In April of 2016, the European Union announced the requirement that all software vendors who do business within the European Union comply with the General Data Protection Regulation (GDPR) (EU) 2016/679. The GDPR places strict controls on the protection of personal information and privacy for individuals in the European Union, and it came into effect in May of 2018.
Security Compass’ SD Elements adheres to the software requirements of the General Data Protection Regulation (GDPR), and we’d like to provide detail about these considerations.
SD Elements Users
SD Elements puts the power of user management in the hands of our customers. When SD Elements is purchased by a company, the purchasing company sets up individual projects and determines which users in the company can access those projects. In addition, the administrator of the company, who’s in charge of deploying SD Elements, also determines which feature the user can actually access in SD Elements. If a user were to leave the company that is deploying SD Elements, then the company would delete that user’s access to the projects in SD Elements.
Security Compass does not directly view user information, except for the purpose of providing technical support, done in partnership with your company.
Collection of personally identifiable information
We collect this personally identifiable information for a few reasons:
- We use the user’s email address to help them sign into SD elements, to recover a lost password or change a password, and to optionally inform the user about changes to projects they are involved with in SD Elements.
- We use the user’s first name, last name, and email address to help their company comply with regulations regarding audits. For example, we maintain an activity log which records user tasks in SD Elements, such as when a user modifies a project, completes a task, comments on a task, or modifies a corporate risk policy in some way.
- We record when and where a user signs into SD Elements in order to audit and troubleshoot the event when the user runs into technical issues accessing specific features of SD Elements. This reference to a person may be shared with additional tools that are used to help troubleshoot technical issues.
For a full list, please click here.
This information may be shared with SD Elements integrated tools as part of the normal software development process. Examples of such tools are:
- Application Lifecycle Management Tools, such as JIRA or CD Agile Central (Rally)
- Code Analysis tools, such as ThreadFix or Fortify Software Security Centre.
In addition, your company may use the SD Elements platform to design custom tools which extract this user information for items such as reporting.
Security Compass may also maintain user information (e.g., their email and password) within our support systems. This is done in order to communicate with the user while resolving support related issues.
Retention of personally identifiable information
An important consideration when deploying SD Elements is maintaining the user information after they have left the company. This is done to ensure that the company conforms to compliance and audit regulations. We retain this information for as long as the company licenses SD Elements. In addition, if the company ceases to continue licensing SD Elements, we retain all user information in an encrypted backup file for a period of at least six months, in case the company wishes to later retrieve it for audit purposes or to restart their SD Elements license at a later time.
Hosting of SD Elements:
Depending on the security requirements of your company, SD elements can be hosted in one of two ways.
- In a cloud based SaaS environment, hosted using a secure hosting provider, such as Amazon Web Services (AWS)
- On your company’s premises, behind a corporate firewall.
If your company’s version of SD Elements is hosted in the cloud, your information may be transferred across multiple locations. This is possible if the SD Elements hosting provider creates a server in another location for the purposes of improving performance or ensuring SD Elements is regularly available for your company to use.
Normally, Security Compass remains neutral about where SD Elements is physically hosted in the cloud. However, your company may contractually require that SD Elements be hosted in a specific country.
If my information is transferred to another location, it is important to remember that SD Elements is a secure, encrypted web application that protects your information, regardless of where SD Elements is hosted.
For more information about our sub-processors, please click here.
If you have questions about how SD Elements processes information or protects data, please contact us at:
Attn: Legal Department
257 Adelaide St W #500,
Author: Mark Rathwell, Product Owner at Security Compass