Configuring your SendSecure service for PII regulation compliance

Administrator -

Guidelines for configuring your secure file exchange environment (including your SendSecure Cloud service and your own corporate environment) to help gain compliance with PII regulations such as GDPR.

Purpose

If your organization is involved in the processing of Personally Identifiable Information (PII), you may need to configure your secure file exchange environment (including your SendSecure Cloud account, local clients and other involved communication/infrastructure systems) to comply with PII regulations such as the European Union's General Data Protection Regulation (GDPR).

The following list of recommendations intends to be a basic set of guidelines to help your SendSecure Cloud account administrators and corporate IT administrators to take the appropriate actions in their respective fields in the context of PII regulation compliance process.

Identify your PII data

First of all, you should clearly identify the different types of PII data that your organization is processing, as well as the people within your organization who are intended to process this data, and finally, the context in which the PII data is processed.

This analysis should help you take careful decisions and implement the most appropriate corporate rules in order to meet your PII processing requirements while providing a proper file exchange environment to all users of your organization.

Simplify the maintenance of your user accounts

In corporate environments with numerous employees using multiple and separate services, it is sometimes hard to efficiently synchronize the maintenance of user accounts and credentials over all the corresponding platforms (and among them, the XMedius cloud platform).

In a context of PII processing, this topic becomes critical and should be carefully addressed: you need to ensure at all times that the PII data is accessed only by the intended users, according to the security rules you have defined.

As such, to simplify the maintenance of your SendSecure user accounts and better control their access, it is recommended (as much as possible) to consider the following:

Create dedicated Security Profiles and regroup PII users

Basically in practice, your PII users must be able to create (and contribute to) SafeBoxes whose security properties correspond to the rules you have defined for each type of PII data processed by your company. Therefore, you may need to define in your SendSecure account:
  • As many Security Profiles as required to properly address each type of PII data in terms of retention/deletion, protection/encryption and privacy/consent (these topics are further developed in the following sections), and
  • As many Groups as required to allow you to categorize users and easily give them access to different Security Profiles according to the type of data they are intended to process.

Enable SafeBox participant consent

Your PII regulation compliance rules may require to receive the consent of participants before they submit personal information to SendSecure. Be aware that such information includes the messages and documents transmitted through the SafeBox, but also any required participant data such as a name, an email address and in some cases a phone number.

SendSecure offers this option among the parameters that can be set in Security Profiles.

As such, according to your PII processing rules, you may need to ensure that your dedicated PII Security Profiles have the Require Participant Consent option enabled. As a result, participants will be required to accept a statement of consent before posting messages and documents to SafeBoxes created with such a Security Profile.

Protect your data (in transit and at rest)

For security reasons, the data that you process should be protected at all times – at rest and in transit.

As such, XMedius guarantees that:
  1. All SendSecure files and messages are transferred over secure protocols, and
  2. All transmitted files are always encrypted in transit (uploads/downloads) and at rest (in SafeBoxes), using a unique key per transaction.
On your side, depending on your PII processing requirements, you may need to further increase your data security by enabling – through Security Profiles – the following options:
  • Encrypt Messages: to enforce the encryption (in transit and at rest) of the text messages posted to the SafeBoxes – in addition to the encryption of files. Note that SendSecure considers encrypted messages as confidential and will permanently mask them in the Audit Records generated at the end of the transaction.
  • Double Encryption: to use a mechanism through which a client key is additionally required from participants to decrypt the SafeBox content.
Note: Do not forget that the rules defined for your data protection implies that you also need to configure a proper corporate environment, including for example the additional encryption of local storage destinations that you may have included in your PII data processing flow. Also, if you have a backup mechanism involving these storage destinations, do not forget to include the backup locations in your encryption process.

Plan and setup your data retention/deletion

Two types of data should be considered here: the contents of the SafeBoxes (i.e. messages and attached files) and the metadata elements usable for audit purposes. While you can control the SafeBox content retention/deletion through the configuration of your Security Profiles, the way the metadata elements are retained cannot be changed (see the details below).

SafeBox contents

At this step, you should review the data retention/deletion rules you may have established to meet your PII processing requirements, in order to setup your Security Profiles for appropriate SafeBox Life Cycle (multiple settings).

Remember that defining multiple Security Profiles – each one dedicated to each type of processed PII data – may offer you more flexibility, if the retention rules are different for each of the PII data types that your organization may process.

For each Security Profile, you mainly have to define the period during which a SafeBox will remain open for contribution (Auto Close options), and the period during which the SafeBox content will be retained after the SafeBox is closed (Content Retention options). Their sum will basically represent the maximum period during which some content may be stored in the SafeBox. Also, be aware that enabling the Auto Extend on Reply option may have an effect on the overall retention period of SafeBoxes.

Important: The retention rules you have defined apply to the whole life cycle of the data (i.e. not only the SafeBox life cycle). That said, to properly calculate the retention periods, you must take into account any other system to which the data may have been transmitted after being processed by the SendSecure service. For example, this may include mail boxes, folders or any other application.

Audit data

For audit and troubleshooting purposes, XMedius ensures the tracking of all SafeBox transmission/processing information, administrative configurations/actions and system events:
  • System/administrative audit logs and SendSecure service logs are retained for 90 days in a live form, plus are included in backups, which gives XMedius 1 year of security logs.
  • SafeBox Audit Records are systematically generated when SafeBoxes are closed (contribution ended) and remain always available to whom it may concern beyond SafeBox content deletion.

Keep your systems up to date

XMedius constantly maintains up to date the systems hosting the XMedius Cloud platform and services as per its policies, by always applying the latest security fixes and improvements produced by the software industry and by its own development team.

On your side, it is always recommended to additionally maintain all your user workstations up to date:
  • By applying OS security updates as soon as they are released.
  • By maintaining any of your SendSecure client software and tools up to date – note that you can subscribe to receive email notifications when XMedius Cloud services and client tools are updated (go to https://support.xmedius.com/hc/en-us/sections/207217288-Change-History and use the Follow option at the top right of the page).
Have more questions? Submit a request

Comments

Powered by Zendesk