The safety and security of your data is our top priority. In addition to our own rigorous safeguards, Zadara adheres to all applicable published standards, including the ones listed here.
Zadara is committed to GDPR compliance across our storage services. Zadara is also committed to helping our customers to be compliant when enforcement begins May 25, 2018.
The General Data Protection Regulation (GDPR) is a new European privacy law, due to become enforceable on May 25, 2018, that protects European Union (EU) citizens’ right to privacy. It introduces robust requirements that will raise standards for data protection, security, and compliance. The GDPR will replace the existing EU Data Protection Directive, and is intended to harmonize data protection laws throughout the EU.
Personally Identifiable Information (PII) is any data that can be used to identify a specific individual. Phone number, email address, passport/ID number, and even digital images are all included. GDPR grant people greater control over their PII, while imposing strict obligations on organizations that collect, handle, or analyze personal data. It also imposes heavy fines for non-compliance and data breaches.
Zadara customers, that use the Zadara storage service to store personal data, typically act as the data controller for any PII they keep. The data controller determines the purposes and means of the personal data. Zadara keeps and protects the data on behalf of its customers. In GDPR terminology, when the data controller is using the Zadara storage services Zadara is a data processor that processes personal data on behalf of the data controller.
Data controllers are responsible to implement the needed technical and organizational measures to ensure that personal data is kept and processed in compliance with the GDPR requirements.
The data controller needs to make sure the data subjects are well-informed about the use of their data and trust that it will be processed securely and only for purposes of which they are aware. The data controller is also responsible to notify the data subject in any incident of a security breach.
For the specific controls, Zadara customers should seek legal advice relating to GDPR obligations, as these must be tailored to any specific situation.
A GDPR data processor is a person or organization who deals with personal data as instructed by a controller for specific purposes and services offered to the controller. Zadara is a data processor for the storage services provided to its customers.
Since the processing services Zadara provides are storage services, Zadara’s main responsibility is to be the guardian of any data stored on its systems.
Zadara manages the application-to-storage mapping, and ensures that any application can access storage it uses as defined by the customer. Zadara ensures that strict rules are in place for data access and keeps track of security access.
To avoid data theft, Zadara supports data encryption at-rest and in-flight using user-managed keys. Zadara never uses the customer data, not even for development or test purposes.
Zadara will notify customers without undue delay if we are aware of a breach of our security standards of the storage services, to help the data controller to report data breaches without undue delay.
GDPR compliance is a shared responsibility. Zadara storage services offers a wide set of controls to help customers keep GDPR compliance. For Zadara that already has a high standard of data protection practices on its cloud storage, GDPR is a chance to enhance the practices, and to tighten things up further.
Zadara conducts ongoing security testing of its clouds and storage services. Zadara maintains security certifications such as ISO 27001, SOC 2 Type 2, and HIPAA. These certifications and audit reports can be used for customers risk assessments and help them determine that the proper security measures are in place.
Zadara trains all employees on data privacy, to have them aware of PII sensitivity, and the company commitment to be GDPR compliant.
Since Zadara does not have visibility into customers’ data and can’t identify PII, it treats everything stored on its systems as high risk and most sensitive. The controls taken to protect the data include:
Download a signed copy of our Data Processing Addendum (DPA).
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance.
Zadara is considered a HIPAA Business Associate as of the above definition. There is no HIPAA certification for a service provider such as Zadara. Zadara is a HIPAA compliant hosting provider, as it has the needed administrative, physical, technical and privacy safeguards in place, according to the U.S. Department of Health and Human Services:
The full report is available upon request. Request full HIPAA report.
ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management. It is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.
As a formal specification ISO 27001 mandates specific requirements. Organizations that claim to have adopted ISO 27001 can therefore be formally audited and certified compliant with the standard.
ISO 27001 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”
ISO 27001 is the de-facto international standard for Information Security Management. ISO 27001 contains 12 main sections:
Zadara services are certified to be compliant with the ISO27001 standard. To be accredited the certification, Zadara had to prove that our storage services meet the specified security standards to an external auditor. ISO 27001 certification demonstrates Zadara’s clear commitment to Information Security Management and ensures that there are adequate processes in place to lessen the risk of data breach.
Service Organization Controls (SOC) are a set of standards designed to measure the ability of a given service organization to control its information in its service environments (e.g., the clouds it manages). SOC 2 compliance concerns internal controls of an advanced IT service organization. A company achieves SOC 2 compliance by having sufficient policies and strategies in place to protect client data.
While many businesses understand the benefits of moving basic functions such as data storage to the cloud, some companies are still hesitant because of security concerns. SOC 2 compliance provides businesses with the confidence and peace of mind that their data is secured and highly available.
Our customers and regulators expect independent verification of security and availability controls. Service Organization Control (SOC) Reports are independent third-party examination reports that demonstrate how Zadara Storage achieves standard compliance. Zadara Storage undergoes independent third party audits on a regular basis to provide this assurance. This means that an independent auditor has examined the controls present in our services, products and operations.
The auditor documents the controls Zadara Storage has put in place in a SOC 2 report. The report evaluates the effectiveness of a service provider system based on the AICPA Trust Service Principles and Criteria. For more details on the SOC 2 trust services criteria, visit: AICPA.
The full report is available upon request. Request full SOC 2 Report.