The GDPR is not the first privacy legislation: it builds on and improves existing legislation that already defined strict requirements for the management of personal data, as well as clear responsibilities and roles for the “data processor” and the “data controller”.
If you manage personal data you were already subject to strict privacy regulations before the GDPR. Privacy requirements in the GDPR aren’t completely new or totally different from the legislation that predates it.
The GDPR introduces some important new concepts such as “privacy by design”, which is mostly about company processes and encourages “good practices” that are already widely used.
So there is nothing completely new, but it is still a good opportunity to review our privacy and security posture.
The following paragraphs provide clarifications that can help identify the role of the Libraesva email security virtual appliance in relation to personal data.
Remember: the focus of the GDPR is on processes, not tools.
In an on-premise installation of the Libraesva email security virtual appliance, Libraesva provides you with the software, the security updates and the support services. You provide the infrastructure and the management.
In this configuration the data is stored on your own infrastructure and Libraesva does not have access to it.
The email security virtual appliance does not send any personal data to Libraesva. The emails and their metadata always remain on your own appliance within your own infrastructure.
Libraesva does not have any administrative rights on your appliance. You get to decide what is stored, for how long, and who has access to the data with which privileges.
Libraesva can gain access to your appliance only through the “remote support” feature.
“Remote support” is possible only if you initiate it yourself through the web interface or the console interface of the appliance. Libraesva cannot connect to the appliance on its own: a connection requires the active step of enabling the “remote support” connection, which only the administrator of the appliance can do.
“Remote support” is an exceptional measure that may be agreed upon, if necessary, with our support service during the management of a support ticket. Outside of this remote support context, we cannot access your appliance.
Libraesva cloud service
If you are also buying the Libraesva cloud service from us, everything said above about the on-premise setup applies to you, but there’s more.
When your appliance is in our cloud, we are also providing the hosting service. Your appliance is still private and you retain all of the administrative rights; however, in this case we also provide the infrastructure, and therefore we are a processor in relation to the data.
We provide the cloud service through cloud infrastructure operators that adhere to the CISPE code of conduct. You can read in this code of conduct all of the details about the security and privacy of the infrastructure.
Please note that our model is the “private cloud” model: you have your own virtual machine and you retain full administrative control over your appliance, just like in the on-premise scenario.
Libraesva features for privacy
Libraesva provides the following privacy-related features, which you can take advantage of on your path towards compliance with the GDPR.
- “Right to erasure” or “right to be forgotten”: with a single operation you can easily erase all of the information about one user, both from the email archive and from the metadata
- BEC (Business Email Compromise) protection engine: it prevents targeted attacks impersonating company managers (also called “whaling”)
- DLP (Data Loss Prevention) engine: prevents accidental loss of sensitive information
- Logging: all of the logs can be archived remotely in real time through the standard rsyslog protocol
- Auditing: all sensitive information is logged in a non-erasable audit log
- Email tracking prevention: removes beacons in emails that can track the physical location of the reader and gather intelligence about working habits
- Phishing and malware protection: over 90% of the data breaches start in this way