General Data Protection Regulation (GDPR)

The EU's General Data Protection Regulation requires companies to protect the privacy of their EU customers. This means that personally identifiable information (PII) must be protected. Here's what you need to know.


Servers and backups

Our hosting policies are as follows:

  • Firewalls protect the server, which is also monitored to detect and block external intrusions.
  • We hire security experts who regularly analyze our server logs to detect potential security flaws.
  • Infrastructure and operating systems are regularly updated with the latest security patches and best practices.
  • Each service of the application (web server, database, email) is either hosted on a separate server or provided by a separate SaaS.

Backups

  • Backups are made daily and stored for as long as necessary (by default, they are kept for 30 days).
  • Whenever files are to be exported outside the server infrastructure, encryption is performed using GPG.

Disaster recovery

Our deployment process is automated. In the event of a component failure, it is relatively simple to provision a new server instance. A failure of the database would be the worst-case scenario, since it is the only persistence layer that cannot be rebuilt from another data source. In that case, our cloud hosting service regularly takes server snapshots, from which we can load and restore a SQL backup copy.


PII storing

The PII stored in LogAlto is:

  • E-mail address (username)
  • Full name
  • IP address

PII is stored in the database and in web server access logs. We transfer PII to Rollbar for platform error monitoring.

Other PII stored in LogAlto will vary depending on how the forms module is used (for example, if you create a “Beneficiary” form, you might store other PII in LogAlto). Normally, users should obtain consent from beneficiaries before entering their information in LogAlto, and should manually delete that information if the beneficiary requests it. It is also possible to delete backups at the customer's request. In addition, we will make improvements to help customers comply with GDPR requirements when using LogAlto. For example:

  • Facilitate batch deletion of records
  • Facilitate creating and attaching consent forms

Contact us for more information!