General Data Protection Regulation (GDPR)
Effective Date: May, 2018
The new regulation requires both the controller and the processor to implement appropriate technical and organizational measures to ensure an adequate level of security in relation to the risks involved in the processing and the nature of the personal data to be protected. In addition, it must be possible not only to take appropriate measures but also to demonstrate them at any time.
Among the security measures proposed by the new regulation are:
- The pseudonymization and encryption of personal data to prevent or irreversibly prevent the identification of those affected.
- The ability to guarantee the confidentiality, integrity, availability and permanent resilience of treatment systems and services.
- The ability to restore availability and access to personal data quickly in case of a physical or technical incident.
- A process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the safety of treatment.
1. Encryption measures
- Server-Side Encryption
Google Cloud Datastore automatically encrypts all data before it is written to disk. No configuration or setup is required and it is not necessary to modify the way the service is accessed. Data is automatically and transparently decrypted when read by an authorized user. With server-side encryption, Google manages cryptographic keys on our behalf using the same hardened key management systems that they use for their own encrypted data, including strict access and audit controls. The data and metadata for each Cloud Datastore object are encrypted under the Advanced Encryption Standard and each encryption key is encrypted with a set of regularly changed master keys. You can find all technical information regarding the encryption level of the data on these public Google pages:
Google regularly updates information regarding the encryption of data stored in its datastore on this page, where more technical information is also available.
- Security in communications
To protect data in transit over the internet, we use an HTTPS connection. The certificate is issued by the official entity Gandi (https://www.gandi.net/).
2. Guarantees of treatment systems and services.
Nextinit is 100% hosted on Google’s infrastructure, Google Cloud Platform, which is how we can ensure the confidentiality, integrity, availability and permanent resilience of our systems and treatment services: they are the same as Google’s.
The Google security model is a comprehensive process built on the 15 years the company has been protecting the security of its customers in applications such as Gmail, Search and many more. In the Google Cloud Platform, our application, nextinit, and the data it hosts enjoy the benefits of this same security model. For more information on the Google security model, we recommend reading the following document:
- Information Security Team
At the core of Google’s security model is Google’s information security team, made up of more than 500 top experts in information security, applications and networks. This team is responsible for maintaining Google’s defense systems, developing security review processes, building security infrastructure, and implementing Google’s security policies. Its many achievements include the detection of the Heartbleed vulnerability, the creation of a rewards program for reporting software security issues and the adoption of a policy to use SSL by default at Google. More details
- Physical security of data centers
Google’s data centers follow a layered security model that includes measures such as custom-designed electronic access cards, alarms, vehicle access barriers, surrounding fences, metal detectors, and biometric authentication. The data center floor is protected by an intruder detection system with laser beams. Data centers are monitored 24 hours with high resolution indoor and outdoor cameras that detect and track intruders. If an incident occurs, it is possible to check access logs, activity reports and camera images. In addition, data centers have experienced security guards who have passed rigorous background checks and have received the appropriate training to patrol facilities on a regular basis. Less than 1% of the Googlers will step into one of our data centers during their time in the company. More details
- Security of servers and software stack
Google runs tens of thousands of identical servers that have been designed specifically for the company. Security has been kept in mind in developing everything from the hardware to the network and the stack of custom Linux software. Homogeneity, coupled with the fact that the whole stack is owned by Google, greatly reduces our physical security infrastructure and allows us to react to threats more quickly. More details
- Access to data
Google has controls and practices designed to protect the security of customer information. The application layers and the Google Storage Stack require requests from other components to be authenticated and receive the appropriate authorization. It also controls the access to production environments by the administrative engineers of production applications. A centralized group and function management system is used to define and control engineers’ access to production services through a security protocol that authenticates them with short-lived public key personal certificates. In addition, the issuance of personal certificates is protected by a two-factor authentication. More details
- Deleting data
When removed from Google systems, hard disks containing client information are subjected to a data destruction process before leaving the premises. First, authorized personnel perform logical removal of the contents of the disks according to the process that has been approved by the Google security team. Then another authorized person inspects the disk a second time to confirm that the data has been successfully deleted. The results of these deletion processes are recorded with the serial number of the unit for tracking purposes. Finally, the deleted drive is saved to the inventory for re-use and installation. If the disk can not be erased due to a hardware failure, it is stored in a safe place until it can be destroyed physically. All installations are audited weekly to ensure they comply with the disk erasure policy. More details
- Cloud Platform security features
In all Google products, including Cloud Platform, security is a fundamental part of design and a requirement during development. In addition, Google’s site reliability engineers monitor the operations of the platform systems to ensure high availability and avoid misuse of their resources. The specific security features are detailed in the documentation for each product, but all include certain capabilities that span the entire platform.
- Secure Service and Authenticated Access APIs
All services are managed through a secure global API gateway infrastructure. This API infrastructure can only be accessed through encrypted SSL / TLS channels, and to make any request it is necessary to enter private key-based secrets or a limited-duration authentication token that is generated in a human login. Any access to Google Cloud Platform resources is governed by the same robust authentication infrastructure that other Google services use. This means that it is possible to use Google accounts already created or to set up a regulated Google managed domain. When managing users, we have at our disposal different options: password policy, mandatory two-factor authentication and an innovation in authentication such as the hardware security keys.
We log all platform API requests, such as web requests and access to storage segments and user accounts. Thanks to the Cloud Platform tools, we can read operations and access logs from Compute Engine, App Engine, BigQuery, Cloud SQL, Deployment Manager, Cloud VPN and Cloud Storage.
- Data Encryption
Cloud Platform services always encrypt customer content that is stored at rest, without customers having to perform any action. For this purpose, one or more encryption mechanisms are used, with some minor exceptions. For example, new data that is stored on persistent disks is encrypted according to the 256-bit advanced encryption standard, and each encryption key is encrypted in turn with a set of master keys that are periodically rotated. Proximity data (and its clients) uses the same encryption and encryption key policies, cryptographic libraries, and trusted “roots” that are used for many of Google’s production services, such as Gmail, and for Google’s own corporate data. More details
- Secure global network
Because it is connected to the majority of Internet providers in the world, Google’s global network helps improve the security of data in transit, as it limits hops over the public network. Thanks to Cloud Interconnect and the managed VPN, you can create encrypted channels between the private IP environment of our facilities and the Google network. In this way, the instances are totally disconnected from the public network, but we can use them from our own private infrastructure.
- Security analysis
Cloud Security Scanner helps App Engine developers identify the most common vulnerabilities in their web applications, in particular cross-site scripting (XSS) and mixed content.
- Compliance and certifications
Cloud Platform and Google’s infrastructure have obtained certifications of various standards and compliance controls, whose numbers are constantly increasing. In addition, they undergo different audits of independent third parties that verify the security, protection and privacy of the data. You can get more information about each of the certifications.
Google is committed to fulfilling its share of responsibility in maintaining the security of the projects they host, but it is a shared responsibility. To achieve this, we offer several functions, which are detailed below.
13. Operating system and application patches
Google is responsible for maintaining the security and patches of operating system hosting environments.
14. User administration and credentials in infrastructure
The Google Cloud Platform allows us to set user permissions on the project so that team members can have access with minimal privileges.
15. User administration and credentials in the application
Nextinit allows you to define several types of users with different permissions. Users will only have access to the nextinits where they have been registered and in no way in the nextinits of other clients.
The 3 types of users of nextinit are the following:
- Basic user with access to the public part.
- User of the innovation group with access to the public part but with additional permissions for the management of ideas, challenges, etc.
- Administration user that besides the previous accesses has access to the administration of his own nextinit for the configuration of the data of his nextinit, the personal data of the users of his nextinit, the ideas and challenges of his nextinit.
There is a fourth user profile, called super user who has access to a management interface of all nextinits and can, if need be, configure or reset certain parameters of any nextinit. This super administrator only belongs to nextinit and is not shared with any client or partner.
16. Maintenance of network firewall rules
Every year, Nextinit assesses the security of the Cloud Platform infrastructure as well as our software with penetration tests (Black box type test). These evaluations are commissioned from independent external companies and the results can be provided to our customers on demand.
In addition, our clients have the possibility to carry out the same tests on their own account, something that has already been done by clients such as Vodafone or BBVA, giving a positive report as a result of these tests.
17. Registration and supervision
Cloud Platform offers tools like Google Cloud Logging and Google Cloud Monitoring to make it easier for us to collect and analyze request logs, as well as monitor the availability of our infrastructure services (for example, virtual machine instances). These tools also help us create custom dashboards and configure alerts for problems.
18. Independent audits of infrastructure, services and operations
Google’s customers (us) and regulators expect independent verification of security, privacy and compliance controls. To meet these expectations, Google regularly undergoes various independent third-party audits. This means that an independent auditor has examined the controls of our data centers, our infrastructure and our operations. Google undergoes annual audits for the following standards:
- SSAE16 / ISAE 3402 type II:
- ISO 27001: one of the independent security standards with greater prestige and international acceptance. Google has obtained ISO 27001 certification for the systems, applications, people, technology, processes and data centers that Google Cloud Platform uses. More details about ISO 27001.
- ISO 27017 (cloud security): international standard of practices related to information security controls. It is based on the ISO / IEC 27002 standard and focuses especially on cloud services. More details about ISO 27017.
- ISO 27018 (cloud privacy): international standard of practices related to the protection of personal identification data in public cloud services. More details about ISO 27018.
- Authorization to operate FedRAMP for Google App Engine.
- PCI DSS v3.1.
Google follows a third-party auditing approach designed to be as comprehensive as possible in order to ensure the appropriate level of information security in terms of confidentiality, integrity and availability. Customers can use these third-party audits to assess whether Google products meet their compliance and data-processing needs.
3. Data backup and restoration
On a daily basis, a global backup of all nextinit data is made as well as a backup for each client (nextinit enterprise). These files encrypted by Google are stored on Google servers to be used afterwards to restore the entire structure or just a particular nextinit.
Our security protocol requires us to test every week that the backups have been performed correctly, and each month we verify with a test nextinit that it can be restored without loss of information from one of these individual backups.
Second layer page
|Who is responsible for processing your data?||
|---|---|
|Identity|Nextinit S.L. – CIF: B86750197|
|Postal address|Plaza Santa Maria Soledad Torres Acosta 2, 5C. 28004 Madrid – Spain.|
|Telephone number|+34 91 535 96 12|
|Data Protection Officer||
For what purpose do we treat your personal data?
At Nextinit we treat the information provided by interested parties in order to enable them to be authenticated in order to access the platform (web application or mobile applications). We also use this information to send notifications (via email or push notifications in the case of mobile apps) related to the platform. These notifications are NOT of a commercial nature, but are directly related to the use of the platform (new ideas published, new investments, new challenges, notice of contents of interest for a better use of the platform, etc …).
NO commercial profiles are produced based on this information.
How long will we keep your data?
The personal data provided will be kept as long as it is not requested to be deleted by the interested party or until the user ceases to use it because the user or his company no longer uses the platform and the information is cleaned within Nextinit. These cleanings are not automated or planned by default.
In the case of Nextinit we are in the following case:
Legitimation by consent of the interested party:
- When the legitimation for the main purpose does not find accommodation in any of the above legal bases, the consent of the interested party must be requested for the processing of his personal data, and this will be stated in this section.
- In the event that the principal purpose is legitimized by any of the legal bases mentioned above, but any specific purpose requires the consent of the affected, both legitimations will be recorded.
- In the latter case, the interested party should be informed that the main purpose is not subject to the consent of the data that are not necessary for said main purpose, since otherwise the consent would not be considered as “granted freely”.
Example: What is the legitimation for the treatment of your data?
The legal basis for the processing of your data is the authentication in the platform Nextinit, the correct operation of this platform and its use according to the terms and conditions that are available in this address:
In case of accepting the terms and conditions, the platform will not be accessible.
Example: To which recipients will your data be communicated?
The data will be communicated to companies other than Nextinit S.L. whose services we use in the platform for its correct operation (storage, sending of emails, etc.). These companies outside the EU are hosted by “Privacy Shield”. Below we list these companies and detail the use they make of this data.
Google. Nextinit contracts its virtual infrastructure according to a model of “cloud computing” through Google. As such, Google does not have access to this information and can not make use of it. The personal data of users of Nextinit (email, name, surname and photo) are stored on Google servers hosted in Frankfurt, Germany. Google is hosted on “Privacy Shield”:
Mailchimp. In some cases, emails will be sent to users before opening the nextinit platform with training announcements. So emails and user names are loaded for each of these submissions and are deleted when they are no longer useful (a few weeks after the release of nextinit). Mailchimp can not in any way make use of this information. Mailchimp is hosted on “Privacy Shield”:
Mailgun. Nextinit uses Mailgun’s mail delivery services. User data are not stored as such within Mailgun but may appear in the service logs for tracking delivered, pending or failed emails. Mailgun can not in any way make use of this information. Mailgun is hosted on “Privacy Shield”:
The personal data stored in Nextinit are NOT communicated to outside companies other than those mentioned above. In case you have to store one of these data to make use of another external service, we will notify each user via email of this change.
In case of nextinit integration with third parties, such as Workplace by Facebook, Microsoft Yammer or Salesforce Chatter, there is a flow of information regarding the personal data of the employees between these systems and nextinit. It is totally out of our responsibility and our control the use that is made within these services and we invite each user to contact his company to have more information regarding the use that is made with said data once stored in these business services.
What are your rights when you give us your data?
- Any person has the right to obtain confirmation as to whether or not Nextinit is processing personal data concerning them.
- Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, request their deletion when, among other reasons, the data are no longer necessary for the purposes that were collected.
- In certain circumstances and for reasons related to their particular situation, those interested may object to the processing of their data. Nextinit will cease to treat the data, except for compelling legitimate reasons, or the exercise or defense of possible claims.
- There is no portability of personal data due to the fact that we only store name, surname, email and a photo of the user.
The limitation of use or elimination of the personal data (in particular the email) will mean a cessation of use of the platform since nextinit needs the email as unique identifier of each user.
To exercise these rights, send an email with your specific request to email@example.com.
How did we get your data?
The personal data that we treat in Nextinit can come from several sources that are the following:
- They have been delivered by the company that has contracted Nextinit services for its employees, partners, etc.
- They have been delivered by the user when he has registered in Nextinit.
- They have been delivered by Third Party Service via a social login (Google+, LinkedIn, Facebook, Slack or similar services) under the prior approval of the user.
The data categories that are treated are:
- Identification data (Name and surname)
- Electronic address
- User Photography
No protected data is processed.