General Data Protection Regulation (GDPR)

GDPR Processing Description

Hereinafter, the client is referred to as "the data controller" and 7724 is referred to as "the processor".

Within the framework of their contractual relationship, the parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable from 25 May 2018 (hereinafter, "the European regulation on data protection").


The processor is authorized to process on behalf of the data controller the personal data necessary to ensure the hosting of their website.

The nature of the operations performed on the data is: IT services.

The personal data processed are:

- Email address

- Last name, first name

- Date of birth

- Complete address(es)

- Connection IP address

- Order history

- Login and/or FTP credentials

The categories of data subjects are:

- Developer

- System Administrator

For the execution of the service, the data controller makes available to the processor the following necessary information:

- Access to data and administration interfaces of the online sales platform, as well as related services.

Duration of GDPR processing application:

The application of GDPR processing begins when the service is ordered, once the data controller has transmitted the access credentials allowing access to their data.

The Client's acceptance of a renewal invoice tacitly extends the duration for the covered period. The processing expires upon non-renewal.

Obligations of the processor towards the data controller:

The processor undertakes to:

1. process the data only for the sole purpose(s) that is/are the subject of the subcontracting.

2. process the data in accordance with the documented instructions of the data controller. If the processor considers that an instruction constitutes a violation of the European regulation on data protection or any other provision of Union law or Member State law relating to data protection, they shall immediately inform the data controller. Furthermore, if the processor is required to transfer data to a third country or an international organization, under Union law or Member State law to which they are subject, they must inform the data controller of this legal obligation before processing, unless the relevant law prohibits such information for important reasons of public interest.

3. guarantee the confidentiality of personal data processed under this contract.

4. ensure that persons authorized to process personal data under this contract:
- undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.
- receive the necessary training in personal data protection.

5. take into account, with regard to their tools, products, applications or services, the principles of data protection by design and data protection by default.

6. It is the responsibility of the data controller to provide information to data subjects about processing operations at the time of data collection.

7. As far as possible, the processor must assist the data controller in fulfilling their obligation to respond to requests for exercising the rights of data subjects: right of access, rectification, erasure and objection, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).

8. The processor notifies the data controller by email of any personal data breach after becoming aware of it. This notification is accompanied by all useful documentation to enable the data controller, if necessary, to notify the competent supervisory authority of the breach.

9. The processor assists the data controller in carrying out data protection impact assessments. The processor assists the data controller in carrying out prior consultation with the supervisory authority.

10. The processor undertakes to implement the security of hosting platforms.

11. At the end of the service provision relating to the processing of this data, the processor undertakes to destroy all personal data within 2 months following the end of the contract.

12. The processor communicates to the data controller the name and contact details of their data protection officer, if they have appointed one in accordance with Article 37 of the European regulation on data protection.

Obligations of the data controller towards the processor:

The data controller undertakes to:
1. provide the processor with the data referred to in Section II of these clauses.
2. document in writing all instructions concerning the processing of data by the processor.
3. ensure, beforehand and throughout the duration of the processing, compliance with the obligations provided for by the European regulation on data protection on the part of the processor.
4. supervise the processing, including carrying out audits and inspections with the processor.

 

Physical Storage Sites for Web Platform Data

The storage site depends on the main datacenter for your data, most often OVH and Online.net.

 

Physical Storage Sites for Backup Platform Data

OVH Datacenter SGB-2
Strasbourg
France

 

OVH Datacenter GRA-1
Gravelines
France

  

Company Hosting Data Backup

7724
Chemin du Petit Cabri
13100 Le Tholonet
France

 

Security Measures Implemented for Backup Platform Data Storage

Data storage security:

  • Encryption: AES XTS algorithm;
  • Key: SHA with a length of 512 bits or more;
  • Passphrase: random length between 48 and 64 characters composed of digits, letters and symbols; typed interactively at each startup of backup nodes to ensure that physical theft of the server makes the data inaccessible.

 

Data transfer security:

  • Encryption: SSH AES CBC or better;
  • Key: RSA with a length of 4096 bits or more.

 

Data Recovery Method in Case of Problem

Remote connection via SSH or physical access to servers by our intervention team in extreme cases.

 

Certifications

No certification has been necessary to accomplish our missions at this time.