As a Controller
SmartFile needs to understand, at least partially communicate, and record internally, data on the consumers of our services (name, contact information, IP address, and billing information.) By agreeing to our Terms of Service, users provide express consent.
We do not use tracking cookies, nor do we sell or transfer any of this data to third parties. We use third parties for certain supporting services. Currently, these include our helpdesk, subscription management, and marketing systems.
As a Processor
SmartFile is a file storage and management service serving business customers. The two ways our service is utilized are in the cloud (on our servers) and with our on-premise solution, both of which are where files are uploaded for storage and management. Our customers (controllers) control and determine what data and files are uploaded (some of which may contain personal data), who has access and rights to those files, and how long the records are stored. SmartFile, as an enterprise supporter and service provider, does its part to ensure appropriate safeguards and measures are in place that underpin these functions.
Article 32 of the GDPR addresses the security of processing activities and requires organizations to have the appropriate technical and organizational measures in place to effectively and securely process data. At SmartFile, we have always taken this role seriously and provide a multifaceted approach, some of which include SAAS 70 and HIPPA certifications, encryption in transit and at rest, and control over connections and data transfer methods. For a detailed look at our security, please click here.
System access, stability, and resiliency are critical to the health and operations of any business. We have multiple systems in place to ensure safety to that end including redundancy, multiple firewalls, alerts, activity logs, and direct access to view system status and downtime. We even post system updates and notification to social media. To view our current system status, please click here.
Data Subjects Rights, Requests, and Investigations
The rights of data subjects included within the GDPR regulation is one area where requirements have become more expansive (as noted in Article 5 and 12-21). Once our customers have taken the necessary precautions on their end for express consent and notification of data collection, SmartFile can support them in assisting with the protections, access to, requests of, and general management of that data. Our customers have complete autonomy and authority to determine what is stored and for how long, who has access, and the ability to make any necessary changes and updates upon request of the data subject or according to business need. Customers can also run reports to determine what has been done with files and respond accordingly. Our customers determine what data is obtained and stored and SmartFile keeps that data secure. We also have Support and Help/Tutorials to assist in these functions. Should our customers require assistance in performing any of these functions in the regular course of business, upon the request of a data subject, or as a result of an investigation, SmartFile can help our customers respond in a timely manner. For more information, please click here.
In Article 46 of the GDPR, the regulation speaks to appropriate safeguards being in place to ensure reasonable protections for personal data along with “enforceable data subject rights and effective legal remedies for data subjects”, especially when transferring that data to a third country or international organization. Our customers need to be sure that their business partnership with us is legal, binding, and in compliance with GDPR standards.
SmartFile addresses this in our Terms of Service and Data Processing Agreements so that our customers can maintain confidence in partnering with us. Our customer contracts are legally binding and contain language with the necessary inclusions to be GDPR-compliant. For a link to our Terms of Service, a sample Data Processing Agreement (or request for one), or to contact us directly for more information, please click here.
Data Breach Notification
Keeping data secure is our number one priority and one of the main reasons our customers choose to do business with us. We pride ourselves on security. In today’s world, there is always a risk of a data breach, even with the best, most up-to-date measures in place to prevent it. In the event a data breach does occur, we have appropriate policies and procedures in place to provide timely notice to our customers, and any required agency, as stated in Articles 33 and 34 of the GDPR. You can view that policy here.