Initial notes from FotoWare's Data Protection Officer
FotoWare works with clear routines and measures with regard to data security and data storage. We appreciate that customers trust us with their data, and we take seriously the responsibility we have for safeguarding that data and for being open about the way we process it.
When FotoWare made the move to the cloud, we decided to partner with Microsoft. They demonstrate a healthy track record in data security, and their Azure cloud platform has received great acclaim as a secure, versatile development platform. In fact, Microsoft is continually working to implement new security certifications to the point where they're now approved for hosting sensitive government data in some countries.
At FotoWare, the security of our customers' data is a top priority, as you would rightly expect from a SaaS vendor. We think "security first" in everything we do, and we work diligently to improve the way we build our systems for maximum security. Essentially, there are five core areas that have an impact on the overall security of the service we offer:
Choice of platform
Our solutions run on, and data is stored on, the Azure Cloud platform. This is a safe, scalable platform used by cloud software vendors all over the world. It affords us tools to control the location of your data, its replication to avoid data loss and the security mechanisms needed to keep it safe. Indeed, we trust Azure to the point where all our own services run on the same platform.
Developing solutions with security in mind
Everything we make is "privacy by design". We subject our code to automatic testing and user testing, and from time to time we use external parties to scrutinize and evaluate the security of individual parts of our offering and the system as a whole. Their findings are reviewed and ultimately end up on our drawing board if improvements are needed.
Enforcing strong encryption
Encryption is a given these days, and we make sure all the data that moves between clients and servers is encrypted by security tech such as HTTPS and Transport Layer Security. Data is also encrypted when it's committed to storage in the Azure data center, which is commonly referred to as encryption at rest.
Limiting access to trusted personnel only
We limit who can access your data. When you call FotoWare Support to get help, we will ask for your consent before doing anything that affects your data. Technical and organizational safeguards are in place to limit access. When we use third-party suppliers to provide additional services, we assess whether they can provide the appropriate level of security and privacy that we require.
Service Monitoring and automatic incident reporting
Our staff is on guard 24/7 to respond to security incidents, big or small, and our Data Protection Impact Assessment plan is continually updated and revised so we can be prepared for anything that might come.
Should you have additional questions, we'd like to hear from you!
Contact us at privacy(at)fotoware.com
Olav Andreas Frenning, Data Protection Officer at FotoWare
Steps taken by FotoWare to protect your data
The points below summarize what FotoWare is doing to protect your data and deal with some of the questions that often come up with regard to security and GDPR.
FotoWare IT Security
Both management and employees at FotoWare are aware of the risks in this context and take responsibility for their respective roles in IT security:
- The supervisors appointed have clearly defined areas of responsibility, with which all employees are familiar
- The company takes steps to secure data and systems responsibly, irrespective of which platform, environment or country is involved in the storage, processing or copying of these data.
- FotoWare has a system and contingency plans – based on preventative control measures and warning systems combined with vigilant employees – to deal with breaches, viruses, natural disasters (such as fire and water leaks) and hacking
Access to the FotoWare customer database is only granted to authorized users, and must be documented and updated at all times. The systems are checked regularly for risks and vulnerability.
- Approved virus scanning software has been installed on all computers connected to the FotoWare CRM and ERP databases.
- The antivirus software is kept updated at all times
- Backups are taken daily
To log on to the customer database, users need valid credentials and must comply with the password regulations that apply to all FotoWare employees as set forth in the Data Discipline Declaration, which they signed as part of their contract of employment.
Data Discipline scheme for FotoWare staff
- All employees have signed a Data Discipline declaration confirming that they understand, accept and undertake to comply with the data discipline regulations.
- All users of FotoWare CRM and ERP systems must sign the data discipline declaration before they are authorized to use these systems. FotoWare's IT staff is responsible for ensuring that employees sign the declaration on being allocated their user profiles. The agreement must also be signed by temporary staff, such as summer substitutes, interns and consultants.
- FotoWare's CEO and CTO are jointly responsible for ensuring that all internal users sign the declaration. Signed declarations are filed.
- FotoWare employees undertake to comply with FotoWare rules for IT security, as defined in the “Data discipline declaration for employees” and general rules and regulations for data security. Employees understand and accept that failure to comply with these rules and regulations may have serious consequences, possibly, depending on the gravity of the failure, resulting in the immediate termination of employment.
Data Backup routines
FotoWare takes daily backups of servers and databases. The process runs automatically, but additional manual backups can be taken as and when required. Backups are taken using Microsoft Azure Recovery Service Vaults.
Disk backups are run automatically every day to allow FotoWare to restore its files, databases and systems more rapidly if necessary.
FotoWare reviews its backup routines annually. These reviews involve quality assurance, checking which data is stored where, and confirming that backups are being made as stipulated. The IT Supervisor is responsible for performing the routine review.
The IT Supervisor also logs the review and ensures that the logs are available for IT staff on an intranet wiki.