The General Data Protection Regulation (GDPR / DSGVO) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was approved by the EU Parliament in April 2016 and came into effect on May 25, 2018.
GDPR is especially concerned with protecting the personal data of individuals. Personal data (Art. 4 GDPR) consists of any information that allows us to identify a person directly or indirectly and can be anything such as a name, email address, credit card number, or documents with personal information.
A subprocessor is a third-party data processor engaged by Cloud-IAM, including entities from within the Cloud-IAM group, who has or potentially will have access to or process Customer Content (which may contain Personal Data). Cloud-IAM engages different types of subprocessors to perform various functions as explained in the tables below.
Cloud-IAM uses the following subprocessors to provide the cloud infrastructure environment and storage for Cloud-IAM's Keycloak clusters. Personal data of Cloud-IAM's customers' customers will only be stored there:
Processing of Cloud-IAM's Customer Content. Cloud-IAM works with various subprocessors that monitor, maintain and otherwise support the Cloud-IAM control plane (Cloud-IAM's dashboard and Cloud-IAM's REST API). In order to provide this functionality, these subprocessors may, but not necessarily will, have access to Cloud-IAM's Customer Content but never to the content of Cloud-IAM's customers' customers.
* Note, the list of subprocessors applies to any new Cloud-IAM customers as of that date, or existing Cloud-IAM customers who have not otherwise received notice of a different effective date of this list.
As a French SaaS we can provide the highest degree of GDPR compliance. We rely on best-in-class global companies to provide our customers with the best possible confidentiality, integrity and availability. We understand that you might not want to rely on our or our subprocessors' controls and measures to safely handle your personal data and that of your customers. We can provide high-quality, that include access to our support services without accessing your data.
We run batch jobs that analyze the last date of connection and activity of our customers, as well as batch deletion after 6 months of inactivity.
There are no data transfers from your deployment to outside the EU (I assumed your deployment will be in the EU). The only data transfers that exist with our customer deployments are the cold backups we generate for disaster recovery, and they are stored in a French datacenter. Furthermore, all our operatives and consultants that might access your deployment are located in the EU.
Cloud-IAM does not manage these users for GDPR. Regarding your own user database (i.e., your deployment), you must establish the required processes to comply with GDPR yourself and declare all data transfers that you handle independently. In this case, Cloud-IAM acts as a subprocessor, and our DPA specifies what we do.