GDPR and Cegid Iziago

GDPR, or the General Data Protection Regulation, is the latest European reference text for protecting individuals’ privacy when processing their personal data (EU Regulation No 2016/679).

The Regulation defines the rights of individuals and the obligations that organizations must comply with when handling their data (processing is referred to in its widest sense: manual or automatic, and any form of use including storage).

“Personal data” is considered to be any information about an individual which allows them to be identified. It can be their name, phone number, a photo, email address, etc.

Two people are responsible for these tasks at Exalog:

• The Information Technology Director (ITD)
• The Data Protection Officer (DPO), appointed to ensure that processing at the company is compliant and secure

If you would like to contact either of these people, please use the form available in our contact section.

Exalog implements technical and organizational measures to ensure the security of any data saved by its customers using its software. These include:

• Hosting in high-security data centers certified to ISO 27001 and 22301
• Protecting our systems against hacking and monitoring security updates
• Secure access procedures to our software packages (two-factor authentication)
• Regular backups archived in encrypted form

Exalog’s software (servers and databases) are hosted in two high-security data centers located close to Paris (Courbevoie and Aubervilliers), belonging to a well-known hosting company.

Both of these data centers are ISO 27001 (information systems security), ISAE 3402 (appraisal of third party organizations’ services) and ISO 22301 (business continuity management) certified.

The computer bays where the servers holding our software are installed (processing servers, database servers and banking communications servers) are private and for Exalog alone. Only the Exalog Operations team looks after their management and maintenance. Exalog has exclusive ownership of the servers and network equipment.

Online data are kept for the duration stated in the contract signed by the customer.

In the event the contract is terminated, Exalog shall delete the customer’s data from the database of the shared online software within three months of the date when the contract ends.

Nevertheless, Exalog keeps archives of the shared database backups (data from all its customers), made before this deletion, for up to five years. These archives are encrypted and stored on servers under the same security conditions as those used for hosting the software.

The customer can ask for archives to be recovered; price on application.

Data is kept as follows:

• A database backup is made every hour
• Backup files are kept on secure backup servers, under the same hosting conditions as those of the production site; these files are compressed and encrypted
• Data retention period:
  • Hourly backups are kept for one week before being deleted
  • One backup per week is kept for a maximum period of 1825 days (5 years); each weekly backup is deleted after this period

The Customer Service teams have access to customers’ details (surname, name, company, email address, telephone) in order to process their requests for assistance.

The sales, marketing and communications teams have access to customers’ details (surname, name, company, email address, telephone), which may be used in sending newsletters or targeted promotional information. The data collected is stored in our secure Customer Relationship Management (CRM) software.

The Operations department (linked to the data-processing division) can also access customers’ data for troubleshooting purposes. In this case, the data is anonymised.

Exalog does not transfer any data from its software packages outside of the European Union or anywhere else in the world.