How is personal data processed, accessed, stored, and managed?

<< Click to Display Table of Contents >>

Navigation:  Bizagi Studio Collaboration Services > Security and compliance > Regulatory compliance > GDPR Compliance > GDPR compliance in the Work Portal > Aspects to consider for GDPR compliance >

How is personal data processed, accessed, stored, and managed?

note_pin

Consider the following GDPR tips, regarding individuals being entitled to know how is personal data: processed, accessed, stored, protected and managed in general:

GDPR Articles 5 ("Principles relating to processing of personal data") and 32 ("Security of processing") emphasize about having security measures in place to comply to data privacy and data security; as well as providing individuals the opportunity to learn which measures are in place.

 

Note that individuals may ask for clarifications about the treatment given to personal data, such as its category, who is it disclosed to, the period for which it is expected to be stored; or also be informed about appropriate safeguards regarding overall protection, and management of personal data (e.g., such as those applying in the event of personal data transferring).

 

Conclusion

Consider the information in the following table, which describes applicable concepts for Bizagi processes in either of the two setups: on-premises, or in the cloud (i.e., Automation Service).

 


On-Premises

Automation Service

Processing

Processing of data is implicit in your process design and done by Automation Server (as introduced at http://help.bizagi.com/bpm-suite/en/index.html?process_execution.htm); and also restricted by you, while following your organization's security standards, policies and procedures.

Processing of data applies the same as in on-premises.

 

 

Access

Logical access through Bizagi processes is implicit in your process design; and also restricted through different configuration options:

Authentication in place to work on processes or view their information: http://help.bizagi.com/bpm-suite/en/index.html?authentication.htm.

End users

ACLs for menu options and processes: http://help.bizagi.com/bpm-suite/en/users_authorization.htm.

Case security to allow visibility of process instances only to involved participants: http://help.bizagi.com/bpm-suite/en/index.html?case_security.htm.

 

Physical access is restricted while following your organization's security standards, policies and procedures.

Logical access applies the same as in on-premises.

 

Physical access relies on having data centers physically constructed, managed, and monitored 24/7 to shelter data and services from unauthorized access and environmental threats.

Azure physical security policies are in place for site entry control and multi-factor authentication is used to control access to server areas and to monitor internal site activity.

The physical security in data centers is maintained and secured through the use of guards, locks, cameras, biometric devices, card readers, and alarms. These data centers also are subjected to PCI scans to make sure security.

Environmental sensing technologies protect data, by using sensing technologies that include humidity and moisture control, fire and smoke detectors, fire alarms and extinguishing agents.

Storage

A file server or ECM system for attachments.

A database engine, either SQL Server or Oracle.

 

Further information starting at the http://help.bizagi.com/bpm-suite/en/index.html?technical_requirements.htm topic, according to either a .NET or JEE platform and while following your organization's security standards, policies and procedures.

Different assets and services are in place to manage the different type of information managed by processes: A SQL Azure database along with others (such as table storage or blob storage services).

 
Further information at http://help.bizagi.com/automation-service/en/index.html?cloud_architecture.htm.

Protection

These measures apply to hardening data protection:

Database attributes encryption: http://help.bizagi.com/bpm-suite/en/index.html?encryption.htm

You may manually enable and configure the use of encrypted connections to the database engine, as supported by that engine (e.g., https://docs.microsoft.com/en-us/previous-versions/sql/sql-server-2012/ms191192(v=sql.110)).

You may manually enable and configure the use of TDE for database physical files, as supported by the database engine (e.g., https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-2017).

Encryption for data at rest is automatically set (at the page level) by using TDE. The pages are kept in an encrypted database using this technology and are encrypted before they are written to disk and decrypted when read into memory.

This measure prevents reading of data from the physical media by potential attackers (i.e, stealing files), while supporting the use of highly secure algorithms such as AES and the use of a 256-bit symmetric key.

 

Encryption of data in transit is assured by using TLS certificates that protect the channel. This applies both to: the communication between Automation Service components and the database, and to the communication of end users when accessing Automation Service (in which case, HTTPS is used). This measure prevents tampering of packages, spoofing, and man-in-the-middle attacks at the transport layer.

 

Further information at http://help.bizagi.com/automation-service/en/index.html?cloud_encryption.htm.

Management

Management of personal data is enforced by you, while following your organization's security standards, policies and procedures.

Management is enforced by an appointed team of experts in Bizagi  taking care of all underlying infrastructure, components and services; and in charge of all IT-related tasks (provisioning, maintenance, tuning, technical support and 24/7 monitoring).

Personnel of this team of experts, course periodical training, undergo strict security controls, segregation of duties and signs NDAs.

Bizagi, as a service provider, along with its IaaS business associates (Microsoft Azure), adheres to protecting the information in terms of implementing physical, technological and administrative safeguards, all based on the ISO 27001 standard.