Data Protection
SECURITY
1. Responsibility
At Nextinit, we have two different kind of relationships with our clients.
Maybe you are using the platform because someone in your organization gave you access. In this case, Nextinit is not the data controller of your account but we offer a service to the organization that gave you access. We process the data you share with us on its behalf, so we are the data processors of your account. But do not worry, our realtionship with the data controller is regulated by an agreement and we will treat your data with the same care and
diligence as if we were the data controllers.
On the other hand, maybe you by yourself created an account in Nextinit to see how the platform works and test it. In this case we are the data controllers, so keep reading!
Who is your data controller? | |
Identity | Nextinit S.L. – CIF: B86750197 |
Postal direction: | Plaza Santa Maria Soledad Torres Acosta 2, 5C. 28004. Madrid – Spain. |
Phone: | +34 91 535 96 12 |
Email: | info@nextinit.com |
DPD contact: | gdpr@nextinit.com |
You can contact us in any way you like.
We reserve the right to modify or adapt this Privacy Policy at any time. We recommend that you review this Privacy Policy, and if you have registered and access your account or profile, you will be informed of any changes.
If you are one of the following groups, please consult the information:
2. Web or email contacts
What data do we collect through the Web?
We may process your IP address, operating system or browser you use, and even so the length of your visit, anonymously.
If you provide us data on the contact form, you will be identified in order to contact you, if necessary.
- Respond to your queries or requests.
- Manage the service requested, answer your questions, or process and answer your request.
- Information by electronic devices, which deal with your request.
- Commercial information or events by electronic devices.
- Perform analysis and improvements on the Website, our products and services and our commercial strategy.
Acceptance and consent by the interested party: In those cases where in order to make a request it is necessary to fill in a form and make a “click” on the send button, it fulfilment will necessarily imply that you have been informed and have expressly given your consent to the content of the clause attached to the form or acceptance of the privacy policy.
All our forms have the symbol * in the mandatory data. If you do not provide these fields, or do not mark the checkbox of acceptance of the privacy policy, there will not be an information sending.
3. Customers
For what purpose do we process your personal data?
- Information by electronic means, which deal with your request.
- Manage the administrative services, communications and logistics performed by the websiteowner.
- Preparation of budgets.
- Invoicing and declaration of taxes.
- Carry out the proper transactions.
- Control and recovery management.
4. Contacts social networks
What for do we use social networks data?
- Answer your questions or requests.
- Manage the service requested.
- Connect with you and create a community of followers.
Acceptance of a contractual relationship in the corresponding social network environment, and in accordance with its privacy policies:
How long will we keep personal data?
We will treat them as long as you let us follow you, being friends or giving them to “I like”, “follow” or similar actions.
Any rectification of your data or restriction of information or publications must be done through the configuration of your profile or user in the social network itself.
5. What data do we deal with and how have we obtained them?
Nextinit, in order to be able to provide the service offered, deals with the necessary and not excessive data for this purpose, the following categories of personal data being the subject of such treatment:
- Identifying data (Name and surnames)
- Contact information (email)
- User photography (optional)
The personal data that we treat in Nextinit can come from several sources that are the following:
- They have been provided by the company that has contracted the services of Nextinit for its employees, partners, etc.
- They have been provided by the user when he has registered with Nextinit.
- They have been provided by Third Service through a co-registration (social login: Google+, LinkedIn, Facebook, Slack or other similar services) under the prior approval of the user.
6. What is the legitimating basis for the treatment?
The data processing of Nextinit users is based on the express consent of the interested party, obtained through the user registry who, in order to authenticate himself on the platform, must “click” on the acceptance chekbox of this privacy policy, which It will imply that the user has been informed and has expressly granted their consent to the processing of their data based on it. The non-acceptance of it, will prevent access to the platform.
7. Do we include personal data of third parties?
No, as a rule we only process data provided by the holders. If you provide us the data from a third person, previously you must have informed him and have requested his consent otherwise you exempt us from any responsibility for non-compliance with this requirement.
8. How long will we keep your personal data?
- Personal data will be kept as long as you remain linked to us..
- Once you disassociate yourself, the personal data processed for each purpose will be kept for the legally established periods, including the period in which a judge or court may require them in accordance with the statute of limitations
for legal actions.. - The processed data will be kept as long as the legal periods referred to above do not expire, if there is a legal obligation to maintain, or if there is no such legal period, until the interested party requests its deletion or revokes the consent granted..
- We will keep all the information and communications relating to your purchase or the provision of our service for the duration of the warranty or services, in order to attend possible claims.
9. What rights do you have?
- To know if we are processing your data or not.
- To access your personal data.
- To request the rectification of your data if they are inaccurate.
- To request the erasure of your data if they are no longer necessary for the purposes for which they were collected or if you withdraw your consent.
- To request the limitation of the treatment of your data, in some cases, in which case we will only keep them in accordance with current legislation.
- To carry your data, which will be provided in a structured format, common use or mechanical reading. If you prefer, we can send them to the new person in charge that you designate to us. It is only valid in certain cases.
- To file a complaint with the AEPD (www.aepd.es) Data Protection Authority or competent control authority, if you believe that we have not dealt with you correctly.
- To revoke your consent for any treatment you have consented, any time.
- If you modify any data, please let us know to keep them updated.
Exercise of rights?
- We have forms for the exercise of your rights, ask us by email or if you prefer, you can use those prepared by the AEPD (www.aepd.es ) Data Protection Authority.
- If someone is representing you, you must attach a copy of his ID or signing it with his electronic signature.
- The forms may be presented in person or been sent by mail to the address of the data controller at the beginning of this text.
How long does it take to reply to the Exercise of Rights?
It depends on the right, but a maximum of one month from your request, and two months if the subject is very complex and we will notify you that we need more time.
10. How long will we keep your personal data?
Personal data will be kept as long as you remain linked to us.
- Once you disassociate yourself, the personal data processed for each purpose will be kept for the legally established periods, including the period in which a judge or court may require them in accordance with the statute of limitations for legal actions.
- The processed data will be kept as long as the legal periods referred to abovedo not expire, if there is a legal obligation to maintain, or if there is no such legal period, until the interested party requests its deletion or revokes the consent granted.
- We will keep all the information and communications relating to your purchase or the provision of our service for the duration of the warranty or services, in order to attend possible claims.
11. To which recipients will your data be communicated?
The data will be communicated to suppliers of Nextinit S.L. whose services are necessary for the correct functioning of the platform (storage, sending email, etc.). In case these companies are located outside the EU, Nextinit guarantees that they are covered by the “US – EU Data Privacy Framework”. The following is the use of data that some of these companies make in the name of Nexinit:
– Google. Nextinit hires its virtual infrastructure according to a model of “cloud computing” through Google. As such Google does not have access to this information nor can you make use of it. The personal data of Nextinit users (email, name, surname and photo) are stored on Google servers hosted in Frankfurt, Germany. Google is
hosted by “Data Privacy Framework”:
https://www.dataprivacyframework.gov/s/participant-search
– Mailchimp. In some cases, some emails will be sent to the users before the opening of the nextinit platform with training announcements. So the emails and name of the users are loaded for each of these shipments and are deleted when they are no longer useful (a few weeks after the launch of nextinit). Mailchimp cannot use this information in any way. Mailchimp is hosted by “Privacy Shield”:
https://www.dataprivacyframework.gov/s/participant-search
– Mailgun. Nextinit uses Mailgun email services. The data of the users is not stored as such within Mailgun but they can appear in the logs of the service for tracking emails delivered, pending or failed. Mailgun can not in any way make use of this information. Mailgun is hosted on “Privacy Shield”:
In case of an integration of Nextinit with third parties, such as Workplace by Facebook, Microsoft Yammer or Salesforce Chatter, there is a flow of information related to employees’ personal data between these systems and nextinit. It is totally out of our responsibility and our control the use that is made within these services and we invite each user to consult the Privacy Policy of each service, or to contact your company to have more information regarding the use that is made with said data once stored in these business services.
12. About Google´s technical measures
Encryption measures
Server-Side Encryption
Google Cloud Datastore automatically encrypts all data before it is written to disk. No configuration or setup is required and it is not necessary to modify the way in which the service is accessed. Data is decrypted automatically and transparently when read by an authorized user. With server-side encryption, Google manages cryptographic keys on our behalf using the same hardened key management systems they use for their own encrypted data, including strict access and audit controls. The data and metadata of each Cloud Datastore object are encrypted under the Advanced Encryption Standard and each encryption key is encrypted with a set of regularly changed master keys. You can find all the technical information related to the encryption level of the data. in these public pages of Google:
Google regularly updates the information regarding the encryption of the data stored in its datastore on this page, where more technical information is also available
Security in communications
To protect the data while traveling on the internet, we use a connection via HTTPS. The certificate is issued by the official entity Gandi (https://www.gandi.net/).
Guarantees of treatment systems and services.
Nextinit is 100% hosted on Google’s infrastructure: Google Cloud Platform and how we can guarantee the confidentiality, integrity, availability and permanent resilience of our treatment systems and services because they are the same as those of Google.
The Google security model is an integral process built on the 15 years that the company has been protecting the security of its customers in applications such as Gmail, Search and many more. In Google Cloud Platform, our application, nextinit, and the data you are hosting enjoy the advantages of this same security model. For more information about the Google security model, it is recommended to read the following document:
https://cloud.google.com/security/whitepaper
Information security team
At the core of Google’s security model is Google’s information security team, comprised of more than 500 great experts in information security, applications and networks. This team is responsible for maintaining Google’s defense systems, developing security review processes, creating the security infrastructure and implementing Google’s security policies. Among its many achievements include the detection of the Heartbleed vulnerability, the creation of a rewards program for reporting on software security problems and the adoption of a policy to use SSL by default in Google. More details on the security team of Google information.
Physical security of data centers
Google’s data centers follow a layered security model that includes measures such as electronic access cards with a customized design, alarms, barriers to vehicle access, surrounding fences, metal detectors and biometric authentication. The ground of the data centers is protected by an intrusion detection system with lasers. The data centers are monitored 24 hours a day with high resolution indoor and outdoor cameras that detect and track potential intruders. If an incident occurs, it is possible to consult the access records, the activity reports and the images of the cameras. In addition, data centers have experienced security guards who have passed rigorous background checks and received adequate training to patrol the facilities on a regular basis. Less than 1% of Googlers will step on one of our data centers during their time at the company.More information on the physical security of data centers
Security of the servers and the software stack
Google runs tens of thousands of identical servers that are designed specifically for the company. We have had the security very present at the time of developing everything, from the hardware to the network and the stack of customized Linux software. The homogeneity, together with the fact that the whole stack is owned by Google, greatly reduces our physical security infrastructure and allows us to react to threats more quickly. More information about the security of the servers and the software stack.
Access to data
Google has controls and practices designed to protect the security of customer information. Application layers and the Google storage stack require that requests from other components be authenticated and authorized. It also controls the access to production environments by the administrative engineers of the production applications. A centralized group and a function management system are used to define and control the access of engineers to production services through a security protocol that authenticates them with personal ertificates of short-term public key. In addition, the issuance of personal certificates is protected by a two-factor authentication.
Data deletion
When they are removed from Google systems, hard drives that contain customer information undergo a data destruction process before leaving the premises. First, authorized personnel perform the logical removal of the content of the disks according to the process that has been approved by the Google security team. Then another authorized person inspects the disk a second time to confirm that the data has been successfully deleted. The results of these deletion processes are recorded with the serial number of the unit for tracking purposes.
Finally, the deleted unit is saved in the inventory to be used again and installed. If the disk can not be deleted due to a hardware failure, it is stored in a safe place until it can be physically destroyed. All installations are audited weekly to ensure they comply with the disk erase policy.
Cloud Platform security features
In all Google products, including Cloud Platform, security is a fundamental part of the design and a requirement during development. In addition, the Google Site Reliability ngineering teams monitor the operations of the platform’s systems to ensure high availability and avoid the misuse of their resources. The specific security features are detailed in the documentation of each product, but all include certain capabilities that cover the entire platform.
Secure service and authenticated access APIs
All services are managed through a secure global API gateway infrastructure. This API infrastructure can only be accessed through encrypted SSL / TLS channels, and to make any request it is necessary to enter private keys based on keys or an authentication token of limited duration that is generated in a human login. Any access Google Cloud Platform resources are regulated by the same solid authentication infrastructure used by other Google services. This means that it is possible to use Google accounts already created or to set up a regulated Google managed domain. When managing users, we have different options at our disposal: password policy, mandatory two-factor authentication and an innovation in authentication such as hardware security keys.
Registry
We register all platform API requests, such as web requests and access to storage segments and user accounts. Thanks to the Cloud Platform tools, we can read operations and access registers of Compute Engine, App Engine, BigQuery, Cloud SQL, Deployment Manager, Cloud VPN and Cloud Storage.
Data encryption
In the Cloud Platform services, the content of the clients stored at rest is always encrypted, without them having to take any action. For this, one or several encryption mechanisms are used, with some insignificant exceptions. For example, new data that is stored on persistent disks is encrypted according to the advanced 256-bit encryption standard, and each encryption key is encrypted in turn with a set of master keys that rotate periodically. For the nextinit data (and its clients) the same encryption and key management policies, cryptographic libraries and trusted roots are used for many of Google’s production services, such as Gmail, and for their own Google corporate data.More information about encryption options Secure global network
By being connected to the majority of Internet providers in the world, the global network of Google helps improve the security of data in transit, since it limits the jumps through the public network. Thanks to Cloud Interconnect and managed VPN, you can create encrypted channels between the private IP environment of our facilities and the Google network. In this way, the instances are totally disconnected from the public network, but we can use them from our own private infrastructure.
Security analysis
Cloud Security Scanner helps App Engine developers identify the most common vulnerabilities in their web applications, particularly cross-site scripting (XSS) and mixed content.
Compliance and certifications
Cloud Platform and Google’s infrastructure have obtained certifications of various standards and compliance controls, whose number does not stop increasing. In addition, they undergo different independent third party audits that verify the security, protection and privacy of the data. You can get more information about each of the certifications on our compliance page. Google is committed to fulfilling its share of responsibility when it comes to maintaining the security of the projects it hosts, but it is a shared responsibility. To achieve this, they offer us various functions, which we detail below.
13. Operating system and application patches
Google is responsible for maintaining the security and patches of the hosting operating system environments.
14. Administration of users and credentials in the infrastructure
Google Cloud Platform allows us to define user permissions in the project so that members of the team can have access with minimal privileges.
15. Administration of users and credentials in the application
Nextinit allows you to define several types of users with different permissions. Users will only have access to the nextinits where they have been registered and in no way in the nextinits of other clients.
The 3 types of users of nextinit are the following:
- Basic user with access to the public part.
- User of the innovation group with access to the public part but with additional permissions for the management of ideas, challenges, etc
- – Administration user that in addition to the previous accesses has access to the administration of his own nextinit for the configuration of the data of his nextinit, the personal data of the users of his nextinit, the ideas and challenges of his nextinit.
There is a fourth user profile, called super user who has access to an administration interface of all nextinits and can, if necessary, configure or reset certain parameters of any nextinit. This super administrator only belongs to nextinit and is not shared with any client or partner.
16. Maintenance of network firewall rules
Every year, Nextinit is responsible for evaluating the security of the Cloud Platform
infrastructure as well as our penetration test software (Black box type test). These evaluations are entrusted to independent external companies and the results can be provided to our clients on demand.
In addition, our customers have the possibility of performing these same tests on their own, something that has already been done by clients such as Vodafone or BBVA, giving a positive report as a result of these tests.
17. Registration and supervision
Cloud Platform offers tools such as Google Cloud Logging and Google Cloud Monitoring to make it easier for us to collect and analyze the application records, as well as to monitor the availability of our infrastructure services (for example, virtual machine instances). These tools also help us create custom control panels and configure alerts for when problems arise.
18. Registration and supervision
Google customers (us) and regulators expect an independent verification of security, privacy and compliance controls. To live up to these expectations, Google regularly undergoes various independent third-party audits. This means that an independent auditor has examined the controls of our data centers, our infrastructure and our operations. At Google, annual audits of the following standards are carried out:
SSAE16 / ISAE 3402 type II:
– SOC 2
– SOC 3 public audit report
ISO 27001: one of the independent security standards with greater prestige and international acceptance. Google has obtained ISO 27001 certification for the systems, applications, people, technology, processes and data centers that Google Cloud Platform uses. Here you will find our ISO 27001 certificate.
ISO 27017 (security in the cloud): international standard of practices related to information security controls. It is based on the ISO / IEC 27002 standard and focuses especially on cloud services. Here you will find our ISO 27017 certificate.
ISO 27018 (privacy in the cloud): international standard of practices related to the protection of personal identification data in public cloud services. Here you will find our ISO 27018 certificate. Authorization to operate FedRAMP for Google App Engine.
PCI DSS v3.1. Google follows a third-party audit approach designed to be as comprehensive as possible, in order to ensure the appropriate level of information security in terms of confidentiality, integrity and availability. Customers can use these third-party audits to assess whether Google products meet their compliance and data processing needs. Backup and restoration of data On a daily basis, a global backup of all the nextinit data is made as well as a backup for each client (nextinit enterprise). These files encrypted by Google are stored on Google servers to be used afterwards to restore the complete structure or just a nextinit in particular.
Our security protocol forces us to test every week that backups have been made correctly and every month we verify with a test nextinit that can be restored without loss of information thanks to one of these individual backups.