Data Use and Data Protection Information for Using Nextinit.com

General Data Protection Regulation (GDPR)

SECURITY

Effective Date: May, 2018

1. Responsibility

At Nextinit, we have two different kinds of relationships with our clients.

Maybe you are using the platform because someone in your organization gave you access. In this case, Nextinit is not the data controller of your account; we offer a service to the organization that gave you access. We process the data you share with us on its behalf, so we are the data processors of your account. But do not worry: our relationship with the data controller is regulated by an agreement, and we will treat your data with the same care and diligence as if we were the data controllers.

On the other hand, maybe you created an account in Nextinit yourself to see how the platform works and test it. In this case we are the data controllers, so keep reading!

Who is responsible for the processing of your data?

Identity: Nextinit S.L. – CIF: B86750197
Postal address: Plaza Santa Maria Soledad Torres Acosta 2, 5C. 28004 Madrid – Spain.
Phone: +34 91 535 96 12
Email: info@nextinit.com
Delegate of Data Protection:
DPD contact: gdpr@nextinit.com

2. For what purpose do we treat your personal data?

At Nextinit we process the information provided by interested persons in order to provide them with the service offered, through their authentication to access the platform (web application or mobile applications) and use its functionalities. We also use this information to send notifications (via email, or push notifications when using the mobile app) related to the platform. Such communications will never be commercial; they will be directly related to the use of the platform (new ideas published, new investments, new challenges, notice of contents of interest for a better use of the platform, etc.).

NO commercial profiles are built from this information.

3. What data do we deal with and how have we obtained them?

In order to provide the service offered, Nextinit processes only the data that is necessary and not excessive for this purpose. The following categories of personal data are subject to such processing:

  • Identifying data (Name and surnames)
  • Contact information (email)
  • User photograph (optional)

The personal data that we process at Nextinit can come from the following sources:

  • They have been provided by the company that has contracted the services of Nextinit for its employees, partners, etc.
  • They have been provided by the user when registering with Nextinit.
  • They have been provided by a third-party service through a co-registration (social login: Google+, LinkedIn, Facebook, Slack or other similar services) with the prior approval of the user.

4. What is the legitimating basis for the treatment?

The processing of Nextinit users' data is based on the express consent of the interested party, obtained through user registration: in order to authenticate on the platform, the user must “click” on the acceptance checkbox of this privacy policy, which implies that the user has been informed and has expressly granted consent to the processing of their data based on it. Non-acceptance will prevent access to the platform.

5. How long will we keep your data?

The personal data provided will be kept as long as they are necessary for the purpose for which they were collected, as long as the deletion is not requested by the interested party or until it is no longer used because the user or his company no longer uses the platform and the information is cleaned up within Nextinit. These cleanings are not automated or planned by default.

6. To which recipients will your data be communicated?

The data will be communicated to suppliers of Nextinit S.L. whose services are necessary for the correct functioning of the platform (storage, sending email, etc.). In case these companies are located outside the EU, Nextinit guarantees that they are covered by the “Privacy Shield”. The following describes the use of data that some of these companies make on behalf of Nextinit:

  • Google. Nextinit contracts its virtual infrastructure from Google under a “cloud computing” model. As such, Google does not have access to this information, nor can it make use of it. The personal data of Nextinit users (email, name, surname and photo) are stored on Google servers hosted in Frankfurt, Germany. Google is covered by “Privacy Shield”:

https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

  • Mailchimp. In some cases, emails with training announcements will be sent to users before the opening of the nextinit platform. The emails and names of the users are loaded for each of these mailings and are deleted when they are no longer useful (a few weeks after the launch of nextinit). Mailchimp cannot use this information in any way. Mailchimp is covered by “Privacy Shield”:

https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active

  • Mailgun. Nextinit uses Mailgun email services. User data is not stored as such within Mailgun, but it can appear in the service logs used for tracking delivered, pending or failed emails. Mailgun cannot make use of this information in any way. Mailgun is covered by “Privacy Shield”:

https://www.privacyshield.gov/participant?id=a2zt0000000PCbmAAG&status=Active

In case of an integration of Nextinit with third parties, such as Workplace by Facebook, Microsoft Yammer or Salesforce Chatter, there is a flow of information related to employees’ personal data between these systems and nextinit. The use made of the data within these services is entirely outside our responsibility and our control. We invite each user to consult the Privacy Policy of each service, or to contact their company for more information about how the data is used once stored in these business services.

7. What are your rights as an interested party in the processing of your data?

Data protection regulation grants the user a series of rights, which Nextinit, as the responsible party, is obliged to satisfy. You have the right:

  • To know whether or not your data is being processed.
  • To access the personal data object of the treatment.
  • To request the rectification of the data if they are inaccurate.
  • To request the deletion of the data if they are no longer necessary for the purposes for which they were collected or if you withdraw the consent granted.
  • To request the limitation of the treatment of the data, in some cases, in which case they will only be conserved according to the current regulations.
  • To revoke consent for any treatment for which you have consented, at any time.
  • Taking into account the nature of the data collected by Nextinit, there is no possibility of their portability.

Among the security measures proposed by the new regulation are:

– Pseudonymization and encryption of personal data to irreversibly impede or prevent the identification of those affected.

– The ability to guarantee the confidentiality, integrity, availability and permanent resilience of the treatment systems and services.

– The ability to restore the availability and access to personal data quickly in case of physical or technical incident.

– A process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the safety of treatment.

1. Encryption measures

Server-Side Encryption

Google Cloud Datastore automatically encrypts all data before it is written to disk. No configuration or setup is required and it is not necessary to modify the way in which the service is accessed. Data is decrypted automatically and transparently when read by an authorized user. With server-side encryption, Google manages cryptographic keys on our behalf using the same hardened key management systems they use for their own encrypted data, including strict access and audit controls. The data and metadata of each Cloud Datastore object are encrypted under the Advanced Encryption Standard and each encryption key is encrypted with a set of regularly changed master keys. You can find all the technical information related to the encryption level of the data in these public Google pages:

https://cloud.google.com/security/encryption-at-rest/default-encryption/

https://cloud.google.com/security/encryption-at-rest/default-encryption/resources/encryption-whitepaper.pdf

Google regularly updates the information regarding the encryption of the data stored in its datastore on this page, where more technical information is also available.

Security in communications

To protect the data in transit over the internet, we use a connection via HTTPS. The certificate is issued by the official entity Gandi (https://www.gandi.net/).

Guarantees of treatment systems and services.

Nextinit is 100% hosted on Google’s infrastructure (Google Cloud Platform), which is how we can guarantee the confidentiality, integrity, availability and permanent resilience of our processing systems and services: they are the same as those of Google.

The Google security model is an integral process built on the 15 years that the company has been protecting the security of its customers in applications such as Gmail, Search and many more. In Google Cloud Platform, our application, nextinit, and the data you are hosting enjoy the advantages of this same security model. For more information about the Google security model, it is recommended to read the following document:

https://cloud.google.com/security/whitepaper

Information security team

At the core of Google’s security model is Google’s information security team, comprised of more than 500 great experts in information security, applications and networks. This team is responsible for maintaining Google’s defense systems, developing security review processes, creating the security infrastructure and implementing Google’s security policies. Its many achievements include the detection of the Heartbleed vulnerability, the creation of a rewards program for reporting software security problems and the adoption of a policy to use SSL by default in Google. More details on Google’s information security team.

Physical security of data centers

Google’s data centers follow a layered security model that includes measures such as electronic access cards with a customized design, alarms, barriers to vehicle access, surrounding fences, metal detectors and biometric authentication. The ground of the data centers is protected by an intrusion detection system with lasers. The data centers are monitored 24 hours a day with high resolution indoor and outdoor cameras that detect and track potential intruders. If an incident occurs, it is possible to consult the access records, the activity reports and the images of the cameras. In addition, data centers have experienced security guards who have passed rigorous background checks and received adequate training to patrol the facilities on a regular basis. Less than 1% of Googlers will set foot in one of our data centers during their time at the company. More information on the physical security of data centers.

Security of the servers and the software stack

Google runs tens of thousands of identical servers that are designed specifically for the company. Security was kept firmly in mind when developing everything, from the hardware to the network and the stack of customized Linux software. The homogeneity, together with the fact that the whole stack is owned by Google, greatly reduces our physical security infrastructure and allows us to react to threats more quickly. More information about the security of the servers and the software stack.

Access to data

Google has controls and practices designed to protect the security of customer information. Application layers and the Google storage stack require that requests from other components be authenticated and authorized. Google also controls the access of the administrative engineers of production applications to production environments. A centralized group and a function management system are used to define and control the access of engineers to production services through a security protocol that authenticates them with short-lived personal public key certificates. In addition, the issuance of personal certificates is protected by two-factor authentication.

Data deletion

When they are removed from Google systems, hard drives that contain customer information undergo a data destruction process before leaving the premises. First, authorized personnel perform the logical removal of the content of the disks according to the process that has been approved by the Google security team. Then another authorized person inspects the disk a second time to confirm that the data has been successfully deleted. The results of these deletion processes are recorded with the serial number of the unit for tracking purposes. Finally, the deleted unit is saved in the inventory to be used again and installed. If the disk cannot be deleted due to a hardware failure, it is stored in a safe place until it can be physically destroyed. All installations are audited weekly to ensure they comply with the disk erase policy.

Cloud Platform security features

In all Google products, including Cloud Platform, security is a fundamental part of the design and a requirement during development. In addition, the Google Site Reliability Engineering teams monitor the operations of the platform’s systems to ensure high availability and avoid the misuse of their resources. The specific security features are detailed in the documentation of each product, but all include certain capabilities that cover the entire platform.

Secure service and authenticated access APIs

All services are managed through a secure global API gateway infrastructure. This API infrastructure can only be accessed through encrypted SSL/TLS channels, and to make any request it is necessary to present private-key-based credentials or an authentication token of limited duration that is generated in a human login. Any access to Google Cloud Platform resources is regulated by the same solid authentication infrastructure used by other Google services. This means that it is possible to use Google accounts already created or to set up a regulated Google managed domain. When managing users, we have different options at our disposal: password policy, mandatory two-factor authentication and an innovation in authentication such as hardware security keys.

Logging

We log all platform API requests, such as web requests and access to storage segments and user accounts. Thanks to the Cloud Platform tools, we can read the operation and access logs of Compute Engine, App Engine, BigQuery, Cloud SQL, Deployment Manager, Cloud VPN and Cloud Storage.

Data encryption

In the Cloud Platform services, the content of the clients stored at rest is always encrypted, without them having to take any action. For this, one or several encryption mechanisms are used, with some insignificant exceptions. For example, new data that is stored on persistent disks is encrypted according to the advanced 256-bit encryption standard, and each encryption key is encrypted in turn with a set of master keys that rotate periodically. For the nextinit data (and that of its clients), the same encryption and key management policies, cryptographic libraries and trusted roots are used as for many of Google’s production services, such as Gmail, and for Google’s own corporate data. More information about encryption options.

Secure global network

By being connected to the majority of Internet providers in the world, the global network of Google helps improve the security of data in transit, since it limits the hops through the public network. Thanks to Cloud Interconnect and managed VPN, you can create encrypted channels between the private IP environment of our facilities and the Google network. In this way, the instances are totally disconnected from the public network, but we can use them from our own private infrastructure.

Security analysis

Cloud Security Scanner helps App Engine developers identify the most common vulnerabilities in their web applications, particularly cross-site scripting (XSS) and mixed content.

Compliance and certifications

Cloud Platform and Google’s infrastructure have obtained certifications of various standards and compliance controls, whose number keeps growing. In addition, they undergo different independent third-party audits that verify the security, protection and privacy of the data. You can get more information about each of the certifications on our compliance page.

Google is committed to fulfilling its share of responsibility when it comes to maintaining the security of the projects it hosts, but it is a shared responsibility. To achieve this, they offer us various functions, which we detail below.

13. Operating system and application patches

Google is responsible for maintaining the security and patches of the hosting operating system environments.

14. Administration of users and credentials in the infrastructure

Google Cloud Platform allows us to define user permissions in the project so that members of the team can have access with minimal privileges.

15. Administration of users and credentials in the application

Nextinit allows you to define several types of users with different permissions. Users will only have access to the nextinits where they have been registered and never to the nextinits of other clients.

The 3 types of users of nextinit are the following:

  • Basic user with access to the public part.
  • User of the innovation group with access to the public part but with additional permissions for the management of ideas, challenges, etc.
  • Administration user who, in addition to the previous accesses, has access to the administration of their own nextinit to configure its data, the personal data of its users, and its ideas and challenges.

There is a fourth user profile, called super user, who has access to an administration interface of all nextinits and can, if necessary, configure or reset certain parameters of any nextinit. This super administrator only belongs to nextinit and is not shared with any client or partner.

16. Maintenance of network firewall rules

Every year, Nextinit is responsible for evaluating the security of the Cloud Platform infrastructure as well as for penetration testing of our software (black-box type test). These evaluations are entrusted to independent external companies and the results can be provided to our clients on demand.

In addition, our customers have the possibility of performing these same tests on their own, something that has already been done by clients such as Vodafone or BBVA, giving a positive report as a result of these tests.

17. Registration and supervision

Cloud Platform offers tools such as Google Cloud Logging and Google Cloud Monitoring to make it easier for us to collect and analyze the application records, as well as to monitor the availability of our infrastructure services (for example, virtual machine instances). These tools also help us create custom control panels and configure alerts for when problems arise.

18. Independent audits of infrastructure, services and operations

Google customers (us) and regulators expect an independent verification of security, privacy and compliance controls. To live up to these expectations, Google regularly undergoes various independent third-party audits. This means that an independent auditor has examined the controls of our data centers, our infrastructure and our operations. At Google, annual audits of the following standards are carried out:

SSAE16 / ISAE 3402 type II:

  • SOC 2
  • SOC 3 public audit report

ISO 27001: one of the independent security standards with greater prestige and international acceptance. Google has obtained ISO 27001 certification for the systems, applications, people, technology, processes and data centers that Google Cloud Platform uses. Here you will find our ISO 27001 certificate.

ISO 27017 (security in the cloud): international standard of practices related to information security controls. It is based on the ISO / IEC 27002 standard and focuses especially on cloud services. Here you will find our ISO 27017 certificate.

ISO 27018 (privacy in the cloud): international standard of practices related to the protection of personal identification data in public cloud services. Here you will find our ISO 27018 certificate.

Authorization to operate FedRAMP for Google App Engine.

PCI DSS v3.1.

Google follows a third-party audit approach designed to be as comprehensive as possible, in order to ensure the appropriate level of information security in terms of confidentiality, integrity and availability. Customers can use these third-party audits to assess whether Google products meet their compliance and data processing needs.

Backup and restoration of data
On a daily basis, a global backup of all the nextinit data is made, as well as a backup for each client (nextinit enterprise). These files, encrypted by Google, are stored on Google servers to be used afterwards to restore the complete structure or just one nextinit in particular.

Our security protocol requires us to test every week that backups have been made correctly, and every month we verify with a test nextinit that it can be restored without loss of information from one of these individual backups.