GDPR
OpenNDC has always honored its users’ data privacy and protection rights. Over the years, we’ve demonstrated our commitment to this by consistently exceeding industry standards. We do not need to collect and process users’ personal information beyond what is required for the functioning of our products, and this will never change. We have a privacy-conscious culture here, and GDPR is an opportunity to strengthen this even further.
1. What Is Personal Data?
Any data that relates to an identifiable or identified individual. GDPR covers a broad spectrum of information that could be used on its own or in combination with other pieces of information to identify a person. Personal data extends beyond a person’s name or email address. Some examples include financial information, political opinions, genetic data, biometric data, IP addresses, physical addresses, sexual orientation, and ethnicity.
2. How Prepared Is OpenNDC For GDPR?
We have acted on many fronts to adhere to this new regulation.
2.1. We have raised awareness across the organization through frequent discussions on our internal channels and trained employees to handle data appropriately. They now understand the importance of information security and the high standards set by GDPR.
2.2. We have assessed all OpenNDC products individually against the requirements of the GDPR. We have implemented new features that will give you more control over your data and ease your burden of achieving GDPR compliance.
2.3. Please look at what some of our products have done to be GDPR-ready.
2.10. We have established an Information Asset Register (IAR), which records all the roles OpenNDC assumes, such as data controller and data processor. It details the categories of personal data our organization processes, which department has access to which data, and for what purpose. It covers all of our processes and procedures.
2.5. We have assessed our sub-processors (third-party service providers, partners) and streamlined the contract process to ensure that they meet current security and privacy requirements.
2.6. We have appointed internal privacy champions for all our teams. We have also appointed a Data Protection Officer (DPO).
2.7. Our application teams have embraced the concept of privacy by design and have provided you with more control over the data you store in our systems. These provisions may vary based on a product’s characteristics and domain. We constantly endeavor to provide you with more enhancements, which shall be rolled out in phases.
2.8. We have amended our Data Processing Addendum (based on Model Contractual Clauses) to be compliant with the data processing requirements of GDPR. If you are the organization administrator and would like to sign a DPA with us, please drop an email to corp_comm@claritytts.com to request a copy of the Data Processing Addendum, mentioning which Data Center you've signed up for with your OpenNDC account.
2.9. We conducted Data Protection Impact Assessments (DPIA). Based on the results, we have put appropriate controls on data processing and management in place.
2.10. We conducted internal audits of our products, processes, operations, and management. The findings were communicated to our teams, who have worked out the solutions to the identified problems.
2.11. Based on the DPIAs and internal audits, we have improved our data security methods and processes. This includes encrypting data at rest, based on the level of sensitivity and likelihood of risks. We have developed in-house tools for better governance and discovery of data.
2.12. We have cleaned up our databases to ensure that we have only the latest and most accurate information. This cleanup process includes removing terminated and dormant accounts as per our Terms of Service.
2.13. According to our internal Privacy Incident Response policy, breach notifications will be issued when required. Customers will be notified of a breach within 72 hours (3 days) after OpenNDC becomes aware of it. For general incidents, we will notify users through our blogs, forums, and social media. For incidents specific to an individual user or an organization, we will notify the concerned party by email (using their primary email address).
2.14. We have revised our Privacy Policy to incorporate the requirements of the applicable privacy laws based on our data inventory, data flows, and data handling practices.