IT & Data Security Policy

Last updated 01/07/2024

Foreword

Pursuant to the provisions of Art. 32 of EU Reg. 2016/679 (hereinafter, also GDPR), Hubenture S.r.l. has the obligation, whether it processes personal data as Data Controller or as Data Processor, to take "appropriate technical and organizational measures to ensure a level of security appropriate to the risk."

The purpose of this document is to indicate the technical and organizational, structural and technological measures that are implemented by Hubenture S.r.l. on the Utopia SaaS, dedicated to the management of personal data protection compliance, as per EU Reg. 2016/679 and Legislative Decree No. 196/2003 as amended, in order to ensure an adequate level of security and protection of personal data stored and processed through the application.

SAAS UTOPIA

UTOPIA is the cloud-based solution for adapting the privacy management system of organizations to the new European Data Protection Regulation 2016/679.  

The SaaS is aimed at consultants and at private and public companies of all sizes, as it provides a set of easy-to-use tools to comply with all the obligations introduced by the GDPR and, in a nutshell, allows you to:

  • Build the record of processing activities
  • Generate privacy policies
  • Perform Data Protection Impact Assessments (DPIA)
  • Track any type of data breach
  • Track requests by data subjects to exercise a right

The application is available for PCs and tablets.

Technical measures

Data Management

Hubenture S.r.l. uses datacenters located exclusively in the EU.

All services connected to Utopia run in the cloud; Hubenture S.r.l. does not operate its own routers, load balancing systems, DNS servers, or physical servers.

Amazon Web Services

The Amazon Web Services data center (hereafter, AWS), Hubenture S.r.l.'s provider and data processor, belonging to the "EU-west-1 Region", is located in Ireland.

To better understand the meaning of the term "Region," as interpreted by AWS, please refer to the following link:

For ease of reading, an excerpt is given below.

Through the console of the AWS EC2 service, to which the virtual servers purchased by Hubenture S.r.l. and used to provide the services related to Utopia belong, it is possible to verify in which Region the environment is running.

AWS contractually guarantees that data is not transferred out of the storage Region selected through the administration console in use by Hubenture S.r.l.

Atlas - MongoDb

The Atlas data center, Hubenture S.r.l.'s provider and processor for MongoDB databases, is located in Ireland (Region eu-west-1).

Specifications on the safety and security of the systems provided by Atlas can be found at:

Heroku

Specifications on the safety and security of the systems provided by Heroku, as the Cloud Application Platform for the development and maintenance of Utopia, can be found at:

  • https://www.heroku.com/policy/security

Stripe

Specifications on the safety and security of systems provided by Stripe, as the provider of payment processing systems for SaaS purchases through the utopiathesoftware.com website, can be found at:

Data storage

Personal data and information entered into Utopia is transcribed within a MongoDB Database, hosted in an AWS infrastructure in the EU.

Up-Time Guaranteed

The up-time guaranteed by the application, through the measures adopted by the strategic service providers involved in delivering the software, is 99.98 percent. This percentage excludes the time required for scheduled service interruptions aimed at releasing new features, correcting malfunctions and optimizing the system.

Auditing & Penetration Testing

  1. Hubenture S.r.l., as the developer of Utopia:
    • mandates a third party, at least annually, to perform a specific Vulnerability Assessment & Penetration Test (VA/PT). Upon request of the licensee, Hubenture S.r.l. can provide an excerpt of the last report with the results of the VA/PT performed on Utopia;
    • also, as Data Processor, accepts, as provided for in Article 28(3)(h) and (3) GDPR, the performance by Utopia's licensees of inspections and audits, reserving the right to verify on a case-by-case basis their practicability and/or reasonableness.
  2. Amazon Web Services governs how penetration testing may be carried out: http://aws.amazon.com/security/penetration-testing/

In addition, the security service provided by AWS notifies Hubenture S.r.l. of any unauthorized intrusion attempt through an alert system.

Policy for extracting data from the application

Based on the logic by which Utopia was developed, specific features were created within the software to extract, at any time, information and documents contained in the application.  

The extraction of data and information from the application is a logged operation.

Access log of user activity

Every action performed by the User within Utopia is recorded through a logging system.

The actions that are recorded are:

  • User Login / Logout
  • New item insertion
  • Edit existing item
  • Deleting existing item

Deletion of data and information

Individual data or information

The deletion of specific information or data by the User through the functionalities provided by the application is not a definitive deletion, because it is reversible through technical intervention by Hubenture S.r.l.; this intervention is subject to certain conditions.

Database

Deletion of the entire database, structured and unstructured, can be performed independently by the licensee through the "Destroy Domain" function within SaaS.  

Hubenture S.r.l. provides additional internal procedures for possible extraction or deletion of data and information from the application.

Data return and information

Regarding data in structured format, the licensee has the option at any time to use the download function provided in SaaS.  

Upon termination of the contractual relationship with Hubenture S.r.l., for whatever cause intervened, the structured data are stored within a MongoDB database in the native format provided by that application for a period of 90 (ninety) days.

The data, although managed by Hubenture S.r.l., are and remain the exclusive property and ownership of the licensee who may request their return in a commonly used format.

Access Policy

Web portal access

The policy for accessing Utopia and the data contained therein is stringent:

  • Unique credentials and complex passwords;
  • Temporary user account lockout following 3 login attempts;
  • Password expiration after inactivity of 6 months.
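The two quantitative rules above (temporary lockout after 3 failed attempts, expiry after 6 months of inactivity) are the ones a reviewer usually asks to see enforced in code. The following is an added example written for this document, not Utopia's own implementation; the 15-minute lockout window, the 180-day reading of "6 months", the PBKDF2 parameters and the in-memory Account record are assumptions. The expiry check deliberately runs only after the password has been verified, so that an unauthenticated caller cannot use the login endpoint to discover which accounts are dormant.

```python
"""Web-portal login gate applying the lockout and inactivity-expiry rules.

Added example, not Utopia's own code. Assumptions: 15-minute lockout,
"6 months" read as 180 days, PBKDF2-HMAC-SHA256 with 200k iterations,
in-memory Account record.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 3                    # stated in the policy
LOCKOUT_DURATION = timedelta(minutes=15)   # assumed lockout window
INACTIVITY_EXPIRY = timedelta(days=180)    # assumed reading of "6 months"


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    last_login: datetime          # last successful authentication
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count is an assumption made for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def create_account(username: str, password: str, now: datetime) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash_password(password, salt), last_login=now)


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'locked', 'bad_password' or 'password_expired'."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"           # lockout in force: password is not even checked
        acct.locked_until = None      # lockout elapsed: start counting afresh
        acct.failed_attempts = 0

    candidate = _hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "bad_password"

    # Correct password: expiry is evaluated only after verification so that
    # an unauthenticated caller cannot learn whether an account is dormant.
    if now - acct.last_login > INACTIVITY_EXPIRY:
        return "password_expired"     # caller must run the password-reset flow

    acct.failed_attempts = 0
    acct.last_login = now
    return "ok"


def run_scenario() -> tuple:
    """Constructed sequence exercising lockout, lockout expiry and password expiry."""
    t0 = datetime(2024, 7, 1, 9, 0)
    acct = create_account("alice", "correct horse battery", t0)
    day2 = t0 + timedelta(days=2)
    return (
        authenticate(acct, "correct horse battery", t0 + timedelta(days=1)),        # ok
        authenticate(acct, "wrong", day2),                                          # bad_password
        authenticate(acct, "wrong", day2),                                          # bad_password
        authenticate(acct, "wrong", day2),                                          # locked (3rd failure)
        authenticate(acct, "correct horse battery", day2 + timedelta(minutes=5)),   # locked
        authenticate(acct, "correct horse battery", day2 + timedelta(minutes=16)),  # ok
        authenticate(acct, "correct horse battery", day2 + timedelta(days=200)),    # password_expired
    )


if __name__ == "__main__":
    print(run_scenario())
```

Note that a correct password presented during the lockout window is still refused: the counter protects the account, not the attempt, so a valid credential arriving from a guessing tool during that window gains nothing.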

Access by Dilaxia to the environment where the data are stored

The policy for access to Utopia by Hubenture S.r.l. technical staff is equally stringent:

  • The servers running the application are accessed only from Hubenture S.r.l.'s public IP associated with the Company's local connectivity;
  • To access the database, one must authenticate through personal login credentials;
  • Listing of System & Database Admins for personnel with that function, with periodic review of permissions and authorizations.

Access by Hubenture S.r.l. technical staff is through a two-factor authentication system.

System administrators

Administrative users (System & Database Administrators) are managed by Hubenture S.r.l. in deference to the requirements imposed by the November 27, 2008 Provision of the Garante per la Protezione dei Dati Personali e s.m.i., with particular reference to the identification, qualification and written designation of individual System & Database Administrators and the unambiguous and secure assignment of complex authentication credentials.

Hubenture S.r.l. is available to provide an updated list of its Utopia System and Database Administrators.

Hubenture's access log

The activity of Hubenture S.r.l.'s System and Database Administrators is tracked through an Access Log system, with the following characteristics:

  1. Completeness
  2. Inalterability
  3. Integrity with possible ex post verification
  4. Time references (timestamp) and a summary description of the event (login and logout, successful or failed).
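Characteristics 2 and 3 (inalterability, integrity with ex post verification) are what distinguishes an access log from an ordinary application log. The following added example, written for this document and not Hubenture's own logging system, shows one common way to obtain them: each entry carries the timestamp, the administrator, the event (login/logout) and its outcome (success/failed) from characteristic 4, and is chained to the previous entry with a SHA-256 hash, so that a later edit or deletion is detected when the chain is recomputed. The sample entries in demo() are constructed.

```python
"""Tamper-evident access log for System & Database Administrator activity.

Added example, not Hubenture's own logging system. Each entry is chained
to its predecessor by a SHA-256 hash; verify() recomputes the chain from
GENESIS and, given the out-of-band head hash, also detects trailing
deletions. Sample entries in demo() are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64   # previous-hash value of the first entry


def _entry_hash(prev: str, ts: str, admin: str, event: str, outcome: str) -> str:
    # Canonical JSON so the same fields always hash to the same digest.
    payload = json.dumps([prev, ts, admin, event, outcome], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AccessLog:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, admin: str, event: str, outcome: str,
               timestamp: Optional[datetime] = None) -> str:
        ts = (timestamp or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = _entry_hash(prev, ts, admin, event, outcome)
        self.entries.append({"seq": len(self.entries), "ts": ts, "admin": admin,
                             "event": event, "outcome": outcome,
                             "prev": prev, "hash": digest})
        return digest

    def head(self) -> str:
        """Hash of the latest entry; keep a copy out of band (e.g. with the auditor)."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Recompute the chain from GENESIS. Returns (True, -1) if intact, otherwise
    (False, index of the first entry that fails). With expected_head the removal
    of trailing entries is detected too; the chain alone cannot see that."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        if _entry_hash(prev, e["ts"], e["admin"], e["event"], e["outcome"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, -1


def demo() -> tuple:
    """Constructed admin session: one failed login, one success, one logout."""
    log = AccessLog()
    t = datetime(2024, 7, 1, 8, 0, tzinfo=timezone.utc)
    log.append("dbadmin01", "login", "failed", t)
    log.append("dbadmin01", "login", "success", t.replace(minute=1))
    log.append("dbadmin01", "logout", "success", t.replace(hour=9))
    head = log.head()

    intact = verify(log.entries, head)

    edited = [dict(e) for e in log.entries]
    edited[0]["outcome"] = "success"          # attempt to hide the failed login
    after_edit = verify(edited, head)

    gap = log.entries[:1] + log.entries[2:]   # middle entry removed
    after_delete = verify(gap, head)

    trimmed = log.entries[:-1]                # last entry removed: chain is still consistent
    after_trim = verify(trimmed, head)        # ...but the stored head no longer matches
    return intact, after_edit, after_delete, after_trim


if __name__ == "__main__":
    print(demo())
```

The chain gives inalterability only relative to the head hash that is stored elsewhere: an administrator who can rewrite the whole file can rebuild the chain, which is why the head must be anchored outside the system the administrators control (periodic export to the auditor, or a write-once store) for the ex post verification in characteristic 3 to mean anything.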

Backup & Disaster Recovery Policy

Utopia's Backup Plan includes:

Continuous Backup

  • Retention time: 4 weeks
  • RPO (Recovery Point Objective): 1 minute
  • Primary Region: EU-West-1
  • Secondary Region: this backup is not replicated to a secondary region

This type of backup is done continuously, and data are kept for 4 weeks. The goal is to have a very recent copy of the data, with an RPO of only 60 seconds. The unique region for this backup is EU-West-1.

Daily Backup

  • Retention time: 4 weeks
  • RPO (Recovery Point Objective): 24 hours
  • Primary Region: EU-West-1
  • Secondary Region: EU-Central-1

This type of backup is done every day, and data are kept for four weeks. The goal is to have a daily copy of the data, with an RPO of 24 hours. Data copies are in both the primary region (EU-West-1) and a secondary region (EU-Central-1) to ensure disaster recovery.

Monthly Backup

  • Retention time: 12 months
  • RPO (Recovery Point Objective): 1 month
  • Primary Region: EU-West-1
  • Secondary Region: EU-Central-1

This type of backup is done monthly and the data are kept for 12 months. The goal is to have a monthly copy of the data, with an RPO of 1 month. Data copies are in both the primary region (EU-West-1) and a secondary region (EU-Central-1) to ensure disaster recovery.

Organizational measures

Hubenture's role

HUBENTURE S.R.L., as the entity that engineered Utopia and carries out the development and maintenance activities on the application, acts as Data Processor, as provided by Article 28 of EU Reg. 2016/679, on behalf of the SaaS licensee.

The licensee of Utopia can be qualified as an independent Data Controller, pursuant to art. 4 par. 1 no. 7 of EU Reg. 2016/679, of the personal data processed to manage the obligations arising from the relevant applicable legislation, or can be framed as a (first or subsequent) Data Processor acting on behalf of separate and independent Data Controllers (we refer, for example, to the case of a consultant who uses Utopia for its client organizations). In the latter case, Hubenture S.r.l. holds the role of further (Sub-)processor of the personal data processed by the licensee on behalf of the Data Controller, pursuant to and for the purposes of Art. 28(4) EU Reg. 2016/679.

Hubenture S.r.l., although it has no ownership of the data processed through the SaaS, as Data Processor or Sub-processor ex art. 28 EU Reg. 2016/679, is able to ensure that the application is technically adequate to comply with the security and protection requirements established by the applicable EU and national legislation on the protection of personal data, and that adequate physical and logical protection technologies for the data contained therein are implemented on the application.

Compliance of SaaS Utopia

Utopia complies with the data protection regulations set forth in EU Regulation 2016/679 and Legislative Decree No. 196/2003, as amended, as well as - specifically - the principles of privacy by design and by default with respect to:

  1. Adequacy, relevance, and minimization of requested information;
  2. Profiled user management and access control;
  3. Data storage and backup;
  4. Adequacy of security measures, technical and organizational, ex art. 32 EU Reg. 2016/679.

Public Register of Software at SIAE

Utopia is registered with the Special Public Register for Computer Programs established with the Italian Society of Authors and Publishers (SIAE).

ISO 9001:2015 and ISO 27001:2022

Hubenture S.r.l., as of the date of this document, is ISO 9001:2015 and ISO 27001:2022 certified in the following areas:

  1. Design and development of software solutions.
  2. Product delivery in software.
  3. Provision of software products and service delivery in Cloud mode.

ISO 27017 and ISO 27018 Extensions  

Hubenture S.r.l., as of the date of this document, is ISO 27017 and ISO 27018 certified in the following scope:

  • Provision of software products and service delivery in Cloud mode. (IAF33)

Agency for National Cybersecurity (ACN)

Hubenture S.r.l., as of the date of this document, is in the process of renewing its ACN certification.

Hubenture's Privacy Organizational Model

In addition to the organizational measures for the protection of the personal data processed, such as, but not limited to, drafting the Record of Processing Activities, signing Data Processing Agreements with processors and defining authorization profiles for technical personnel, as established by the applicable legislation on the subject, Hubenture S.r.l. has adopted the following additional measures:

Compliance Team  

Hubenture S.r.l. benefits from specialized legal and IT professionals who form the Legal, Privacy & Compliance Team of Dilaxia S.p.A.

The Team can be contacted by writing to [email protected]

Data Protection Officer

Hubenture S.r.l., in order to oversee the observance of compliance with the principles on the protection of personal data in its processes of operation of personal data in the Company, has considered it strategic to have a Data Protection Officer, with the competencies set forth in Art. 37 et seq. EU Reg. 2016/679.

Dilaxia Group's DPO can be contacted at [email protected]

Rights of data subjects

Hubenture S.r.l. is able to handle and respond, within the terms provided by the applicable data protection regulations, to requests that may come from data subjects whose personal data are processed.

A dedicated communication channel has been implemented: [email protected]

Hubenture's processors

Hubenture S.r.l. uses the services of:

  1. Amazon (Amazon Web Services).
  2. Atlas (Mongo DataBase).
  3. Heroku (Cloud Application Platform).
  4. External suppliers, for the development of certain features limited to particular sections of the application (if any).

Each service provider has been qualified as a Data Processor/Sub-processor, pursuant to and in accordance with Article 28 of EU Reg. 2016/679, by signing specific agreements (Data Processing Agreements).

Breach Management

Responsibility for personal data processed  

The accountability model for AWS service-based solutions is as follows:

[Figure: AWS shared responsibility model for data privacy; source: http://aws.amazon.com/compliance/data-privacy-faq/]

In a nutshell:

  • The Utopia licensee is responsible for the first layer, "Customer Data": it is the user of the tool who must ensure the genuineness of the personal and/or special-category data entered and then stored in Utopia;
  • Hubenture S.r.l. is responsible for the blue layers below: Platform, Applications (Logic and Storage), Operating System, Encryption, Network Traffic Protection;
  • AWS, as Sub-processor, is responsible for the orange layers: compute, storage, database, networking, global infrastructure.

What are AWS's security incident reporting procedures?

AWS informs through the Service Health Dashboard of any temporary service interruptions or data loss (https://status.aws.amazon.com/#EU_block).

Hubenture S.r.l. has also subscribed to the relevant RSS feed that informs it of any service disruptions or loss of data on the target area, in an active manner.

What are Hubenture's data breach reporting procedures?

Hubenture S.r.l., in its role as Data Processor or Sub-processor of personal data, has an obligation to inform the Data Controller or Data Processor without undue delay after becoming aware of a personal data breach.

Hubenture S.r.l., in order to ensure timely management of any security breach event on processed personal data, has implemented specific internal policies and operating procedures.  

The following is a brief summary of the Data Breach Management procedure currently adopted by Hubenture S.r.l.:

Preliminary operations

Hubenture S.r.l. has identified the Privacy Team of Dilaxia S.p.A. as the person in charge of handling Data Breaches - [email protected]

Data Breach or Personal Data Breach is defined as a "security breach that results-accidentally or unlawfully-in the destruction, loss, modification, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed."  

A personal data breach can compromise the confidentiality, integrity, or availability of personal data.

Hubenture S.r.l. has instructed employees that, whenever there is a suspicion that a data breach has occurred, they must promptly file a report with the Work Team dedicated to handling the event.  

The following are examples, but not exhaustive, of the main cases of Data Breach:

  1. Access to or acquisition of data by unauthorized third parties;
  2. The theft or loss of computer devices containing personal data;
  3. The deliberate alteration of personal data;
  4. The inability to access the data due to accidental causes or external attacks, viruses, malware, etc.;
  5. The loss or destruction of personal data due to accident, adverse event, fire, or other calamity;
  6. Unauthorized disclosure of personal data;
  7. Suspicion of unauthorized access to one's PC;
  8. Abnormal behavior of one's PC or computing device.

Procedural operations

Upon receiving the report, the Team preliminarily assesses whether the report may have the contours and characteristics of a personal data breach processed by Hubenture S.r.l.

If the preliminary investigation yields a negative result, the Team can close the procedure.

If the event has the characteristics of a Data Breach, the Team proceeds as follows:

  1. Involve the Function Manager and initiate an analysis aimed at gathering information on the incident, using for this purpose the "Data Breach Event Sheet," which contains all the information necessary for the analysis;
  2. Involve the Data Protection Officer;
  3. Having analyzed the event, produce a report on the consequences of the Breach, highlighting within the document the corrective and/or improvement actions that will be taken;
  4. Record the event in the Breach Log, ex art. 33 GDPR.

Conclusions

Hubenture S.r.l., a company of the Dilaxia Group, through the implementation of its extensive technical and organizational measures, wants to guarantee its software licensees a high standard of information security and protection of personal data processed through its digital applications.

This document expresses the level of compliance and competitiveness of Hubenture S.r.l. and its SaaS products in compliance with the principles of accountability, privacy by design and by default set forth in European Regulation 2016/679 and Legislative Decree No. 196/2003, as amended.
