CARET GDPR Readiness

Our customers’ privacy and security are at the heart of everything we do at CARET.

Our commitment to you

CARET is committed to empowering professionals with most secure, compliant technology solutions available. We currently adhere to all relevant data protection and privacy regulations within the EU and elsewhere, including GDPR. We will continue assessing our processes and systems and reviewing current product features in order to implement necessary changes.

In light of the European Union’s new data privacy and protection rules known as the General Data Protection Regulation (GDPR), we have taken a number of steps to maintain our own compliance and to help our clients do the same. GDPR clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents’ personal data in any manner, regardless of location, has obligations to protect the data.

CARET is headquartered in San Diego, California, but we have affiliated companies in the UK and primarily follow the advice of the UK Information Commissioners Office (ICO) to ensure we are meeting our obligations under GDPR. To see the steps the ICO lays out to ensure GDPR readiness, read our full compliance statement.

What does this mean for our clients?

GDPR dictates, and CARET will ensure, that all clients for whom we control or process personal data, have the following rights:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to restrict processing
  • Right of data portability
  • Right to erasure
  • Right to object
  • Right not to be subjected to automated decision making and profiting

Please direct any questions or inquiries related to these rights to compliance@getcaret.com

What should you do to be GDPR-Ready?

As part of your own GDPR compliance plan, clients who are subject to the regulation will need signed verification that any data stored or processed by CARET meets the data protection standards of GDPR. To assist you with your verification needs we have added a Data Processing Addendum (DPA) to the Terms and Conditions of all relevant CARET products. We will contact directly all clients who are required to sign a DPA to maintain their compliance. If you have any questions about the DPA please contact us at compliance@getcaret.com.

What is GPDR?
EU’s General Data Protection Regulation (GDPR) is a game changer in data protection and privacy laws. The EU has realized that while technology has evolved drastically in the last few decades, privacy laws have not. In 2016, EU regulatory bodies decided to update the current Data Protection Directive to suit the changing times. This law creates a comprehensive list of regulations that govern the processing of EU residents’ personal data.

Does GDPR apply to me?
GDPR applies to any organization that works with the personal data of EU residents. This law introduces new obligations for data processors while clearly stating the accountability of data controllers.

Where does GDPR apply?
This law doesn’t have territorial boundaries. It doesn’t matter where your organization is from — if you process the personal data of subjects of the EU, you come under the jurisdiction of the law.

What are the penalties for non-compliance with GDPR?
A breach of the GDPR incurs a fine of up to 4% of annual global turnover or €20 million (whichever is greater).

What is personal data or Personally Identifiable Information (PII)?
Any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender, etc.).

Technical and Organizational Security Measures
This document is a high-level overview of technical and organizational security measures and controls implemented by CARET to protect personal data and ensure the ongoing confidentiality, integrity and availability of CARET’s products and services.

CARET reserves the right to revise these technical and organizational measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for personal data that AbacusNext processes in providing its various services.

Organization of Information Security
Organization and management of Information Security and dedicated staff responsible for the development, implementation, and continuous monitoring of CARET’s Information Security Program.

Policies and Procedures
Maintain Information Security policies and procedures and make sure that policies and procedures are regularly reviewed, updated where necessary, and communicated and made available to all CARET employees.

Risk Management
Implement a formal organizational Risk Management program which includes periodic Risk Assessments along with its procedures for the purposes of periodic review and assessment of risks to the CARET organization, monitoring and maintaining compliance with CARET policies and procedures, and reporting the condition of its information security and compliance to Senior Management.

Physical and Environmental Security
Deploy a defense-in-depth strategy of physical and environmental security controls at all CARET data centers. CARET’s data centers are designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of AbacusNext’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.

All CARET data centers adhere to vetted and known industry standards and regulatory requirements.

Access Control
Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).

Password Protection
Password controls designed to manage and control password complexity requirements and usage, including prohibiting users from sharing passwords.

Data Security
Data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring, and where applicable, utilization of commercially available and industry-standard encryption technologies.

Network Security
Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

Communication
Communication with CARET’s applications utilizes cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.

Monitoring and Logging
System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.

Change Management
Change management procedures and tracking mechanisms to designed to test, approve and monitor all changes to CARET technology and information assets.

Incident Management
Incident Management procedures design to allow CARET to investigate, respond to, mitigate and notify of events related to CARET technology and information assets. In the event of any security breach of personal data, CARET will notify customers promptly.

Vulnerability Management
Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

Audit
CARET conducts quarterly penetration tests conducted by CARET personnel. CARET is periodically subject to publisher audits using their own third-party companies. In addition, CARET conducts periodic self-assessments on the overall security posture of the organization and its products.

Business Continuity/Disaster Recovery
Business continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recovery from foreseeable emergency situations or disasters. BC/DR plans are reviewed and tested periodically for accuracy.