FRENDS & GDPR

FRENDS is fully a GDPR compliant integration platform. Learn more about the regulation and FRENDS here.

What is GDPR?

Regulation passed by the European Parliament to ensure data protection of all individuals in the EU

The regulation affects all systems that store or process personal data of any EU citizen

Personal data is any information related to a natural person, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Comes into effect on 25.5.2018

Maximum penalty of 4% of the organization's yearly revenue

FRENDS is a Data Processor Entity

In GDPR the personal data which is covered by the legislation has two distinct actors: Data Controller and Processor.

A controller is the entity that determines the purposes, conditions and means of the processing of personal data

A processor is the entity which processes that personal data in some manner on behalf of the controller

This means that our customers are identified as the data controllers while FRENDS is a data processor

In this regard FRENDS will ensure that you as the data controller will be able to fullfill all of your legal obligations regarding GDPR inside FRENDS

GDPR & Data Rights

Data processors such as FRENDS must be able to fullfill the following rights given to all individuals regarding GDPR:

Breach Notification

FRENDS actively monitors possible data breaches on a platform level using Azure Security Center best practices outlined here ( Detecting Threats With Azure Security Center)

We will commit to notifying you within 36 hours of a detected breach and it's severity

This will give you enough time to notify your end users as a data controller of the breach

We will also expect you to notify us of a breach resulting in other systems within 72 hours

Right to Access

Under GDPR any individual within EU can ask you, the data controller, if their personal data is being processed, where and for what purpose

FRENDS has native monitoring tools and supports full data auditing, meaning you can find all integration flows where an individual's data has been processed

From this monitoring data you can discern where the data has been used and for what purpose

You can use any data fields or combination of fields to search for integration flow executions containing an individuals data

Note that only data that has actually been processed in FRENDS can be searched. If for example FRENDS only transferred a secured file, where the contents of that file contain personal data, that is not considered to have been processed in FRENDS.

Right to be Forgotten

Under GDPR any individual within EU can ask that you, the data controller, erase all personal data regarding that individual

In FRENDS similarly to finding all integration flow instances containing an individuals data those same integration flow instances can be deleted, using FRENDS native features, from all data locations within FRENDS.

Deleting an integration flow instance removes all data associated with that integration flow instance, meaning you will lose the data itself and the information on where it was used

Note that while you are able to remove personal infromation of an individual in FRENDS, FRENDS is not able to remove that information from the systems that have been integrated into

Using the features listed under 'Right to Access' you can find out specifically each system and application where FRENDS has used the personal information in

Privacy by Design

GDPR introduces the concept of 'Privacy by Design' which means that data controllers and processors should take steps to minimize the risk involved in handling personal data

In FRENDS we tackle this by enabling customers to use 'data minimization', where the integration flows can be implemented to only process the absolute minimal amount of personal data

This 'data minimization' can be implemented when accessing personal data or systems by dropping (scrubbing) data fields that contain unnecessary personal data

Data minimization can also be natively configure in regards to FRENDS logging, meaning you can process data fields, but drop/scrub them when logging monitoring and audit trail infromation

FRENDS also contains out-of-the-box fine grained user management tools, which you can use to limit the number of people who can view monitoring data containing personal information

User management can also be tailored to fit your organizations authentication protocols and security policies

DATA PROCESSING

When using FRENDS your data will pass through five components described here in perfect detail.

FRENDS Agent

When executing integration flows, the actual data processing happens on a FRENDS Agent. Due to the hybrid architecture of FRENDS Agents can be installed either on-premise or in the cloud

When executing integration flows the Agent first executes all of the required data processing directly in the virtual machine memory

After integration flow execution the Agent first locally persists the configured logging data, the level and fidelity of which can be freely configured by the customer, and then sends that data to the Service Bus in the next step.

Agents in the Cloud

In the cloud FRENDS Agents are hosted in a virtual private network dedicated for each customer

Each Agent has a dedicated Azure virtual machine resource placed in the virtual private network

Agent's are using D2v3 series virtual machines described in more detail here

The Agent's are hosted using two data centers within the EU: Azure North Europe (Ireland) and Azure West Europe (Netherlands)

Agents On-premise

In on-premise installations the FRENDS Agent is installed on a Windows Server specified by the customer

In these scenarios the customer is responsible for the security of the hosting server and all related concerns

1

2

Azure Service Bus

After an integration flow, which has processed data, has been executed the data is sent to an Azure Service bus queue. The connection between the Agent and the Service Bus is always secured with SSL using an internally generated FRENDS certificate.

Each customer agent has their own isolated and dedicated queues to ensure no data is contaminated by other customer installations

The Service Bus is hosted using two data centers within the EU: Azure North Europe (Ireland) and Azure West Europe (Netherlands)

The Service Bus is responsible of persisting the data untill it can be processed to it's final resting place in the FRENDS Logging Database

This means that the data can temporarily be persisted outside of transport in the Service Bus

To ensure this is not an issue each message in the service bus is given a hard-capped time-to-live of 36 hours after which the data is deleted regardless

Read more about the Azure Service Bus here

FRENDS Message Processor

The FRENDS Message Processor -service is attached to the FRENDS User Interface and is responsible for reading the processed data from the Azure Service bus and processing it to the FRENDS Logging Database.

Each customer agent has their own isolated and dedicated FRENDS Message Processor -service to ensure no data is contaminated by other customer installations

The Message Processor -service is hosted using two data centers within the EU: Azure North Europe (Ireland) and Azure West Europe (Netherlands)

The Message Processor -service will not persist any of the data at any point and only processes it to a final format used by the FRENDS Logging -database

3

4

FRENDS Logging Database

The FRENDS Logging Database is the final resting place of any and all monitoring and audit trail information executed by the FRENDS Agents

Each customer agent has their own isolated and dedicated FRENDS Logging Databases to ensure no data is contaminated by other customer installations

The FRENDS Logging Database is hosted using two data centers within the EU: Azure North Europe (Ireland) and Azure West Europe (Netherlands)

The data is encrypted and secured according to the best practices outlined here

Access to the data monitoring and audit trail data contained in the FRENDS Logging Database is accessed through the FRENDS User Interface described below

Administrative technical access to customer specific FRENDS Logging Databases is strictly restriced to FRENDS employees only

FRENDS User Interface

The FRENDS User Interface is used to access the monitoring and audit trail data logged by the FRENDS Agents during integration flow executions

Each customer agent has their own isolated and dedicated FRENDS User Inteface to ensure that access to each customer specific FRENDS User Interface is restriced to only the users configured by the customer using FRENDS User Management

The FRENDS User Interface is hosted using two data centers within the EU: Azure North Europe (Ireland) and Azure West Europe (Netherlands)

Access to the User Interface including Authentication and fine-grained authorization is implemented using OAuth 2.0 and OpenID protocols using Windows Identity Foundation

It is up to the customer using FRENDS to secure and limit access to sensitive data using FRENDS User Management

5

Thank you for subscribing to our newsletter :)