How is data protection ensured by Saaswedo?
Across its business and technology platforms (MyTEM360 and Datalert), Saaswedo complies with the regulatory requirements of the GDPR.
Saaswedo and its clients sign a GDPR contract that commits the parties to comply with its provisions.
Main provisions of GDPR compliance
Who is the Data Controller?
As defined by Article 28-1 of the GDPR, Saaswedo is not the Data Controller, but the processor. As such, Saaswedo provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. The Data Controller is the client.
How is data retention/purge managed?
Personal data is stored only within the scope of projects assigned by the Data Controller.
Our standard practice is to store raw usage data for one year in the Saaswedo database. For performance reasons, reporting statistics and aggregates are displayed in the application with the previous two months of history.
The data (which is the Client’s property) pertaining to the Client and its users are stored for the duration of the contract and one year after contract termination.
How is the right to be forgotten managed?
If the client makes a written request, Saaswedo can delete or anonymize data pertaining to a user.
In this case, the results provided by the application could potentially include errors (e.g. erroneous statistics or analytical results).
Raw billing data transmitted by operators and raw HR data transmitted by the business are not included in this scope, as deletion of this data needs to happen at the source.
How is user consent managed?
Obtaining user consent for Datalert to store and process data is the Client’s responsibility (Data Controller).
How are (potential) cases of data breach managed?
In the event of any security incident that leads to a data breach (e.g. intrusion or disclosure, data loss, etc.), Saaswedo will alert the Client and provide information pertaining to the incident. The Client is responsible for informing users.
How does Saaswedo guarantee data accuracy?
Saaswedo does extensive testing in software development to ensure accuracy of data generated through its processing, and validates that the processing operates in the production environment.
The Client is nevertheless responsible for the accuracy of data inputs, particularly data concerning its organization and its users.
How does Saaswedo guarantee data integrity?
Saaswedo leverages a secured, redundant architecture to ensure service availability 24/7.
In addition, data is backed up incrementally on a daily basis, and fully on a weekly basis.
Has Saaswedo appointed a Data Protection Officer (DPO)?
Yes, Saaswedo has a DPO.
Types of data processed
Does Saaswedo process sensitive data?
No, Saaswedo does not process any sensitive data (racial or ethnic origin, political opinions, religious or philosophical convictions, trade union memberships, genetic data, biometric data that could identify an individual’s unique physical characteristics, health-related data, data regarding sexual activity or sexual orientation).
Does Saaswedo process personal data?
Yes, Saaswedo’s business involves processing of personal data as part of processing telecom usage and billing data as well as HR data related to the client’s enterprise (directly or indirectly) and the Data Controller.
What data is stored in the Saaswedo databases?
For Datalert:
- For each user: Full name, email, EID, carrier, plan, policy, data volume used (at 15-minute intervals), country of traffic, usage split per App (Android only), Datalert activity history.
- On a company level: carriers, plan details, policies, MDM settings, company logo, administrator credentials.
For MyTEM360:
- For each user: Full name, email, EID, line number, carrier, plan and options attached to the line, telecommunication costs and volumes, CDRs (without their content), device, employee's manager name, cost center. Data history for the purpose of the mission.
- On a company level: carriers, plan details, policies, MDM settings, company logo, administrator credentials.
Of this data, which is considered personal data?
Data that identifies the user (name, email, telephone number), as well as usage data.
Is Datalert transmitting any details on the content of the used App?
No, Datalert only tracks the amount of data used. Datalert does not track or access content of any kind.
Where is client data located?
The client can choose to house its data either on the Amazon Web Services (AWS) platform in the “Europe-Frankfurt” region or on the AWS platform in the “US-Northern Virginia” region. The data is thus located in the data centers of the selected region.
For operational reasons, Saaswedo can change the location of its EU platform to another AWS European region, and of its US platform to another AWS US region.
AWS does not move client content outside of the client’s selected regions, unless necessary to comply with a law or official decree (source: AWS Risk and Compliance Overview).
Data processing
What types of analysis are conducted on usage data?
Usage data is aggregated to enable an administrator to manage telecom resources of enterprise users and to enforce rules for usage of these resources.
Usage data allows real-time forecasting of expected costs to be billed by telecom carriers.
Securing data on the user device
On the device, the Datalert application (agent) that collects usage data does not share any information with other applications or the device.
In the event that the agent is uninstalled, the data in the application container is deleted.
The data transfer that occurs every 15 minutes is encrypted (HTTPS protocol).
Securing data on the Datalert platform
The Datalert platform is hosted by Amazon. Amazon guarantees the physical and logical security of its data centers and the environment in which the Datalert platform operates.
Saaswedo implements AWS resources and application rules that protect access to data:
- encryption of data in the database
- network filtering
- restriction of access to the platform
Data access
Client access via the Datalert application
Access to the Datalert application is password protected, which controls administrators’ and users’ access rights.
User management is the responsibility of administrators. The Datalert application enables secure creation of new logins/passwords and offers enrollment procedures for administration of MDM.
Administration of passwords for Client users and administrators
The application enforces a standard password administration policy: minimum number of characters, mixed types of characters, required scheduled renewals.
Access to the platform for maintenance and production
Only the Saaswedo team authorized to work on the platform is allowed direct access to data in the database.
Authorization is managed using the appropriate AWS authentication tools (AWS IAM).