IT & Data Security Policy
Pursuant to Article 32 of EU Reg. 2016/679 (hereinafter also GDPR), Dilaxia, whether it processes personal data as Data Controller or as Data Processor, is obliged to take "appropriate technical and organizational measures to ensure a level of security appropriate to the risk."
The purpose of this document is to indicate the technical and organizational, structural and technological measures that are implemented by Dilaxia S.p.A. on the SaaS Utopia, dedicated to the management of personal data protection compliance, as per EU Reg. 2016/679 and Legislative Decree No. 196/2003 as amended, in order to ensure an adequate level of security and protection of personal data stored and processed through the application.
UTOPIA is the cloud-based solution for adapting the privacy management system of organizations to the new European Data Protection Regulation 2016/679.
The SaaS is also aimed at consultants and at private and public companies of all sizes, as it provides a set of easy-to-use tools to fulfill the obligations introduced by the GDPR; in a nutshell, it allows them to:
- Build the record of processing activities
- Generate privacy policies
- Perform Data Protection Impact Assessments (DPIA)
- Track any type of data breach
- Track data subjects' requests to exercise a right
The application is available for PCs and tablets.
Dilaxia uses datacenters located exclusively in the EU. All services connected to Utopia run in the cloud.
Amazon Web Services
The Amazon Web Services (hereafter AWS) Data Center, Dilaxia's provider and Data Processor, belongs to the "EU-west-1 Region" and is located in Ireland.
To better understand the meaning of the term "Region," as interpreted by AWS, please refer to the following link:
For ease of reading, an excerpt is given below.
Through the AWS EC2 service console, to which the virtual servers purchased by Dilaxia and used to provide Utopia-related services belong, it is possible to define the Region in which the environment is run.
AWS contractually guarantees that data is not transferred from the Storage Region of choice through the administration console in use by Dilaxia.
Atlas - MongoDb
The Atlas Data Center, Dilaxia's supplier and manager of the MongoDB databases, is located in Ireland (Region eu-west-1).
Specifications on the safety and security of the systems provided by Atlas can be found at:
Specifications on the safety and security of the systems provided by Heroku, as the Cloud Application Platform for the development and maintenance of Utopia, can be found at:
Specifications on the safety and security of systems provided by Stripe, as the provider of payment processing systems for SaaS purchases through the utopiathesoftware.com website, can be found at:
Personal data and information entered into Utopia is transcribed within a MongoDB Database, hosted in an AWS infrastructure in the EU.
The uptime guaranteed by the application, through the measures prepared by its strategic service providers for the delivery of the software, is 99.98 percent. Excluded from this percentage is the time required for scheduled service interruptions aimed at releasing new features, correcting malfunctions and optimizing the system.
Auditing & Penetration Testing
Dilaxia, as the developer of Utopia:
- at least annually, mandates a third party to perform a specific Vulnerability Assessment & Penetration Test activity. Upon the licensee's request, Dilaxia can provide an excerpt of the latest report with the results of the VA/PT performed on Utopia.
- also as Data Processor, agrees, as provided for in Art. 28(3)(h) GDPR, that Utopia's licensees may carry out inspections and audits, reserving the right to verify the practicability and/or reasonableness of the same on a case-by-case basis.
Amazon Web Services governs how penetration testing may be carried out: http://aws.amazon.com/security/penetration-testing/. In addition, the security service provided by AWS notifies Dilaxia of any unauthorized intrusion attempts through an alert system.
Policy for extracting data from the application
Based on the logic by which Utopia was developed, specific features were created within the software to extract, at any time, information and documents contained in the application.
The extraction of data and information from the application is a logged operation.
User activity access log
Every action performed by the User within Utopia is recorded through a logging system.
The actions that are recorded are:
- User Login / Logout
- Data entry
- Edit data
- Data Deletion
Deletion of data and information
Individual data or information
The deletion of specific information or data by the User, through the features provided by the application, is not a definitive deletion, because it is reversible through technical intervention by Dilaxia; such intervention is subject to certain conditions.
Deletion of the entire database, structured and unstructured, can be performed independently by the licensee through the "Destroy Domain" function within SaaS.
Dilaxia provides additional internal procedures for possible extraction or deletion of data and information from the application.
Return of data and information
Regarding data in structured format, the licensee has the option at any time to use the download function provided in SaaS.
Upon termination of the contractual relationship with Dilaxia, for whatever cause, the structured data shall be stored within a MongoDB database, in the native format of that application, for a period of 90 (ninety) days.
The data, although maintained by Dilaxia, are and remain the exclusive property and ownership of the licensee who may request their return in a commonly used format.
Web portal access
The policy for accessing Utopia and the data contained therein is stringent:
- Unique credentials and complex passwords;
- Temporary user account lockout following 3 incorrect login attempts;
- Password expiration after inactivity of 6 months.
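The two portal rules above, temporary lockout after 3 incorrect attempts and password expiry after 6 months of inactivity, as an added example of how a login gate can enforce them. This is illustrative code, not Utopia's own implementation; the lockout duration (15 minutes, the policy only says "temporary"), the PBKDF2 password hashing, the 182-day reading of "6 months" and the in-memory account store are assumptions.

```python
"""Added example (not Dilaxia's code): a minimal login gate enforcing
temporary lockout after 3 failed attempts and password expiry after
6 months of inactivity. Lockout length, hashing scheme and the
in-memory store are assumptions for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 3                        # stated in the policy
LOCKOUT_DURATION = timedelta(minutes=15)       # assumed; policy says "temporary"
PASSWORD_MAX_INACTIVITY = timedelta(days=182)  # assumed reading of "6 months"
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    last_login: datetime                 # last successful login
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class LoginGate:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt), now)

    def login(self, username: str, password: str, now: datetime) -> str:
        """Return one of: ok, denied, locked, password_expired."""
        acct = self.accounts.get(username)
        if acct is None:
            # Same answer as a wrong password, so usernames cannot be enumerated
            return "denied"
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"
            acct.locked_until = None     # lockout has elapsed: reset the counter
            acct.failed_attempts = 0
        candidate = hash_password(password, acct.salt)
        if not hmac.compare_digest(candidate, acct.password_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_DURATION
                return "locked"
            return "denied"
        # Correct password: still refuse it if the account has been idle too long,
        # so that a stale credential must be reset before it grants access.
        if now - acct.last_login > PASSWORD_MAX_INACTIVITY:
            return "password_expired"
        acct.failed_attempts = 0
        acct.last_login = now
        return "ok"
```

The expiry check runs only after the password has been verified, so an expired account answers exactly like a valid one to a wrong password and leaks nothing extra; a lockout that has elapsed resets the counter so that a legitimate user is not locked out again by a single later typo.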
Access by Dilaxia to the environment where the data are stored
The policy for access to Utopia by Dilaxia's technical staff is equally stringent:
- The servers running the application are accessed only from Dilaxia's public IP, which is associated with the Company's local connectivity;
- To access the database, one must authenticate through personal login credentials.
- Listing of System & Database Admins for personnel with that function, with periodic review of permissions and authorizations.
Access by Dilaxia technical staff is through a two-factor authentication system.
The administrative users (System & Database Administrators) are managed by Dilaxia in compliance with the requirements imposed by the November 27, 2008 Provision of the Italian Data Protection Authority, as amended, with particular reference to the identification, qualification and written designation of individual System and Database Administrators and to the unambiguous and secure assignment of complex authentication credentials.
Dilaxia is available to provide an up-to-date list of its Utopia System and Database Administrators.
Dilaxia Log Access
The activity of Dilaxia's System and Database Administrators is tracked via an access log system with the following features:
- Integrity, with possible ex post verification
- Time references (timestamp) and a summary description of the event (login and logout, successful or failed).
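The user activity log described earlier (login/logout, data entry, edit, deletion) and the administrator access log above share the same requirements: a timestamp, a summary of the event with its outcome, and integrity that can be verified after the fact. As an added example, not Dilaxia's own logging system, the following hash-chains each entry to its predecessor so that any later edit or deletion of an entry is detectable; the event names, field layout and sample entries are constructed for illustration.

```python
"""Added example (not Dilaxia's code): a hash-chained access log carrying
timestamp, actor, event summary and outcome, with an ex-post integrity
check. Event names and sample entries are constructed."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Constructed event vocabulary covering both logs described in the policy
EVENT_TYPES = {"login", "logout", "data_entry", "data_edit",
               "data_delete", "data_export"}


class HashChainedLog:
    """Each entry stores the SHA-256 of the previous entry, so altering or
    removing any past entry breaks every link that follows it."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    @staticmethod
    def _digest(entry: Dict[str, Any]) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the digest is stable
        body = {k: v for k, v in entry.items() if k != "hash"}
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(raw).hexdigest()

    def append(self, actor: str, event: str, success: bool,
               detail: str = "", ts: Optional[datetime] = None) -> str:
        if event not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {event}")
        ts = ts or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "timestamp": ts.isoformat(),
            "actor": actor,
            "event": event,
            "success": success,
            "detail": detail,
            "prev_hash": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> int:
        """Ex-post check: -1 if the chain is intact, else the index of the
        first entry whose sequence, back-link or digest does not match."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def build_sample_log() -> HashChainedLog:
    """Constructed sample: one administrator session, including a failed login."""
    t = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    log = HashChainedLog()
    log.append("dbadmin01", "login", False, "bad password", t)
    log.append("dbadmin01", "login", True, "", t.replace(minute=1))
    log.append("dbadmin01", "data_export", True, "domain export", t.replace(minute=5))
    log.append("dbadmin01", "logout", True, "", t.replace(minute=9))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() == -1)
    log.entries[2]["detail"] = "nothing happened"   # simulated tampering
    print("first bad entry:", log.verify())
```

The chain only proves that entries have not changed since they were written; to make the check meaningful ex post, the hash of the latest entry should be copied periodically to a store the administrators cannot write to (a separate account or a write-once bucket), so that the log and the anchor can be compared.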
Backup & Disaster Recovery Policy
Utopia's Backup Plan includes:
The role of Dilaxia
Dilaxia, as the developer of Utopia and as a result of the development and maintenance activities carried out on the application, acts as Data Processor, as provided for in Article 28 of EU Reg. 2016/679, on behalf of the SaaS licensee.
The Utopia licensee may qualify as an autonomous Data Controller, pursuant to Art. 4(7) of EU Reg. 2016/679, of the personal data processed to manage the obligations arising from the applicable legislation, or it may act as a (first or further) Data Processor on behalf of different and autonomous Data Controllers (for example, a consultant who uses Utopia for its client organizations). In that case, Dilaxia holds the role of further (Sub-)Processor of the personal data processed by the licensee on behalf of the Controller, within the meaning and effect of Art. 28(4) of EU Reg. 2016/679.
Dilaxia, although it has no ownership of the data processed through the SaaS, as Processor or Sub-Processor pursuant to Art. 28 of EU Reg. 2016/679 is able to ensure that the application is technically adequate to comply with the security and protection requirements established by the applicable EU and national data protection legislation, and that adequate physical and logical protection technologies for the data contained therein are implemented on the application.
Compliance of SaaS Utopia
Utopia complies with the data protection regulations set forth in EU Regulation 2016/679 and Legislative Decree No. 196/2003, as amended, as well as - specifically - the principles of privacy by design and by default with respect to:
- Adequacy, relevance, and minimization of requested information;
- Profiled user management and access control;
- Data storage and backup;
- Adequacy of security measures, technical and organizational, ex art. 32 EU Reg. 2016/679.
National Cybersecurity Agency - ACN
Public Register of Software at SIAE
Utopia is registered with the Special Public Register for Computer Programs established with the Italian Society of Authors and Publishers (SIAE).
Registration Number: D012554 Prog. 013487 dated 20/05/2019.
Dilaxia is certified to ISO 9001:2015 - Quality Management Systems in the following fields of application:
- Design and development of software solutions
- Product delivery in software
- Design, implementation and maintenance of IT infrastructure
- Consulting and training services in information technology to accompany the services provided
Certifying Body: Bureau Veritas Italia S.p.A.
Dilaxia's Privacy Organizational Model
In addition to the organizational measures to protect the personal data processed, such as, but not limited to, drawing up the Register of Processing Activities, signing Data Processing Agreements with processors and assigning authorization profiles to technical personnel, as established by the applicable legislation, Dilaxia has adopted the following additional measures:
Internal Compliance Team
Dilaxia is equipped with specialized legal and IT professionals who form the Legal, Privacy & Compliance Team.
The Team can be contacted by writing to firstname.lastname@example.org
Data Protection Officer
Dilaxia, in order to supervise the observance of compliance with the principles on personal data protection in its processes of operation of personal data in the Company, has considered it strategic to have a Data Protection Officer, with the competencies set forth in Art. 37 et seq. EU Reg. 2016/679.
The DPO can be contacted at email@example.com
Rights of data subjects
Dilaxia is capable of handling and responding, within the terms of the applicable data protection regulations, to requests that may come from data subjects whose personal data are processed.
A dedicated communication channel has been implemented: firstname.lastname@example.org
Dilaxia uses the services of:
- Amazon (Amazon Web Services).
- Atlas (Mongo DataBase).
- Heroku (Cloud Application Platform)
- External suppliers, for the development of certain features limited to particular sections of the application (if any).
Each service provider has been qualified as a Data Processor or Sub-Processor, pursuant to and in accordance with Article 28 of EU Reg. 2016/679, by signing specific agreements (Data Processing Agreements).
Responsibility for personal data processed
The accountability model for AWS service-based solutions is as follows:
In a nutshell:
- The Utopia licensee is responsible for the first layer: "Customer Data," so it is the user of the tool who must ensure the genuineness of the personal and/or particular data entered and then stored in Utopia;
- Dilaxia is responsible for the blue layers below: Platform, Applications (Logic and Storage), Operating System, Encryption, Network Traffic Protection,
- AWS, as Sub-Processor, is responsible for the orange layers: compute, storage, database, networking, global infrastructure.
What are AWS's security incident reporting procedures?
AWS informs of any temporary service interruptions or data loss through the Service Health Dashboard (https://status.aws.amazon.com/#EU_block).
Dilaxia has also subscribed to the relevant RSS feed, which proactively informs it of any service disruptions or loss of data in the Region concerned.
What are Dilaxia's data breach reporting procedures?
Dilaxia, in its role as Data Processor or Sub-Processor of personal data, has an obligation to inform the Data Controller or the Processor, without undue delay, after becoming aware of a personal data breach.
Dilaxia, in order to ensure the timely handling of any possible security breach event on processed personal data, has implemented specific internal policies and operating procedures.
The following is a brief summary of the Data Breach Management procedure currently adopted by Dilaxia:
Dilaxia has identified the Privacy Team as the company's in-house person in charge of managing Data Breaches - email@example.com
A Data Breach, or Personal Data Breach, is defined as a "security breach that results, accidentally or unlawfully, in the destruction, loss, modification, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed."
A personal data breach can compromise the confidentiality, integrity, or availability of personal data.
Dilaxia has instructed employees that whenever there is a suspicion that a data breach has occurred, they should promptly file a report with the dedicated Event Management Work Team.
The following are examples, but not exhaustive, of the main cases of Data Breach:
- Access or acquisition of data by unauthorized third parties;
- The theft or loss of computer devices containing personal data;
- The deliberate alteration of personal data;
- The inability to access the data due to accidental causes or external attacks, viruses, malware, etc.;
- The loss or destruction of personal data due to accident, adverse event, fire, or other calamity;
- Unauthorized disclosure of personal data;
- Suspicion of unauthorized access to one's PC;
- Abnormal behavior of one's PC or computing device.
Upon receiving the report, the Team preliminarily assesses whether the report may have the contours and characteristics of a breach of personal data processed by Dilaxia.
If the preliminary investigation yields a negative result, the Team can close the procedure.
If the event has the characteristics of a Data Breach, the Team proceeds as follows:
- Involve the Function Manager by initiating an analysis aimed at gathering information concerning the incident, for this purpose using the "Data Breach Event Sheet," containing all the information necessary for analysis.
- Involve the data protection officer
- The Team, having analyzed the event, produces a report on the consequences of the Breach highlighting within the document the corrective and/or ameliorative actions that will be taken.
- The Team should note the event within the Violation Log, ex art. 33 GDPR.
Dilaxia S.p.A., through the implementation of its extensive technical and organizational measures, wants to guarantee its software licensees a high standard of information security and protection of personal data processed through its digital applications.
This document expresses the level of compliance and competitiveness of Dilaxia S.p.A. and its SaaS products in compliance with the principles of accountability, privacy by design and by default set forth in European Regulation 2016/679 and Legislative Decree No. 196/2003, as amended.