Politique de confidentialité
Subject to the terms of this Agreement, Company will use commercially reasonable efforts to provide Customer the Services (as such term is defined in Section 1.3), [including an application programming interface (the “Elba API”)]. Company reserves the right to update or modify the Services at any time, including to add or remove features with or without prior notice. As part of the registration process, Customer will identify an administrative user name and password for Customer’s Company account (the “Administrative Account”). Customer may register additional user accounts, provided that such accounts shall be associated with a specific individual, and accounts and passwords may not be shared or disclosed to other individuals within or outside of Customer’s organization. Customer will be responsible for any actions taken by parties with access to such usernames and passwords. Customer will inform Company immediately if it discovers that any such account and/or password has been disclosed or made available to a third party. Company reserves the right to refuse registration of, or cancel passwords it deems inappropriate.Subject to the terms hereof, Company will provide Customer with reasonable technical support services in accordance with the Company’s standard practice.
1 - Data collected by elba & purposes of processing
In accordance with its subscription to the contract which binds us, Elba collects the following data:
Client's data
- Name, surname, email address of the contact
- Corporate name
- Public information (such as legal form of the company, registration number, address, share capital)
- Invoice contact
For this processing, elba must be qualified as controller of the data, provided that we determine the purposes and means of the processing of the data.
Data provided by the client in order for elba to be able to provide the phishing campaign survey report and deliver security awareness program
- Employee ID
- Gender
- Job title
For this processing, Elba must be qualified as processor, as we process data on Your behalf. Elba's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.
2 - Our working environment
Elba offices are located in Vannes, Paris (France) and Tampa (United States).
The persons with access to the company premises are as follows
- Personnel duly authorized by Elba, subject to an employment contract or a traineeship agreement
- Any service providers for the strict performance of their mission, duly authorized by Elba, but not benefiting from any means of access, even temporary (badge) and accompanied by authorized staff in all circumstances
- Couriers and delivery personnel, if any, duly authorized by elba, but not benefiting from any means of access, even temporary (badge) and accompanied in all circumstances
The premises are accessible as follows
The entrance door is double locked (two digicodes), only managers and employees duly authorized by elba are given the 2 entry badges. The badges are non-reproducible. Elba employees are obliged to be equipped with an entry badge at all times. The badge is kept by the employee for the duration of the employment contract. At the end of the contract, it is returned to the management of elba. All access to data in critical technical areas by personnel has to be duly authorized by the founder of elba entry to the premises is controlled by a video surveillance system. The cameras operate 24 hours a day, 7 days a week and are located at the entrance to the premises.
3 - Data accesses & security
Elba has put into place all necessary technical and organizational appropriate measures in order to ensure the safety of the processing that is carried out within the framework of our contract and guarantee the protection of the rights of the persons concerned by the processing and meet the requirements of the applicable regulation.
Only the founder of elba has access to the solution on which the data is processed internally in order to provide the phishing report. Elba uses a unique identifier and password per application used. The identifiers are confidential and there are no shared accounts, identifiers or logins. Passwords are changed quarterly according to a specific procedure (complex passwords, numbers and punctuation). An automatic session locking mechanism (every 10 minutes) and the installation of a firewall are installed on our devices and computers. The internal WIFI has a password specifically dedicated to employees (subject to very strict confidentiality rules) and a different password specifically dedicated to guest users which can only be communicated to the latter (i) when necessary and (ii) by an employee duly authorized for this purpose. No passwords are posted on the company's premises.
We are subject to an obligation of confidentiality and discretion regarding the data to which we have specific access. We must ensure that the data to which we specifically have access cannot be read, duplicated, copied, modified or deleted without the appropriate authorization.
We have set up a system for the daily recording of the identifiers of employees and users on our solution, their connection times, the type of data consulted and the related references.The event logs are monitored every day in order to detect any anomalies. The logging policy includes the following elements: list of data collection sources, list of events to be logged by data sources, purpose of logging by event, frequency of collection and time base used.
Elba asks its clients to provide the data on a secured Google Drive which is only accessed by its founder. Furthermore, elba never prints data of any kind on paper.
4 - Our staff
Staff with access to the data is subject to a clause specifically aimed at the confidentiality of the data to which elba has given them access to for the execution of their mission. All elba staff members have been duly trained and informed of the provisions of the applicable regulation and its consequences. Each new employee also receives a training course on the subject.
Any violation of the obligation of confidentiality to which it is subject and/or of the procedures imposed by elba will lead to a sanction of the employee at the origin of the fault that may go as far as the withdrawal of his specific access rights and/or his dismissal - in compliance with the provisions of the legislation and regulation in force and depending on the degree of seriousness and the consequences.
The founder of elba has been appointed as security manager in charge of defining the procedure to be followed in the event of a data breach and possibly to evaluate the appropriateness and/or the obligation to notify the CNIL/persons concerned (if requested by the applicable regulation) by the breach.
He has also been appointed as manager of the rights of the concerned persons, and is therefore in charge of responding (if needed) and collaborating with the client on requests to exercise the rights of data subjects (right of access, rectification, deletion, limitation of processing, opposition, portability).
You can write to the founder at the following address: gdpr@elba.security
5 - Data retention
Subject to the mandatory preservation period of all data related to client’s files, which is five (5) years as of the end of the contractual relationship, the client’s identification data shall be retained by elba for a period that shall not exceed same period. In accordance with the applicable legislation, the accounting billing data is kept for a period of ten (10) years.
Elba hereby confirms that it deletes the data provided by the client within 2 years after it was provided to elba.
6 - Management of crisis situations
In case of violation of systems and databases, elba undertakes to take all useful precautions with regard to the nature of the data and the risks presented by the processing in order top reserve the security of the data.
To this end, elba has put into place an internal policy in the event of a real or supposed violation or attempted violation of data including all internal procedures and technical and organizational measures to ensure:
- That the means previously implemented by elba render it possible to avoid cases of data violation
- That all internal procedures put into place to ensure the communication of the mandatory instructions in a case of real or supposed data violation are properly informed (disconnection of the machine, machine maintained under power, live warning of the security manager, copy of the hard disk)
- In the event of an actual breach, that a detailed report is drawn up by the appointed teams, signed by the security manager (who is also the legal representative of elba),including the list of persons in charge of analyzing the breach, the successive stages of the analysis, the nature of the intrusion, the approximate number of people concerned by the breach, the probable consequences of the breach and the measures envisaged by elba to deal with and mitigate it.
In addition, a self-assessment is carried out, annexed to the violation analysis report, including the level of seriousness of the violation on the rights and freedoms of the persons concerned.
In the case where the violation entailed a risk for the rights and freedoms of the data subjects, a procedure for notifying the competent authority (for France: Commission Nationale de l’Informatique et des Libertés, the French “CNIL”) and the data subjects is provided in the internal violation policy.
These provisions, as well as the internal data violation policy is applicable to situations in which Elba is the data controller within the meaning of the regulation, but also in cases in which Elba is a processor within the meaning of the same regulation, it being specified that in the latter case Elba will provide its full collaboration to the data controller and undertakes to notify the existence of a violation immediately after its discovery and to document it according to the same procedure if required by the aforementioned regulation.
7 - Our data processors
Elba hereby informs the client that it employs the following subcontractors:
- Subcontractor: AWS ; Function: Data hosting; Privacy policy: AWS
- Subcontractor: EU Customers ; Function: Data hosting ; Privacy policy: AWS - Frankfurt
- Subcontractor: US Customers ; Function: Data hosting ; Privacy policy: AWS - North Virginia
Elba informs its client that it has only employed subcontractors who have put in place all technical and organizational measures in order to respect the guarantees required by the applicable regulation.
8 - Data hosting and transfers
As described in the previous article, the client’s data as well as data provided by the client in order to provide the Report, as well as the Report itself are hosted on Google’s servers which are located in the European Union. Therefore, no data is subject to any transfer outside of the European Union area.
Elba also informs its clients that the only recipient of the data (clients’ data as well as data provided by the client) is elba and especially its founder (notwithstanding communication to the public competent authorities if required by regulation and the host of the data).
Contact us
For any further information, please contact us at: gdpr@elba.security.