Nuvolex GDPR Information

Last Update: 5/19/21

What is GDPR and how does it apply to Nuvolex and their European customers?

The GDPR (General Data Protection Regulation) comes into force on 25 May 2018 and represents a significant overhaul of data protection law in the EU. It strengthens the rights of data subjects in relation to the uses that governments, businesses and other organizations can make of their personal data and imposes new legal obligations on those organizations about how they hold and process personal data relating to their staff, customers, suppliers and other stakeholders. This FAQs list provides more detail about the concept of personal data, the kinds of personal data that we hold, and what we have been doing as a company to prepare for GDPR.

 

What steps have we taken within Nuvolex to prepare for GDPR?

  • Undertaking an internal data-mapping exercise, to ascertain exactly what kinds of personal data we hold, the sources from which it is obtained, and how it is used.
  • Ensuring that we only process personal data where this is permissible according to the one or more of the “lawful bases” of processing set out in the GDPR, including for example, that the data subject has given consent to the processing, that the processing is necessary for the performance of a contract with the data subject, or that the processing is necessary for the purposes of the organization’s “legitimate interests”.
  • Updating our cookie policy and privacy notices to ensure that data subjects such as customers and staff are properly informed about all the details that GDPR requires us to notify them about, including the identity and contact details of Nuvolex as the controller of the personal data, the contact details for the person responsible for data protection within the organization, the purposes of the processing, and the “lawful basis” for it.
  • Developing and implementing several new policies and procedures to ensure that we are able to respond efficiently to data protection issues, including a Subject Access Request Procedure and a Data Retention Policy; and
  • Creating a Data Protection Addendum to our standard terms of engagement that addresses the GDPR’s requirements regarding contracts between data controllers and data processors where we are handling personal data on behalf of a client.

 

What does the concept of “personal data” cover?

The GDPR applies to “personal data”, which means any information relating to a living person who can be identified (directly or indirectly) from that data by itself, or by reference to some identifier such as a name or user ID, location data, or an IP address or other online identifier.

The GDPR applies both to personal data held electronically and to personal data held in manual filing systems, if the information is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

Even personal data that has been anonymized or pseudonymized can still fall within the scope of the GDPR, if it is practicable to “reverse engineer” the anonymization or pseudonymization in such a way as to associate the data with a given individual.

 

What kinds of personal data do we hold within Nuvolex?

Nuvolex generally holds quite a limited set of personal data. The main category of personal data that we hold is information relating to individuals within our corporate customer base, such as:

  • Contact Data – When someone submits an inquiry through the Nuvolex website, either by completing our contact form or requesting a product demo, their contact information will be recorded and stored in our secure database.
  • Profile Data – We may collect and store information about our contacts that is obtained through cookies, log files, and/or third parties (e.g., Google Analytics) to create a profile of our users. The purpose of such a profile is to better understand how users’ access and use the Nuvolex service to provide offers and make improvements.
  • Registration Data – When someone signs up to Nuvolex, they will be asked for their company name, address, billing address, e-mail address, and phone number. Our primary purpose in collecting this information is to provide our customers and Customers with a customized, efficient, and easy to use service.

 

What kinds of personal data is processed by The Nuvolex ManageX platform?

When a Nuvolex customer onboards one or many tenants from cloud services such as Microsoft 365, personal data from the users inside the tenant is captured and stored in a secure database. The tenant data that is imported directly from each cloud service supported on the platform is limited and only relevant to the functionality of the Nuvolex ManageX platform. The ManageX platform has a very limited scope of personal information that is processed and stored. At no time are we processing or storing any user data outside of the defined scope of the ManageX platform.

Nuvolex ManageX User Data Requirements:
  • First Name, Last Name 
  • Display Name 
  • Phone Number  
  • Department 
  • Address 
  • Job Title 
  • Microsoft 365 Service Usage Location 
  • Group Memberships 
  • Azure AD and/or Active Directory User Principal Name 
  • Primary SMTP Email Address 
  • User Mailbox Aliases  
  • Account Status    
  • Immutable ID 
  • User Source Data

Personally identifying information is also gathered and processed on Nuvolex ManageX Administrator Accounts for the purpose of identifying logged in users and applying authorization and access policies to the ManageX service. This information may also be used in support scenarios such as responding to support requests, sending product update information or information around planned downtime. Nuvolex uses this information for the purpose of authentication, authorization and product support.

Nuvolex ManageX Administrator Data Requirements
  • First Name, Last Name 
  • Email Address  
  • IT Administrator Privileges 
  • Azure AD User Principal Name

 

Where does Nuvolex host the personal data processed by the ManageX platform?

The personally identifying information that is gathered and processed on Nuvolex ManageX platform is currently located on one of two Microsoft Azure datacenters.  For North America customers, Nuvolex runs the ManageX application and stores all data in the Microsoft Azure California datacenter.

For European customers, the ManageX application and all personal data is located in the Microsoft Azure Frankfurt, Germany datacenter.

 

Who at Nuvolex has access to the personal data and what can they do?

Due to the high degree of sensitivity to end customer personal data, only the following Nuvolex employees have access to this information:

  • Nuvolex Support Staff
  • Nuvolex IT Staff
  • Nuvolex Account Manager

Nuvolex Support Staff may use personal data for the purposes of troubleshooting issues as well as contacting customers to assist with support cases.

Nuvolex IT Staff manage the Nuvolex Azure Databases where personal data is stored and are limited to database administration activities such as managing backups, DB optimizations, and resolving DB issues.

Nuvolex Account Managers may use personal data to contact customers for the purposes of managing customer relationships and accounts.

 

Do’s and don’ts we observe regarding personal data?

  • Ensure security for personal data
    • The GDPR requires that personal data is processed in a manner that ensures its security. This includes protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organizational measures are used. Nuvolex has put in place suitable measures, which are discussed in more detail in Section 8 below, and we have also stressed to our staff the importance of ensuring security.
  • Keep personal data accurate and up to date
    • The GDPR requires that any personal data we hold is kept accurate and up to date. Nuvolex staff regularly check the contacts for whom they are responsible, to make sure that the details that we hold in our systems remain current. The Nuvolex ManageX platform automatically synchronizes data from cloud services to ensure the data is kept up to date and accurate
  • Use “opt-in” language on future sign-up screens
    • The GDPR restricts most forms of unsolicited communications and requires that people actively opt-in to receiving electronic marketing communications. This means that pre-ticked boxes, opt-out boxes or other default settings, which rely on the individual’s inertia as consent – rather than a positive, affirmative step – no longer constitute valid consent. We have endeavored to make obtaining consent as granular as possible, so that we are only communicating with people about the products and services they are interested in, and through the channels (email, telephone, post) that they prefer.

 

Where to go if I want to know more about what Nuvolex does with my personal data?

All users of the Nuvolex service, and any other interested parties can find more details on how Nuvolex handles personal data in the following links:

Nuvolex Privacy Policy

Nuvolex GDPR Addendum

 

What measures do we have in place to ensure the security of personal data relating to users?

Security and privacy have been designed into Nuvolex from the start, and some of these measures are set out below:

  • We minimize the personal information we collect about users, and only collect such information when we have the user’s explicit permission.
  • All our systems and data are hosted with a highly certified Tier 1 hosting provider, currently Microsoft Azure.
  • All data stored using Azure DB services with encryption enabled for data at rest as well as data in transit.
  • Strict organizational access controls and procedures have been put in place to limit Nuvolex internal access and handling of user data.
  • EU-based customers may choose to access the ManageX platform that resides in our EU site (Frankfurt, Germany), in order to be sure that they benefit from the protections that the GDPR affords such as limitations of external data transfers.
  • Additional information on the Nuvolex ManageX platform security measures can be obtained by request.

 

What happens if Nuvolex becomes aware that personal data has been lost, stolen or corrupted?

A “personal data breach” is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This might include, for example, unauthorized accessing of personal data by Nuvolex staff or third parties; sending personal data to an incorrect recipient; or laptops or mobile phones containing personal data being lost or stolen.

In the event of a personal data breach, Nuvolex may be legally required to notify the authorities and/or the data subjects themselves, and to do so within very tight timescales. Our staff are trained to know that any actual or suspected breach must be reported to their manager, who should also be provided with full details, in order that we can start our formal process of deciding how to respond.

 

Who is your Data Protection Officer?

Not all companies are required by law to formally appoint a Data Protection Officer (or DPO). In the case of Nuvolex, we have decided not to appoint a DPO, and have instead designated a senior member of our team as the lead person with responsibility for data protection:

dpo@nuvolex.com
459 Hamilton Ave, Suite #303
Palo Alto, California 94301

If you have any requests as a data subject (including without limitation subject access requests, requests for data rectification, or requests for erasure of personal data), or if you are aware of or suspect a personal data breach relating to personal data, please notify Nuvolex using the contact details set out above.

 

Where do I go for more information?

If you have any further questions about how we use personal data or how we comply with GDPR, please contact Nuvolex using the contact details in Section 9 above.

Further information about GDPR generally can also be obtained from the website
www.edps.europa.eu.

Nuvolex GDPR Addendum 

Last Update: 5/19/21

The EU’s new General Data Protection Regulation (known as GDPR) originally came into effect on May 25, 2018. This new standard defines how businesses need to protect the privacy of EU residents and replaces the Data Protection Directive 95/46/EC. GDPR is designed to standardize the way personal data is processed and stored and to protect the data privacy of all EU citizens.

Security and privacy are of highest priority at Nuvolex. Our Platform and related processes are GDPR compliant, and a number of our policies have been adapted to reflect GDPR legislation.

The below information outlines the different elements of how Nuvolex handles data, privacy and compliance with GDPR.  For further information, please contact DPA@nuvolex.com.

  1. Introduction

1.1 This Addendum applies to any Personal Data that our Customers store using the Services. It sets out the parties’ respective rights and obligations regarding the treatment of any such Personal Data that Nuvolex processes while providing the Services.

In This Addendum

Data Protection Legislation” means (i) the GDPR, unless and until the GDPR is no longer directly applicable, and then (ii) any successor legislation to the GDPR or the DPA.

DPA” means the UK Data Protection Act of 2018, as amended or updated from time to time.

GDPR” means the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time.

Other Applicable Laws” means the laws of any member of the European Union or the laws of the European Union applicable to Nuvolex concerning the Processing of Personal Data, other than the Data Protection Legislation.

Special Category Data” has the meaning set out in the Data Protection Legislation, and includes for example information about a data subject’s ethnic origin; politics; religion; trade union membership; genetics; biometrics, health; sex life; or sexual orientation.

1.3 In this Addendum, the terms “Personal Data”, “Data Subject”, “Processing”, “Data Controller” and “Data Processor” have the meanings set out in the Data Protection Legislation.

1.4 Annex 1 to this Addendum sets out the categories of Data Subject whose Personal Data will be processed, the types of Personal Data, the scope, nature and purpose of the intended Processing, and the duration of the Processing.

  1. General Obligations of the Parties

2.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer or as defined in the Terms of Use Policy is the Data Controller and Nuvolex is the Data Processor.

2.2 The parties will comply with all applicable requirements of the Data Protection Legislation. The provisions of this Addendum are in addition to, and do not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.

  1. Obligations of the Customer

3.1 Without limiting paragraph 2.2, the Customer is responsible for ensuring that it has all necessary consents and notices in place to enable lawful transfer of the Personal Data to Nuvolex for the duration and purposes of the Services.

3.2 The Customer must not submit, collect or use any Special Category Data with or to the Services, and Service Providers must ensure that none of its Clients submits, collects or uses any Special Category with or to the Services. The Customer agrees that Nuvolex shall have no liability for Special Category Data received from the Customer or any Client, notwithstanding anything to the contrary herein, and all such liabilities are hereby excluded to the fullest extent permitted by law.

3.3 The Customer shall indemnify Nuvolex in respect of any claim by a Data Subject that the processing by Nuvolex of Personal Data submitted by the Customer or by any Client is unlawful on the grounds that Nuvolex was not entitled to process the Personal Data.

  1. Obligations of Nuvolex

4.1 Without limiting paragraph 2.2, Nuvolex shall comply with the following provisions of this Section 4, in relation to any Personal Data processed in connection with its performance of the Services.

4.2 Nuvolex shall process the Personal Data only on the written instructions of the Customer or Client, unless Nuvolex is required otherwise by Other Applicable Laws. Where Nuvolex is relying on Other Applicable Laws as the basis for Processing, Nuvolex shall promptly notify the Customer of this before performing the processing required by the Other Applicable Laws (unless those Other Applicable Laws themselves prohibit Nuvolex from doing so).

Nuvolex shall ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential.

4.3 Nuvolex shall ensure that it, and any sub-processor it engages with, has in place appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data. In this paragraph 4.3:

4.3.1 “appropriate” means that the measures are appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures; and

4.3.2 the measures in question may include, where appropriate, pseudonyms and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of Nuvolex systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it.

4.4 Nuvolex shall assist the Customer in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.

4.5 Nuvolex shall delete or return Personal Data and copies thereof to Customer on termination of the Services, in accordance with Section 8 of the Terms of Use Agreement, unless required by the Data Protection Legislation or Other Applicable Law to retain the Personal Data.

4.6 Nuvolex shall maintain complete and accurate records and information to demonstrate its compliance with this Addendum and make them available for inspection from time to time as legally required by the Customer or its designated auditor.

4.7 Nuvolex shall immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Legislation or Other Applicable Laws.

4.8 Nuvolex, or any of its Sub-Processors, shall not, without the prior written consent of the Customer, transfer any Personal Data processed on behalf of the Customer, outside the European Economic Area unless (a) the Customer onboards their Personal Data or the Personal Data of Clients to Nuvolex data centers that are located outside of the EEA.

  1. Engagement of Sub-Processors

The Customer consents to Nuvolex appointing one or more subcontractors as third-party processors of Personal Data under this Agreement. Nuvolex confirms that it has entered or (as the case may be) will enter into a written agreement with each third-party processor incorporating terms which are substantially similar to those set out in this Addendum. If so requested by the Customer, Nuvolex shall notify the Customer in writing with details of the relevant subcontractors (including company name, scope of processing and location of services) whenever a new subcontractor is engaged, and with details of all subcontractors at least once in every 12-month period. If the Customer objects to the selection of any sub-processor selected by Nuvolex, they have the right to discontinue use of the Nuvolex platform.  As between Nuvolex and the Customer, Nuvolex shall remain fully liable for all acts or omissions of any third-party processor appointed by it under this provision.

Annex 1 to the Addendum

Particulars of Processing

[Details to be completed by the parties, having regard to the nature of the personal data that will be processed under this Agreement. GDPR requires this information to be included in any Controller-Processor arrangement.]

1 Categories of Data Subject

2 Types of Personal Data to be processed.

3 Scope, nature and purpose of Processing

4 Duration of Processing