GDPR is about the collection, protection and handling of any personal data collected by companies or organizations. In a nutshell, any data collected about somebody that is already identified or is identifiable as a natural person is called personal data by GDPR definitions. This document specifies how Veloxity is eligible for GDPR and how it is compliant.
Veloxity, as a behavioral marketing platform for mobile app users, connects to mobile apps and collects user behavior as data. However, Veloxity does not collect any identity of a natural person. An identified natural person is one that is clearly known, named, and identified in the true sense of being recognized and singled out, which Veloxity does not do. No information collected by Veloxity contains direct identifiers, such as name and surname, official identity or citizenship number, e-mail address, phone number, DNA, or social media IDs (including but not limited to Facebook ID, Twitter ID, LinkedIn ID, etc.). However, Veloxity creates a unique Veloxity Id for a single device (not a person but a mobile device) and collects location information and IP addresses of the devices of users who accept the data collection in the form of an explicit consent. Although these two pieces of information alone are not enough to identify a natural person, GDPR accepts them as identifiable information, because they can be used with other potential information or identifiers to clearly identify a natural person. Although none of the information, or combination of information and identifiers, used in Veloxity data can identify a natural person, 3rd party servers and identity holders can potentially merge that data with theirs and identify real users.
Veloxity does not sell or give away the exact location or IP addresses of users to any parties, including the partners or the app owners who host the Veloxity data collection SDK in their apps. However, it has them stored in its data centers. The fact that it stores location and IP addresses makes the Veloxity user data pseudonymized according to GDPR Recital 28. Although GDPR does not give a detailed explanation of how pseudonymized data can be deanonymized to identify a natural person, it mentions that in case it can, it does fall under GDPR. This is a grey area. Although Veloxity cannot know for certain that its pseudonymized data can be deanonymized by any third parties, it preferred to stay on the safe side, and accepted that the part of the data that is pseudonymized in Veloxity servers falls under GDPR. That is, Veloxity adopts and obeys all the rules and suggestions introduced by this new regulation called GDPR.
Following the data definition of GDPR, Veloxity declares that it stores two types of information:
Anonymized data: Type of information which contains aggregated user data and which is impossible to reverse to identify a natural person. This type of data is out of GDPR scope.
Pseudonymized data: Type of information which contains user data and cannot be converted to identified user data unless supported by additional identifiers and/or information (as introduced by GDPR Recital 28).
According to our declaration and our auditable data, Veloxity does not hold any direct identities that would make the company or its partners directly know a real natural person.
Veloxity therefore declares that it holds pseudonymized personal data which is subject to GDPR and it is fully compliant as suggested in the regulation.
Questions / Answers to claim GDPR Compliancy
Where are your data and applications stored?
All of them are stored in Veloxity Cloud. The Veloxity cloud servers are in Montreal, Canada.
Is that data ever moved out of the EEA?
Veloxity Data collection occurs in mobile apps, with the consent of the mobile app user. The data is then directly transferred to the servers in Canada, without stopping in any other intermediate location, and no matter where the mobiles are located, inside or outside of the EEA. The GDPR Rec. 56-57 Art. 25 accepts Canada as an Adequate Jurisdiction for data protection, where the data can be sent without requiring any further authorization from the EU-Commission.
Do you ever transfer data between data centers outside of the EU?
No, Veloxity does not have any data centers in the EU, so no data transfer exists as such. Besides, there is no personal data transfer either, including pseudonymized data, out of the data servers in Canada. Once data is created on the mobile devices and sent to the Veloxity data center in Canada, it remains there without further transfers.
Do you always inform me when my data is being transferred?
We have not changed the location of our servers so far. In case we do in the future, we shall inform you and ask for confirmation. To reach the data in our servers, your IP addresses need to be recognized by our servers, and you shall be able to connect to new servers without any issue. Connecting to potential new servers will require you to know that we have a new data center that you shall connect to, the new IPs, and therefore the location of the servers.
Do you have a Data Protection Officer?
Yes, we do. Mr. Bora Eristurk acts as our data protection officer, whose mail address is email@example.com.
What data controls and risk management processes do you have in place?
Our cloud infrastructure has its own dedicated firewall and load balancers. All traffic coming from outside passes through the firewall and load balancer. Only common and necessary ports are enabled on these modules.
If a specific port needs to be enabled for a particular system, it is enabled only for specific IP addresses.
All internal traffic between servers goes through a dedicated switch and VLAN. Only necessary servers have outbound traffic access. The servers managing the data warehouse are not available through direct internet access.
Connections by the Veloxity team are made through VPN access, and only required staff admins have VPN allowance. Any data access is logged with all the personnel credentials and all the actions taken on the data in our secure servers, which are continuously backed up. Access logs are preserved forever.
We also obey Binding Corporate Rules in any access to the data from any other location.
How do you manage the version release process on your platform to ensure adequate level of data protection?
Data-versioning: All data collected from the devices is archived back to 50 days by timestamp and device. If a rollback or verification is needed, we are able to scan the archive for a particular device or dataset.
Data versioning matches totally with our data collecting SDK software versions, and all data collected is marked with the SDK version. Therefore we are capable of matching the data version with the consent of the user for that particular SDK version. In the very unlikely event that a new data permission is required from the user, the consent or no-consent of the user can be recorded with the new data without affecting previous consents or no-consents.
Software-versioning: The Veloxity software infrastructure has a strong versioning policy. Since most of the components run as Docker containers, this versioning policy is mandatory.
All development and feature additions are carried out on Veloxity Test & pre-prod infrastructure. This infrastructure is physically separated from the production environment.
Deployments & releases are managed by a continuous integration system (Jenkins). Additionally, Veloxity has its own private Docker registry and Maven repository.
SDK releases are always tested on Veloxity's test applications. These applications are distributed to a test audience; after all functionality and data consistency are verified, the SDK version is released for public usage.
Who can access my data, under what circumstances and what can they see? Is this access tracked?
Only the owner of the app hosting the SDK and Veloxity’s admin personnel can access the data.
As Veloxity only collects and stores anonymized and pseudonymized data, every person who accesses the data can only see non-user-related anonymous data and pseudonymous (unified by a random device id) user data. So neither your personnel nor Veloxity admins will be able to recognize the identity unless some additional third party identity data is matched. Veloxity admins have no such capability, but you, as an app owner, might have data that you can match with the Veloxity device id to identify the unique user.
As mentioned in question # 6, all data accesses are logged, with the credentials and actions taken during the access and stored for an unlimited period of time. These accesses can be provided when requested.
Can I audit your security and technical measures on the protection of data?
Sure, you can do audits on our SDK and servers. In case there has to be an exposure of our private software code, and/or there is a risk of exposure of other companies’ data during the audit, the auditor has to be from a third party certified audit company or organization.
Do you have in place a security breach notification process?
The dedicated firewall and load balancer have their own alert & warning configurations. In case of an unexpected traffic load or invalid access attempts, the system fires notifications to sys admins by e-mail, and the attempts are blocked.
Additionally, we have an IDS module. All malicious attacks are blocked on this system.
All actions, queries, and configuration changes made by the Veloxity team are logged on the system by date and user.
Do you currently adhere to Binding Corporate Rules?
Yes, we do. However, we haven’t filed an application yet. We are planning to apply as soon as DPAs streamline their processes. So far, GDPR recommends an application but does not make it mandatory. However, adhering to BCR is strongly suggested.
Do you have measures in place to become GDPR compliant in time for May 2018?
Veloxity is already GDPR compliant. Below are the compliancy terms:
Veloxity does not collect identities (such as names, email addresses, credit card info, etc.): GDPR does not prohibit the collection of such direct identities. But it strongly suggests keeping direct identities and other personal data in separate environments, such as different data centers. One of Veloxity's advantages is that it keeps only the personal data in its own data centers, helping app owners who also collect direct identities to be GDPR compliant.
Encryption of the Client data: All data transfers and data storage are encrypted, preventing unwanted parties from reaching personal data. We follow particular rules to ensure the data privacy of our clients, such as pseudonymisation, encryption, and confidentiality.
User consent: Veloxity has collected user consent for the data, and for user access, since 2014, day 1 of our first user encounter, long before the GDPR concept. Our consent documents clearly state what kind of data will be collected, what the purpose of the data is, and whether we can target the user after processing such data.
Opt out and data cleaning: GDPR requires the data holder to obey customer requests such as an opt out and cleaning of past data. To facilitate such requests, the Veloxity SDK provides a function to the app to shut down the service. The app owner provides this functionality in the Settings menu of its app, where the user can easily ask for an opt out and data cleaning. Data is cleaned immediately after the user withdraws the consent.
Data Breach Notification Service: We protect our data with the latest security technologies. However, in case of any unlikely breach, we have an immediate data breach notification service that allows all parties to take immediate preventive actions. Our data breach plan includes specific information such as the nature of the personal data breach, the number and the categories of data subjects concerned, the consequences of the data breach and our actions to fix it.
Anonymization / Pseudonymization / Data Minimization: We believe the best way of protecting personal data is either not to collect it or, if you have to, to make it very difficult to identify. Veloxity, in its own business line, does not need to identify a single person with full identity; that is, we are not interested in a single person’s credentials. Therefore, we do not collect unnecessary data that would help to identify the person; we keep it to our minimal requirements. Anonymization, which is the process of hiding personal data with an irreversible process, is our main strategy wherever it applies. And in case we need to keep data for a unique person, we prefer pseudonymized identities such as a unique number that allows us to unify the person without knowing the identity.
Third party hosting services: Veloxity does not use third party services that would be able to see any data. No platform is shared within a cloud environment; all is dedicated to Veloxity. This makes it impossible for any party, whether legal or not allowed, to reach the data collected by Veloxity.
Internal trainings: As much as Veloxity takes all the responsibility of the data it collects; the enforcement is as strong as the knowledge level of its admins. No Veloxity personnel can become an admin before an appropriate GDPR training. We host workshops to make the responsibilities and rules clear for our admins.
Is it possible to delete the personal data when it needs to be deleted? (When a user's data needs to be deleted, is it possible to delete it on your side as well?)
Yes. This is one of the main requirements of GDPR, with which we comply totally. GDPR suggests that the personal data shall be removed upon the request of the user. Veloxity does not recognize the user identities. Therefore it cannot identify the user's data in the servers even if the user who wants to delete it applies providing his/her identity. However, Veloxity creates its own unique identity, and any request coming from that identity can easily be recognized. This unique identity is encrypted in the app and cannot be known by the user. But the user, with a single Opt out button, can transfer that info to Veloxity for the data to be cleaned. That is, we totally clean the personal data without knowing who wants to clean it.
The app owner might also keep that Veloxity unique id in its own data center, from which it can initiate a data cleaning request.
Do we get to see which data is preserved and what is the entire set of segments/profiling? (Can we fully see which data is stored and what kinds of profiling are done?)
Yes, totally. Personal data is kept in Veloxity in the form of user segments. All segment information appears in the Engage/Who/Segments session of the Blinnk web interface (www.blinnk.com), and is fully available to the app owner. An account in Blinnk is mandatory for app owners, as the licensing and integration of the SDK is done inside it.