Is DoliCloud compatible with GDPR?


We must distinguish two questions. First, is DoliCloud, as the company offering the service, compliant with the GDPR with respect to your information as a customer? Second, and independently, does the application you use via DoliCloud allow you, as a data collector, to be compliant yourself?

Respect of the GDPR, with respect to your customer information


The recommendations of the GDPR have been implemented by DoliCloud as follows:


Information collected and used:


* Your customer information (email, password of your customer account, and possibly business name, first and last name of the contact, address, postal code, country and VAT number) is stored when you register. This information allows us to bill the service if you choose the paid offer.

* If you have subscribed to the paid offer, we also store the following information: your SEPA mandate if you have chosen SEPA payment, and the last 4 digits of your card if you have opted for card payment. The full details of your credit card, required for payment by card, are not stored by us but by our payment provider Stripe (the world leader in online payment). We never see them: each charge is made through a request that we send to this provider. When you fill in your bank details, they are sent directly to Stripe and are therefore not stored on our servers.

* You have the option to request the deletion of your account and the above information at any time.

* The GDPR referral contact for the DoliCloud service is: Laurent Destailleur, contact+dpo@dolicloud.com


Data Storage and Backups:


* The collected data (see 'Information collected and used') is stored in a database. The password itself is not stored: to validate your login to your customer area, we store only a fingerprint (hash) of this password, generated by the non-reversible Bcrypt hashing algorithm.

* Customer instances are hosted on an OVH datacenter in Europe (France).

* Once you have subscribed to the paid offer, a backup is made daily and stored on independent storage disks hosted by OVH (on a different datacenter than the production, in Europe) and a second backup is hosted by Scaleway in Europe (France). Only the last 30 days are kept.


Subcontractors:


* DoliCloud relies on the following subcontractors and services:
** The hosting of the servers: OVH (production and level 1 backup) and Scaleway (level 2 backup). These servers are hosted in Europe (France). No DoliCloud customer information is communicated to these subcontractors, which only provide the hardware and network layer; installation and operation are carried out by us directly.
** The online payment service Stripe, which is used to ensure regular payment of the subscription. We do not pass your credit card details to Stripe ourselves: when you fill in your bank details, they are sent directly to Stripe as you enter the number to make the payment (we still receive the last 4 digits, which allows us to identify and analyze payment problems).
** The monitoring service Datadog, which is used for supervision. Only statistical information (counting indicators) and the IP address used for registration are transmitted to this subcontractor.
** The IP validation service IPQualityScore. This is used to check that the IP address used for registration is not recorded as an IP address used for illegal actions such as SPAM or hacking attempts. Only the IP address / User-Agent pair used during registration is sent to this service.



Software Protection:


* DoliCloud runs on Ubuntu Linux systems and software. They benefit from regular security updates when the operating system publisher (Canonical, for Ubuntu) releases them. The system used to deploy and administer the service is based on the Open Source software Sell-Your-Saas.

* The client area and client instances are accessible in HTTPS (HTTP encrypted) or HTTP (as desired) mode for accounts created before June 1, 2018, and must be in HTTPS (encrypted HTTP) for accounts created after June 1, 2018.

* The client area and client instances are protected by various state-of-the-art computer security measures: firewall, banning tools, SPAM usage detection and DoS protection (provided by OVH), and anti-injection and anti-XSS protection in the software used for the customer area and provided to users. Testing of these software components is done automatically with the PHPUnit, Travis-CI, Qodana and PHPStan tools.


Data theft:


* In case of a suspected theft of the data we have collected (see the first point, 'Information collected and used'), DoliCloud customers will be informed by email, at the email address corresponding to their customer account.

I use a solution on DoliCloud, am I in good standing with the GDPR?


By using management software, you store information and become a "data collector". As such, if you are in Europe, or if you store information on European entities, you must respect the rules of the GDPR.

It is not the software that makes you compliant or not with the GDPR, but the use you make of it and the documentation of your processes. Whatever software you use, you need to:

* Describe the information you store with the software, how it's collected, and what you do with it.

* Allow people involved in storing personal data to request the deletion of their data if you no longer need it.

* If you supply the data that you collect or store to subcontractors, inform the people concerned about the nature of this data and to whom it is communicated.

* Define and publish a GDPR referral contact.

* Communicate in the case of knowledge of data theft or unwanted intrusion into your software.

To help fill out your GDPR Registry, here is some information about the software you are using:

* The operating system that hosts the instance of your software is of the Linux Ubuntu type. It benefits from regular security updates when the publisher of the operating system (Ubuntu Canonical) publishes them.

* The data is stored in a MariaDB database. The software offered on DoliCloud does not store "Password" type information (thus preventing any direct theft), but only a hash produced by a double non-reversible hashing algorithm, which by default is the MD5 + SHA1 pair.

* The instance of your software is accessible in HTTPS (HTTP encrypted) or HTTP (as desired) mode for accounts created before June 1, 2018, and must be in HTTPS (Encrypted HTTP) for accounts created after June 1, 2018.

* The instance of your software is protected by various state-of-the-art computer security measures: firewall, banning tools, SPAM usage detection and DoS protection (provided by OVH), and anti-injection and anti-XSS protection. Testing of these software components is done automatically with the PHPUnit, Travis-CI, Qodana and PHPStan tools.

* Once you have subscribed to the paid offer, a backup of your instance is performed daily and stored on independent storage disks hosted by OVH in Europe (France). Only the last 30 days are kept.
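The two password storage schemes named above (Bcrypt for the DoliCloud customer account, and the MD5 + SHA1 double hash stated as the default for a hosted instance) can be compared side by side. The following is an added example and not DoliCloud or Dolibarr code; the order of the double hash, sha1(md5(password)), and the Bcrypt cost of 12 are assumptions, since the page gives neither.

```php
<?php
// Added example, not DoliCloud or Dolibarr code. It contrasts the two password
// storage schemes the FAQ describes so that a reader filling in a GDPR registry
// understands what is actually kept in the database in each case.
// Assumption: the "MD5 + SHA1" double hash is applied as sha1(md5(password)).
declare(strict_types=1);

// Customer-area scheme: Bcrypt. password_hash() draws a random salt and embeds
// the salt and the cost factor in the stored string, so only that string is kept.
function storeAccountPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]); // cost assumed
}

function checkAccountPassword(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Hosted-instance scheme as stated on the page: MD5 then SHA1, no salt, no cost.
function storeInstancePassword(string $password): string
{
    return sha1(md5($password));
}

function checkInstancePassword(string $password, string $stored): bool
{
    // Constant-time comparison so the check does not leak matching prefixes.
    return hash_equals($stored, storeInstancePassword($password));
}

// Demonstration on a constructed password (not a real credential).
$password = 'Example-Pass-2024';

// Bcrypt: hashing the same password twice yields two different strings because
// of the per-hash random salt, yet both verify; a wrong password does not.
$first  = storeAccountPassword($password);
$second = storeAccountPassword($password);
var_dump($first !== $second);
var_dump(checkAccountPassword($password, $first));
var_dump(checkAccountPassword('not-the-password', $first));
// password_needs_rehash() lets a deployment raise the cost later without
// re-collecting passwords: it reports whether a stored hash uses older parameters.
var_dump(password_needs_rehash($first, PASSWORD_BCRYPT, ['cost' => 12]));

// Unsalted double hash: identical passwords always produce identical hashes, and
// both MD5 and SHA1 are fast, so it offers less protection than Bcrypt if the
// database contents are ever exposed.
$third  = storeInstancePassword($password);
$fourth = storeInstancePassword($password);
var_dump($third === $fourth);
var_dump(checkInstancePassword($password, $third));
```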

FAQ written by DoliCloud support team.