On May 25th, 2018 the European Union tightened its requirements for the protection of personal data. The General Data Protection Regulation (GDPR) reinforces the rights of individuals and the obligations of organizations that collect and process such data.
The purpose of this document is to make eXo customers aware of their regulatory obligations to comply with the GDPR, and to inform them of its impact on their eXo Platform installation.
Is your organization impacted?
Although these data are generally freely provided by users, they meet the definition of personal information in the regulation. So you must make sure you’re in compliance.
Who is responsible for the data?
Your organization is the controller of the personal data stored on your eXo Platform, wherever those data are hosted (in the cloud or on your premises) and whatever they are used for.
When you have a subscription contract with eXo Platform, we act as a processor because we sometimes host this data. But we also maintain the software that uses it. We are therefore subject to the responsibilities set forth in Article 28 of the regulation.
As such, we also have an obligation to assist you in your compliance efforts. In addition to the recommendations contained in this guide, we remain at your disposal through the support channel for any request for information or impact analysis concerning personal data.
Our engineers and consultants are aware of and trained in personal data protection matters. They have all the expertise and resources necessary to study your questions in relation to our software, and to propose remediation solutions or implementation advice.
What are the personal data?
In eXo Platform, the main personal data are collected on the user profile screen. They include: family name, first name, gender, email addresses, phone numbers, instant messaging handles, internet addresses, and a portrait photo. An “About me” section allows you to add a personal introductory paragraph.
Users can also add their past experiences and skills:
How are the data processed ?
eXo does not use the personal data of your eXo Platform users and does not transfer this data to third parties without your knowledge. As a software company, we are committed to protecting the data we host directly, and to enabling you to do the same when you host it yourself.
Be careful, however, if you have installed any add-ons that are not from eXo. We cannot guarantee that third party software installed on the platform does not access this data.
Again, even if it’s not an obligation, open source gives you the advantage to audit the code you install to make sure it doesn’t actually process your users’ personal data.
Data is either entered manually by administrators or users themselves, or synchronized with an enterprise directory. Under the GDPR, this synchronization treatment must be added to the records of processing activities that you must be able to produce upon request.
As part of our hosting services, a data backup processing is performed. All data is processed indistinctly so that it can be restored in the event of an incident. These backups are made daily and are stored on a redundant and separate secure infrastructure for up to 30 days.
Keep the users informed
You must inform your users of the purposes for which you collect their personal data. For example, you can do this by means of a user charter to be accepted at the first connection or by consent at registration time. In both cases you must obtain their explicit consent, usually through a checkbox in a form. These are easy things to implement with eXo Platform. Our technical teams will be able to explain to you how to set them up easily in your particular case, upon your request via the support.
In eXo Platform, the above profile data are there only to represent the digital identity of the person in the system. They are used in the context of collaborative and social functionalities, mainly for purposes of representation (to be identified, recognized, or contacted, and to be able to attribute their contributions) and interaction (chat, mention, comment, etc.).
The other profile information remains on the profile sheet. It is indexed in a database so that people can be found from their expertise and experience.
Enabling users to exercise their rights
Your users have the right to access, correct, or delete their personal data. To do this, the standard profile screen allows each user to modify all fields in order to exercise the first two rights. To hand over a user’s profile data, it is possible to obtain them in JSON format via API.
For the deletion right, the operation can be carried out very simply by an administrator. It consists of deleting the user’s account. Take note: that will prohibit access to the platform for that user in a definitive and irremediable way. If it is a less drastic request, to suspend access to data, think of the account deactivation function. The profile of a deleted or disabled user account will automatically be inaccessible.
We recommend that you set up a simple and easy way to make the rectification request. For example, you can develop a data correction request form using the ECMS functions, or simply send an email to the person designated as data protection officer. Here again, our technical teams are at your disposal to guide you through the implementation of such a form in eXo Platform.
Access to accounts is secured with an encrypted password. However, you should ensure that your users can change their passwords to secure their data as soon as they think their passwords may have been compromised. Resetting the password is a standard feature in the product that you should leave accessible from the login page.
In many cases, you manage passwords in a system other than eXo Platform, such as a directory or a single sign-on (SSO) service. Again, these passwords must be secured. Talk to to your service providers about that matter.
Except for the password, data is not stored encrypted in the database. If you host your own data yourself, you must ensure that your database management systems are sufficiently protected. Contact your database solution vendor to learn about the best practices.
As part of our hosting services, database servers are inaccessible from the internet. In addition, the stored data is encrypted on the disk.
Finally, access to the service forces the use of the HTTPS protocol, which encrypts data in transit between the browser and the server. eXo leverages leading cloud infrastructure providers (OVH and Google) that are certified on industry standard of security compliance labels. You can view their GDPR compliance commitments here:
Privacy by Design
The fact that it limits personal data to user profile fields is a design choice of the eXo Platform software (privacy by design).
On the other hand, the many collaborative applications it contains offer a multitude of free-form input fields, since this is the very principle of collaboration. We can therefore obviously not prevent your users from disclosing personal information in places not intended for this purpose (for example by giving a phone number in a post, or forum, or task, or event, etc.).
To deal with these cases, the software always gives administrators the possibility to delete the data in question (see our article on moderation tools). Similarly, as part of our hosting services, your functional administrators will have this possibility.
In the highly unlikely event that the deletion of certain personal data by the administration functions proved to be impossible, the system administrators will always have the possibility to perform the operation directly on the database. Our technical teams will guide them, step by step. Simply open a support ticket with the ‘privacy’ label, and it will be treated as a high priority.
Other questions ?
We are particularly sensitive about data protection and we take the utmost care in the design of our software, in our internal procedures and in the training of our teams, so that you can benefit from our services in complete security and in full compliance with regulations.
For any other request related to data confidentiality, contact us at the following address: