII / PHI which can then be flagged and quarantined until it can be dealt with.
The Enterprise File Fabric product’s cryptographic module has been validated by a third-party, as conforming to the Advanced Encryption Standard (AES) algorithm. The validation registration is No. 4854. (#cmnt6)The AES algorithm, as specified in Federal Information Processing Standard Publication 197, Advanced Encryption Standard (FIPS PUB 197), is used to protect electronic data. It is a symmetric block cipher that can encrypt and decrypt information with cryptographic keys. Storage Made Easy uses 256-bit keys (AES-256). AES is mandatory for electronic products and services provided to the federal government. It is also required by other highly secure organizations.
For more information see File Encryption.
The Enterprise File Fabric had been approved by the UK Government for purchase by public-sector bodies through the Gov.uk Digital Marketplace. The solution is available as Cloud Software (SaaS) and hosted on UKCloud Primary Storage and Computing as a Service infrastructure.
UKCloud are National Cyber Security Centre Accredited and are Home Office/PASF assured facilities and data centres for “Blue Light” services. They also have HSCIC/NHS Digital N3 Aggregator status. UKCloud are also ISO 9001, ISO 2000, ISO 27001, ISO 27017, ISO 27018 accredited.
For more information see Secure Unified File Sharing and Collaboration for UK Government Cloud.
HIPAA and HITECH are U.S. Federal Government standards for the security and privacy of Protected Health Information (PHI). HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities. For more information on HIPAA and HITECH, visit http://www.hhs.gov/ocr/privacy/.
General Compliance guidelines for HIPAA
- Ensure confidentiality, integrity and availability of all electronically protected health information that the covered entity either creates, receives, maintains or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such aforementioned information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
- Ensure that there is compliance by the workforce.
Ways in which the Storage Made Easy Cloud Appliance satisfies HIPAA:
Data Access: This can be controlled using access control lists, to enable data to be only accessed by authorised personnel over https. Also IP GEO-restrictions can be implemented to restrict geographic access. The actual legislative wording regarding restricted access to data is:
“Allow access only to those persons or software programs that have been granted access right.â€ (Section 164.312(a)(2)(1))
Remote / Offsite Access to data: Storage Made Easy provides a service which can be configured to be part of a disaster recovery plan enabling data to be accessed in the event of fire, flood, natural disaster, inadvertent deletions, viruses, hacking, theft or any other contingency. The actual legislative wording is:
”Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.â€ (HIPAA, Section 164.308(a)(7)(i)).
Physical Security of Data: Storage Made Easy supports over 55 clouds. Our Cloud Appliancecan be hosted on Amazon EC2 and HIPAA data can be stored using the Amazon S3 data cloud. Further information on Amazon and HIPAA can be found in the AWS white paper Architecting for HIPAA Security and Compliance on Amazon Web Services.
Event Logging: HIPAA solutions should enabled audit logging and drill down of file events to enable checks on file access and change and from which IP Address these were made. Such audit and event logging is built into the Storage Made Easy solution.
Encryption: The privacy rules regulations describe ensuring data is encrypted when “in flight” and when “at rest”. Storage Made Easy and Amazon directly both support AES 256 bit encryption at a file level and data can be sent over secure channels.
This information is not intended to constitute legal advice. You are advised to seek the advice of counsel regarding compliance with HIPAA or refer to the HIPAA section of the U.S. Department of Health and Human Services' website, which can be found at: http://www.hhs.gov/ocr/hipaa/
Download HIPAA Statement
Auditing & Family Education Rights & Privacy Act (FERPA)
FERPA is the federal privacy law for educational institutions and has regulatory compliance requirements for student educational records.
The File Fabric's detailed audit event logs and access polices can be used to help track 'who' had access to data , 'when', and 'why'.
Note that FERPA compliance regulations specifically prohibit educational institutions from disclosing “personally identifiable education information” without a student's written permission.