GDPR related FAQ
As of 25 May 2018, new security measures on personal data processing and its free circulation came into force in Europe.
Below, Exalog, a Cegid Company, Cegid Allmybanks software editor, answers the various questions you may have on this subject.
This is how Exalog, a Cegid Company, processes the data saved by its customers in its software packages.
What is GDPR?
GDPR, or General Data Protection Regulation, is the latest European reference text for protecting individuals’ privacy when processing their personal data (EU regulation No. 2016/679).
The regulation defines the rights of individuals and the obligations that organisations must comply with when handling their data (processing is referred to in its widest sense: either manual or automatic and of any type, including storage).
“Personal data” is considered to be any information about an individual which allows them to be identified. It can be their name, phone number, a photo, email address, and so on.
Who looks after GDPR compliance and personal data security at Exalog?
Two people are responsible for these tasks at Exalog:
- Chief Information Officer (CIO)
- The Data Protection Officer (DPO), appointed to ensure that processing at the company is compliant and secure.
If you would like to contact either of these people, please use the form available here.
What protective measures does Exalog implement?
Exalog implements technical and organisational measures to ensure the security of any data saved by its customers using its software. These include:
- Hosting it in high-security data centres certified by ISO 27001 and 22301
- Protecting our systems against hacking and monitoring security updates
- Secure access procedures to our software packages (two-step authentication)
- Encryption of the following information in databases :
- Account numbers (IBAN) of subscribing customers and their third parties
- Email addresses of users and third parties
- Telephone and fax numbers of users and third parties
- Users’ names
- Bank card numbers
- Regular backups archived in encrypted form
Where are the data and software used by Exalog's customers stored?
Exalog’s software (servers and databases) are hosted in two high-security data centres located close to Paris, France, belonging to a recognised hosting company.
Both of these data centres are ISO 27001 (information systems security), ISAE 3402 (appraisal of third party organisations’ services) and ISO 22301 (business continuity management) certified.
The computer bays where the servers holding our software are installed (processing servers, database servers and banking communications servers) are private and for Exalog alone. Only the Exalog Operations team looks after their management and maintenance. Exalog has exclusive ownership of the servers and network equipment.
How does the software hold data saved by Exalog's customers?
The “personal data” (users’ names, all phone numbers and email addresses, accounts and cards numbers) saved in the databases of our software packages is encrypted.
Online data are kept for the duration stated in the contract signed by the customer.
In the event the contract is terminated, Exalog shall delete the customer’s data from the database of the shared online software within three months of the date when the contract ends.
Nevertheless, Exalog keeps archives of the shared database backups (data from all its customers), made before this deletion, for up to five years. These archives are encrypted and stored on servers under the same security conditions as those used for hosting the software.
The customer can ask for archives to be recovered; price on application.
How is the integrity of data held by the Exalog software guaranteed?
Data is kept as follows:
- A database backup is made every hour
- Backup files are kept on secure backup servers, under the same hosting conditions as those of the production site; these files are compressed and encrypted
- Data storage period:
- Hourly backups are kept for one week before being deleted
- One backup per week is stored for no more than 1,825 days (5 years); every weekly backup is deleted after this time
Who can access customer data and how is it shared?
The Customer Service teams have access to customers’ details (surname, name, company, email address, telephone) in order to process their requests for assistance.
The sales, marketing and communications teams have access to customers’ details (surname, name, company, email address, telephone), which may be used in sending newsletters or targeted promotional information. The data collected is stored in our secure CRM software.
The IT operating team (linked to the Information Systems Division) can also access customers’ data for troubleshooting purposes. In this case, the data is anonymised.
Has any data already been transferred to data centres outside the European Union?
Exalog does not transfer any data from its software packages outside of the European Union or anywhere else in the world.
The same goes for any data collected on this website.
How is the data collected on this website processed?
When you fill in one of our forms, the personal data collected (surname, name, email address, telephone number, company) may be used for information, business or promotional purposes. For every form, you are informed beforehand about how your data will be used.
You can ask for your data to be updated, changed or deleted at any time by clicking here. Your request is processed as soon as possible, within one month at most.
Data collected on this website is saved in our CRM software. Access to the CRM software is restricted to Exalog staff who need a username and password to login. Accessing the CRM is only possible from Exalog premises or via a VPN. Data is stored in data centres which are ISO 27001 (information systems security), ISAE 3402 (appraisal of third party organisations’ services) and ISO 22301 (business continuity management) certified.
Who can access data and how is it shared?
The sales, marketing and communications teams have access to data collected on this website using online forms and may use it to answer requests for information or send newsletters or targeted promotional information. The data collected is stored in our secure CRM software.
Any questions?
If you have any other GDPR-related questions, we are more than happy to answer them.