Our clients’ privacy and security are at the heart of everything we do at AbacusNext. In light of the European Union’s new data privacy and protection rules known as the General Data Protection Regulation (GDPR), we have taken a number of steps to maintain our own compliance and to help our clients do the same. GDPR clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents' personal data in any manner, regardless of location, has obligations to protect the data.
AbacusNext is committed to empowering professionals with the most secure, compliant technology solutions available. We currently adhere to all relevant data protection and privacy regulations within the EU and elsewhere, including GDPR. We will continue assessing our processes and systems and reviewing current product features in order to implement necessary changes.
AbacusNext is headquartered in San Diego, California, but we have affiliated companies in the UK and primarily follow the advice of the UK Information Commissioner's Office (ICO) to ensure we are meeting our obligations under GDPR. To see the steps the ICO lays out to ensure GDPR readiness, read our full compliance statement.
What Does this Mean for Our Clients?
GDPR dictates, and AbacusNext will ensure, that all clients for whom we control or process personal data have the following rights:
- Right to be informed
- Right to restrict processing
- Right to object
- Right of access
- Right of data portability
- Right not to be subject to automated decision making and profiling
- Right to rectification
- Right to erasure
Please direct any questions or inquiries related to these rights to firstname.lastname@example.org
What Should You Do to Be GDPR-Ready?
As part of your own GDPR compliance plan, clients who are subject to the regulation will need signed verification that any data stored or processed by AbacusNext meets the data protection standards of GDPR. To assist you with your verification needs, we have added a Data Processing Addendum (DPA) to the Terms and Conditions of all relevant AbacusNext products. We will directly contact all clients who are required to sign a DPA to maintain their compliance. If you have any questions about the DPA, please contact us at email@example.com.
What is GDPR?
The EU's General Data Protection Regulation (GDPR) is a game changer in data protection and privacy laws. The EU has recognized that while technology has evolved drastically in the last few decades, privacy laws have not. In 2016, EU regulatory bodies decided to update the existing Data Protection Directive to suit the changing times. This law creates a comprehensive set of regulations that govern the processing of EU residents' personal data.
Does it apply to me?
GDPR applies to any organization that works with the personal data of EU residents. This law introduces new obligations for data processors while clearly stating the accountability of data controllers.
Where does it apply?
This law doesn't have territorial boundaries. It doesn't matter where your organization is from — if you process the personal data of subjects of the EU, you come under the jurisdiction of the law.
What are the penalties for non-compliance?
A breach of the GDPR incurs a fine of up to 4% of annual global turnover or €20 million (whichever is greater).
What is personal data or Personally Identifiable Information (PII)?
Any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender, etc.).
Technical and Organizational Security Measures
This document is a high-level overview of technical and organizational security measures and controls implemented by AbacusNext to protect personal data and ensure the ongoing confidentiality, integrity and availability of AbacusNext’s products and services.
AbacusNext reserves the right to revise these technical and organizational measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for personal data that AbacusNext processes in providing its various services.
Organization of Information Security
Organization and management of Information Security, with dedicated staff responsible for the development, implementation, and continuous monitoring of AbacusNext’s Information Security Program.
Policies and Procedures
Maintain Information Security policies and procedures and make sure that policies and procedures are regularly reviewed, updated where necessary, and communicated and made available to all AbacusNext employees.
Implement a formal organizational Risk Management program, including periodic Risk Assessments and supporting procedures, for the purposes of periodically reviewing and assessing risks to the AbacusNext organization, monitoring and maintaining compliance with AbacusNext policies and procedures, and reporting the state of its information security and compliance to Senior Management.
Physical and Environmental Security
Deploy a defense-in-depth strategy of physical and environmental security controls at all AbacusNext data centers. AbacusNext’s data centers are designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of AbacusNext’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
All AbacusNext data centers adhere to vetted and known industry standards and regulatory requirements.
Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know and least-privilege basis, use of unique IDs and passwords for all users, periodic access review, and revoking or changing access promptly when employment terminates or job functions change).
Password controls designed to manage and control password complexity requirements and usage, including prohibiting users from sharing passwords.
Data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring, and where applicable, utilization of commercially available and industry-standard encryption technologies.
Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
Communication with AbacusNext’s applications utilizes cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.
Monitoring and Logging
System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to AbacusNext technology and information assets.
Incident Management procedures designed to allow AbacusNext to investigate, respond to, mitigate and notify of events related to AbacusNext technology and information assets. In the event of any security breach of personal data, AbacusNext will notify customers promptly.
Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
AbacusNext conducts quarterly penetration tests performed by AbacusNext personnel. AbacusNext is also periodically subject to audits by publishers, who use their own third-party firms. In addition, AbacusNext conducts periodic self-assessments of the overall security posture of the organization and its products.
Business Continuity/Disaster Recovery
Business continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recover from foreseeable emergency situations or disasters. BC/DR plans are reviewed and tested periodically for accuracy.