Guidelines for configuring your secure file exchange environment (including your SendSecure Cloud service and your own corporate environment) to help gain compliance with PII regulations such as GDPR.
If your organization is involved in the processing of Personally Identifiable Information (PII), you may need to configure your secure file exchange environment (including your SendSecure Cloud account, local clients and other involved communication/infrastructure systems) to comply with PII regulations such as the European Union's General Data Protection Regulation (GDPR).
The following list of recommendations intends to be a basic set of guidelines to help your SendSecure Cloud account administrators and corporate IT administrators to take the appropriate actions in their respective fields in the context of PII regulation compliance process.
Identify your PII data
First of all, you should clearly identify the different types of PII data that your organization is processing, as well as the people within your organization who are intended to process this data, and finally, the context in which the PII data is processed.
This analysis should help you take careful decisions and implement the most appropriate corporate rules in order to meet your PII processing requirements while providing a proper file exchange environment to all users of your organization.
Simplify the maintenance of your user accounts
In corporate environments with numerous employees using multiple and separate services, it is sometimes hard to efficiently synchronize the maintenance of user accounts and credentials over all the corresponding platforms (and among them, the XMedius cloud platform).
In a context of PII processing, this topic becomes critical and should be carefully addressed: you need to ensure at all times that the PII data is accessed only by the intended users, according to the security rules you have defined.
- Centralize the management of your user accounts by enabling an automated synchronization from your Active Directory using the dedicated AD Sync tool – see: Synchronizing Users from Active Directory.
- Centralize the enforcement of your corporate password policy by activating the Single Sign-On functionality in your XMedius cloud enterprise account – see: Enabling User Single Sign-On (SSO) using AD FS.
Create dedicated Security Profiles and regroup PII users
- As many Security Profiles as required to properly address each type of PII data in terms of retention/deletion, protection/encryption and privacy/consent (these topics are further developed in the following sections), and
- As many Groups as required to allow you to categorize users and easily give them access to different Security Profiles according to the type of data they are intended to process.
Enable SafeBox participant consent
Your PII regulation compliance rules may require to receive the consent of participants before they submit personal information to SendSecure. Be aware that such information includes the messages and documents transmitted through the SafeBox, but also any required participant data such as a name, an email address and in some cases a phone number.
SendSecure offers this option among the parameters that can be set in Security Profiles.
As such, according to your PII processing rules, you may need to ensure that your dedicated PII Security Profiles have the Require Participant Consent option enabled. As a result, participants will be required to accept a statement of consent before posting messages and documents to SafeBoxes created with such a Security Profile.
Protect your data (in transit and at rest)
For security reasons, the data that you process should be protected at all times – at rest and in transit.
- Encrypt Messages: to enforce the encryption (in transit and at rest) of the text messages posted to the SafeBoxes – in addition to the encryption of files. Note that SendSecure considers encrypted messages as confidential and will permanently mask them in the Audit Records generated at the end of the transaction.
- Double Encryption: to use a mechanism through which a client key is additionally required from participants to decrypt the SafeBox content.
Plan and setup your data retention/deletion
Two types of data should be considered here: the contents of the SafeBoxes (i.e. messages and attached files) and the metadata elements usable for audit purposes. While you can control the SafeBox content retention/deletion through the configuration of your Security Profiles, the way the metadata elements are retained cannot be changed (see the details below).
At this step, you should review the data retention/deletion rules you may have established to meet your PII processing requirements, in order to setup your Security Profiles for appropriate SafeBox Life Cycle (multiple settings).
Remember that defining multiple Security Profiles – each one dedicated to each type of processed PII data – may offer you more flexibility, if the retention rules are different for each of the PII data types that your organization may process.
For each Security Profile, you mainly have to define the period during which a SafeBox will remain open for contribution (Auto Close options), and the period during which the SafeBox content will be retained after the SafeBox is closed (Content Retention options). Their sum will basically represent the maximum period during which some content may be stored in the SafeBox. Also, be aware that enabling the Auto Extend on Reply option may have an effect on the overall retention period of SafeBoxes.
- System/administrative audit logs and SendSecure service logs are retained for 90 days in a live form, plus are included in backups, which gives XMedius 1 year of security logs.
- SafeBox Audit Records are systematically generated when SafeBoxes are closed (contribution ended) and remain always available to whom it may concern beyond SafeBox content deletion.
Keep your systems up to date
XMedius constantly maintains up to date the systems hosting the XMedius Cloud platform and services as per its policies, by always applying the latest security fixes and improvements produced by the software industry and by its own development team.
- By applying OS security updates as soon as they are released.
- By maintaining any of your SendSecure client software and tools up to date – note that you can subscribe to receive email notifications when XMedius Cloud services and client tools are updated (go to https://support.xmedius.com/hc/en-us/sections/207217288-Change-History and use the Follow option at the top right of the page).