Last week we hosted a webinar covering everything a SaaS company needs to know about complying with GDPR. To be a bit more precise, we covered everything we could during a webinar running a little more than an hour. The GDPR is a complex and vast set of regulation that impacts much of how modern SaaS companies operate. Covering it all in a short webinar was tough.
That said, we’ve distilled the most salient notes in the blog post below. Don’t hesitate to skip ahead and watch the actual recording or grab the transcript and slides, all of which you’ll find in our resources section.
And if you still have questions, please join us in our GDPR Slack community, where 300 of us are discussing how to comply with GDPR.
But first: Why should you listen to us?
Aptible has had the opportunity to help hundreds of SaaS companies build robust data protection programs that pass compliance audits, and we’ve worked with many of them to ensure they comply with GDPR.
Our team is made up of software developers, attorneys, and privacy experts who’ve achieved CIPP/E certification (that’s Certified Information Privacy Professional/Europe). In many ways, there’s a lot that’s “TBD” with GDPR, but we’ve done everything we can to ensure we’re ready to help SaaS companies comply.
What is the GDPR?
GDPR stands for the General Data Protection Regulation. It is a federal law that regulates the personal data and privacy of European Union (EU) citizens.
GDPR consists of 99 Articles and 173 Recitals. The Articles are more prescriptive and the Recitals tend to provide more context to an issue and include examples.
The overarching goals of the GDPR are to:
Give control back to EU citizens and residents over their personal data, promote human rights such as the right to privacy
Simplify and harmonize the regulatory environment for international business by unifying regulation within the EU
Address the export of personal data outside the EU
GDPR applies to all member states in the European Union. Member states (or countries) cannot have laws that are less protective than GDPR. They can implement laws that are more protective. GDPR sets the baseline for privacy and data protection.
Is GDPR new?
The foundation of viewing data protection as a component of human rights goes back at least 70 years, to just after WWII. GDPR is very similar to the EU’s 1995 Data Protection Directive, so there is a recent history of guidance to rely on that helps inform our understanding of GDPR. The regulatory environment will continue to evolve as the EU replaces the ePrivacy Directive with an EU Regulation, binding in all member states.
Which companies are “in scope” for GDPR?
Under Articles 2 and 3, GDPR separates scope along two dimensions:
Material Scope - Article 2 states that GDPR applies to the processing of personal data, or individually identifiable data, broadly construed. Not just product or customer data, but also your HR processes, marketing/sales, etc.
Territorial Scope - Article 3 states that GDPR applies to any organization established in the EU, targeting the EU markets, or profiling/monitoring EU data subjects.
But in the broadest terms, if the “go to market” for your business has anything to do with processing personal data for natural people located in Europe, you should be thinking about GDPR. Of course, there are exceptions and nuances, so it’s always best to consult with your own lawyer to determine applicability.
Practical Takeaways for SaaS Companies
During the webinar, we focused on four key areas of a SaaS business that GDPR impacts. We flagged key issues that SaaS companies will need to address in order to ensure compliance with GDPR. The key takeaways are summarized below.
Marketing and Sales
Most US-based growth teams have never had a specific regulatory security/privacy regime to deal with, so GDPR is a game-changer. If you know you have EU customers (B2B or B2C) in your pipeline, GDPR and the ePrivacy Directive make direct marketing harder. Some of the fundamental tactics of modern growth marketing, like email capture, email marketing, analytics, and paid advertising, are complicated by the need to obtain consent before you use an EU data subject’s email or track them.
What this means is that you need to maintain a source of truth containing information about what you can and can’t do with your users’ data. For each user, have you obtained consent to send them marketing emails? How about consent to track them? When did you obtain this consent?
For most companies, this will likely take the form of a master suppression list, at least to start. But down the road, we suspect that tracking this information will be better accomplished with a fully customizable CRM-like software, or perhaps an integration with an existing CRM like Salesforce.
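As an added illustration (not code from the webinar or from Aptible), here is a minimal per-user consent ledger in Python that records which purpose a user consented to, when, and through which channel, and derives both the master suppression list and a send-time recipient gate from it. The purposes, addresses and timestamps are constructed sample values.

```python
"""Consent ledger: the per-user source of truth for marketing email and tracking consent."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class Purpose(Enum):
    MARKETING_EMAIL = "marketing_email"
    TRACKING = "tracking"


@dataclass
class ConsentEvent:
    purpose: Purpose
    granted: bool      # True = consent given, False = withdrawn / opted out
    at: datetime       # when it happened (UTC), so you can answer "when did we get this?"
    source: str        # where it came from, e.g. "signup_form" or "unsubscribe_link"


@dataclass
class ConsentLedger:
    # Append-only history per user; the latest event per purpose is the current state.
    events: Dict[str, List[ConsentEvent]] = field(default_factory=dict)

    def record(self, email: str, purpose: Purpose, granted: bool, source: str,
               at: Optional[datetime] = None) -> None:
        at = at or datetime.now(timezone.utc)
        self.events.setdefault(email.lower(), []).append(ConsentEvent(purpose, granted, at, source))

    def current(self, email: str, purpose: Purpose) -> Optional[ConsentEvent]:
        history = [e for e in self.events.get(email.lower(), []) if e.purpose is purpose]
        return max(history, key=lambda e: e.at) if history else None

    def may(self, email: str, purpose: Purpose) -> bool:
        # No record means no consent: the default is deny, never allow.
        latest = self.current(email, purpose)
        return latest is not None and latest.granted

    def suppression_list(self, purpose: Purpose) -> List[str]:
        # Everyone the ledger knows about who must NOT be emailed/tracked for this purpose.
        return sorted(email for email in self.events if not self.may(email, purpose))

    def filter_recipients(self, recipients: List[str], purpose: Purpose) -> List[str]:
        # Gate a campaign: unknown addresses are dropped too, because they have no consent on file.
        return [r for r in recipients if self.may(r, purpose)]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data: three users with different consent histories."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 1, 10, 9, 0, tzinfo=timezone.utc)
    ledger.record("alice@example.com", Purpose.MARKETING_EMAIL, True, "signup_form", t0)
    ledger.record("alice@example.com", Purpose.TRACKING, True, "cookie_banner", t0)
    ledger.record("bob@example.com", Purpose.MARKETING_EMAIL, True, "signup_form", t0)
    # Bob later clicks the unsubscribe link: the newer event wins.
    ledger.record("bob@example.com", Purpose.MARKETING_EMAIL, False, "unsubscribe_link",
                  t0 + timedelta(days=3))
    # Carol declined tracking and was never asked about marketing email at all.
    ledger.record("carol@example.com", Purpose.TRACKING, False, "cookie_banner", t0)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    campaign = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
    print("may email:", ledger.filter_recipients(campaign, Purpose.MARKETING_EMAIL))
    print("suppress:", ledger.suppression_list(Purpose.MARKETING_EMAIL))
```

The same ledger answers the "when did we obtain this?" question through `current(...)`, which returns the event that established the present state.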
Marketing and sales teams are notorious for using scores of tools, enabling data flows between systems and vendors without so much as a second thought. But this mode of operation needs to stop, or at least slow down a bit. Complying with GDPR means that every vendor you work with, from chat apps such as Intercom and Drift to analytics tools such as Mixpanel, needs to be vetted for GDPR compliance. In many cases, this will mean signing some sort of data protection agreement with the vendor. Without such an agreement, sending data across to a vendor may constitute a reportable breach!
(Side note: a formal vendor management process would help here, which is something that our product Gridiron can help you to implement. Get in touch if you’d like to know more.)
Product Design and Engineering
Engineering teams are generally used to thinking about customer data as potentially sensitive, which is a good start. However, under GDPR it’s up to engineering to ensure that you either provide the capability to respond to data subject requests (in other words, requests like “remove my data from your systems”) or the tools to allow your customers to handle these requests.
Whether you need to handle the requests yourself or provide the tools to your customers breaks down along the lines of data controller vs. data processor, an important distinction in GDPR. The distinction is decided based on how the company uses data:
Data controllers decide on what data should be collected and what to do with it
Data processors just provide tools to help data controllers make use of the data they collect
Many SaaS companies like Slack and GitHub are arguing they are purely processors. This makes sense, given that the requirements placed on processors are substantially less onerous than those placed on controllers.
Realistically, however, most SaaS companies are going to be both a processor and a controller, especially if they are B2B. B2B SaaS companies give their customers tools to process data (thus they are processors); they also collect and use data about their customers (thus they are also a controller). Accordingly, we expect to see pushback from the EU on large SaaS companies who argue that they are data processors, only.
Data Protection by Design and Default
Regardless of whether you are a data controller or data processor, engineering teams need to think broadly about how they will protect their customers’ data, in order to maintain GDPR compliance. There’s significant surface area to protect, and the best engineering teams will implement processes to allow them to consistently enhance security.
The tl;dr on data protection is to take control of the data your organization collects and uses, wherever it goes. Personal data can leak in unexpected ways, such as into logs (which can be sent to logging providers like Papertrail), events (which can be sent to monitoring tools such as New Relic), or errors (which can be sent to error tracking tools such as Sentry).
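An added example, not from the original post: a Python logging filter and event scrubber that mask e-mail addresses and known personal-data fields before a log line or error event leaves the process for a logging, monitoring or error tracking vendor. The field names, regex and sample event are assumptions constructed for the illustration.

```python
"""Scrub personal data from log lines and events before they reach an external drain."""
import io
import logging
import re
from typing import Any, Dict, List

# Constructed rules: e-mail addresses in free text, plus field names that carry personal data.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SENSITIVE_KEYS = {"email", "name", "phone", "ip", "user_agent"}


def redact_text(text: str) -> str:
    """Mask the local part of any e-mail address; the domain is kept for debugging."""
    return EMAIL_RE.sub(lambda m: "[redacted]@" + m.group(0).split("@", 1)[1], text)


def redact_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Clean a structured event (the kind sent to a monitoring or error tracking tool)."""
    cleaned: Dict[str, Any] = {}
    for key, value in event.items():
        if key.lower() in SENSITIVE_KEYS:
            cleaned[key] = "[redacted]"
        elif isinstance(value, dict):
            cleaned[key] = redact_event(value)   # nested context blocks, e.g. "user"
        elif isinstance(value, str):
            cleaned[key] = redact_text(value)    # free text may still embed an address
        else:
            cleaned[key] = value
    return cleaned


class PersonalDataFilter(logging.Filter):
    """Logger-level filter: rewrites the message before any handler (and any log drain) sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()          # message is already fully formatted
        return True


def build_logger(stream) -> logging.Logger:
    """Logger whose output (here an in-memory stream standing in for the drain) is scrubbed."""
    logger = logging.getLogger("app.redacted")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    logger.addFilter(PersonalDataFilter())
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


# Constructed sample event, shaped like an error-tracker payload.
SAMPLE_EVENT = {
    "event": "checkout_failed",
    "user": {"id": 42, "email": "jane.doe@example.com", "name": "Jane Doe"},
    "detail": "card declined for jane.doe@example.com",
    "amount_cents": 1999,
}


def demo_log_lines() -> List[str]:
    """Log two lines the way an app would and return what actually reached the drain."""
    buf = io.StringIO()
    logger = build_logger(buf)
    logger.info("login ok for %s", "jane.doe@example.com")
    logger.warning("password reset requested by jane.doe@example.com")
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    print("\n".join(demo_log_lines()))
    print(redact_event(SAMPLE_EVENT))
```

The text redactor only knows about e-mail addresses; extend `EMAIL_RE` and `SENSITIVE_KEYS` with whatever identifiers your own systems emit.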
Some of the keys to compliance here are:
Being able to provide design specs and other requirements documentation that show that security and data protection were taken into account
Ensuring that all vendors are vetted for data protection capabilities and, in nearly all cases, data protection agreements are signed
(Here again, our product Gridiron can help, with both ensuring you are implementing appropriate security controls and, of course, maintaining a vendor management program. Get in touch to learn more.)
Support and Customer Success
GDPR and the ePrivacy Directive restrict how support and success (upsell, expansion, retention, etc.) teams interact with customers. You can’t just send a user an NPS survey, for example. You still have to collect their consent, something that you may want to ask for at some point during onboarding or perhaps after they enter their credit card number.
You can of course email customers for anything that is critical to the functioning of your software (in other words, for the fulfillment of your contract with that customer). Billing emails, password resets, support requests and the like are all probably strictly necessary for you to fulfill your contract with them.
But as soon as emails trend towards marketing, such as a re-engagement, a cross-sell, or upsell, these will be treated as marketing and will be subjected to the same standards of consent. This probably goes for onboarding emails too, though the line is fuzzy. In any case, it’s important to let your customer know what to expect ahead of time and provide opt-out opportunities, both up front and within every email.
This also applies to product research emails, such as surveys or NPS scores. Sending these emails benefits you more than the customer, and so it is essentially treated as marketing and subject to the same constraints.
Hiring and Human Resources
Certainly HR teams already worry about keeping certain employee data private, such as salary or performance reviews. Under GDPR, it’s important to protect all personal data about EU employees, prospects, and recruits. The entire vendor stack (your applicant tracking system, your productivity tools, and so on) must be vetted for GDPR compliance, meaning putting in place a data protection agreement. (Here again, a real vendor management process would help.)
Pre-hire, some EU jurisdictions make it illegal to even request a background check. Make sure you’re clear on what you can and cannot ask from applicants before asking.
Post-hire, it’s critical to have an employment (or consulting) agreement in place, because that agreement allows you to process the employee’s personal data.
Any company that is subject to GDPR should be aware of the potential employee embarrassment that could arise from BYOD policies. If there’s a breach of any kind, there are serious potential consequences for failing to respond appropriately. Responding appropriately means that all employee devices that have contained work-related data will be confiscated and reviewed, potentially disclosing embarrassing personal information.
Caution: Workforce Monitoring
Any workforce monitoring that happens can trigger serious consequences under GDPR. If you have super admin privileges, reading someone’s email “because you can” or flipping on web monitoring (intentionally or not) is looked upon particularly unfavorably.
Get the Webinar
There’s much more to learn by watching the webinar, so grab it in our resources section.
If you still have questions, please join us in our open GDPR Slack community.
Every quarter, we host a webinar to share everything that’s new with Enclave and Gridiron.
In case you missed it, you can watch a recording of our October webinar below. You can also grab the transcript and the slide deck in our resources section. And, we provide a full recap of the event in this post.
October 2017 Quarterly Product Update Webinar
Achieving ISO 27001 Certification
In September, we earned our ISO 27001 certification, covering both Enclave and Gridiron.
ISO 27001 is a cross-industry, international standard of security. It prescribes security controls for use across an organization, not just technical safeguards. Becoming ISO 27001 helps communicate your commitment to security to customers and auditors.
Aptible’s ISO 27001 certification is great news for our customers. You can use our certificate to show that your cloud infrastructure meets international standards of security.
As an aside: we used Gridiron to help us achieve our ISO 27001 certification. Don’t hesitate to let us know if you’d like to discuss attaining your own cert. We built Gridiron to make the process of meeting organization-wide security and compliance requirements straightforward.
Enclave: Easier to Audit (and Easier to Use)
This past quarter we released an array of features to make Enclave easier to audit. Of course, we also launched features that make it easier to use Enclave.
Sneak Preview: Managed HIDS
In the coming weeks, you’ll hear more about Enclave Managed Host-level Intrusion Detection System (Managed HIDS). This is an exciting upgrade to the security of your hosts.
With Managed HIDS, the Aptible Security Team collects, monitors, investigates, and responds to security events within your infrastructure, such as sudo logins, file integrity changes, and rootkit detection. Aptible manages the entire process on your behalf, and notifies you of the results.
Managed HIDS provides an additional level of security for your infrastructure, automatically enabled for all Stacks.
Aptible will also offer a weekly digest of Managed HIDS activity. The Enclave Intrusion Detection Report will be available for an additional subscription. It’ll be prepared automatically, so you can provide customers and auditors evidence that your Stack is monitored for host-level intrusions.
Other Audit-Ready Enclave Features
We added SSH Session Logging so you can capture SSH session activity. This is important: auditors and customers will want to ensure access to your prod data is audited. In particular, this is often a requirement for HITRUST.
Activity Reports enables you to review every operation within your Stack, attributed to individual users. Your auditors will want confirmation that you are monitoring for suspicious activity.
Making Enclave Easier to Use
Part of making Enclave the best place to deploy regulated and sensitive projects is ensuring that we make it as easy as possible to use and deploy to Enclave.
This quarter, we released the following improvements:
Gridiron: Enhancing your Information Security Management System
Gridiron is the easiest and fastest way to create and manage your information security management system (ISMS).
This quarter, we focused on:
Helping you to achieve certifications (such as ISO 27001, SOC 2) and pass customer audits with new reporting
Managing and auditing internal compliance obligations, including your agreements with customers and vendors
Updating the Gridiron Risk Model
Improved Audit and Certification Prep with Gridiron Reports
We launched a collection of reports designed to meet audit requirements. With Gridiron, these reports are prepared automatically so you can share them with your auditors (and use them for internal audits), shortcutting the audit process.
Training History shows all security and compliance training activity. Asset Inventory contains all details about assets covered in your ISMS. Business Continuity allows you to implement and execute on business continuity plans faster. And, the Audit Log Report shows details about all audit logs captured for each part of your ISMS.
Other Gridiron Enhancements
Customer and Vendor Management - meet audit (such as ISO 27001) requirements by creating an index of all legal and regulatory requirements you’re bound to by agreements with customers and vendors.
ISMS Asset Management - track all information security assets, such as networks, devices, and third-party systems.
Gridiron Risk Model - perform deep risk analysis across all aspects of your internal ISMS
There’s much more about all the changes to Enclave and Gridiron in the webinar recording.
Register for January 2018 Aptible Product Update Webinar
We’ll host our next product update webinar January 25, 2018 at 11 a.m. PT (2 p.m. ET).
All registrants will receive a webinar recap and recording shortly after the conclusion of the webinar.
Once each quarter, the Aptible product team hosts a brief update webinar to share what’s new with Enclave and Gridiron. Yesterday, we hosted our July update webinar, highlighting all the new features released for Enclave this quarter and demoing how to set up your security management program with Gridiron.
In case you missed it, you can watch a recording of our July webinar below. You can grab the transcript and the slide deck in our resources section. And, we provide a full recap of the event in this blog post.
July 2017 Quarterly Product Update Webinar
New Open Source Project: Supercronic - Cron for containers
We opened the webinar with a quick overview of Supercronic. Supercronic is our new open source job runner that fixes the problems that occur when using traditional Cron implementations in containerized environments.
We’re excited about Supercronic because, while it’s a drop-in replacement for traditional cron, it leaves environment variables alone, passes job output to stderr, and logs job failures and timeouts, which makes it a perfect fit for containers. You can read more about Supercronic or check it out on Github.
New for Enclave
Enclave is a container orchestration platform for developers working in regulated industries. We are working towards making Enclave the best place to deploy regulated and otherwise sensitive projects. To that end, over the last quarter we implemented a number of important new features that make it easier to deploy and manage apps and databases on Enclave.
(As a sidenote, you can always follow along with new feature development by checking out the Aptible Changelog.)
Arguably, the implementation of Container Recovery represents the most significant change to Enclave this quarter. We’ve previously covered Container Recovery extensively in our Changelog as well as in our docs, but given the magnitude of the change it bears a quick review here.
In sum: Container Recovery automatically restarts your application and database containers when they exit. When an app or database container exits, we’ll restart it in a pristine state. The best part? You don’t need to do anything to take advantage of Container Recovery. It’s enabled for all your apps and databases automatically.
Database Self-Service Scaling
In our April webinar, we indicated that self-service scaling of databases was coming soon. It’s now here.
With some exceptions, you can now resize databases at any time, with minimal downtime. This allows you the flexibility to scale your disk and RAM footprint as your workload and requirements change.
You can scale your databases via the CLI, or toggle the size from within the Enclave dashboard:
You can read more about Self-Service Database scaling in our Changelog.
This quarter, we also launched three features to make it easier to deploy apps on Enclave.
You can now deploy directly from Docker images, no git required. This will allow you to reuse existing Docker images and take full control over your build process. Read more about Direct Docker Image Deploy in our Changelog.
Along with this change, Procfiles are now optional. This enables you to reuse the same codebase across Enclave and other container orchestration platforms like Kubernetes and Docker Swarm.
Finally, you can now synchronize deploys with config changes. This allows you to deploy at the same time you update your config, so there will be no intermediate step where you’re running the old code with the new config or vice versa.
Other Enclave Changes
There are a number of additional improvements we made to Enclave this quarter. Check out the webinar recording above for more, including:
New and upcoming Endpoint configurations for both apps and databases
Updates to the scriptability of our CLI
Launch of an .exe for our Windows CLI
Gridiron Implementation - Setting up your security and compliance management process
Gridiron is the easiest way for developers to build and run world-class data security programs. It turns information security requirements into repeatable processes while managing all the documentation required to demonstrate that you’re complying with stringent compliance protocols such as HIPAA, ISO 27001, and SOC 2.
After completing the review of this quarter’s updates to Enclave, we showed how a company could get started with Gridiron quickly. At a high level, Gridiron implementation can be broken down into four steps:
Aptible-guided implementation process with hands-on support and training
Determine your baseline controls
Generate reporting and documentation
During your hands-on guided implementation with the Aptible team, we’ll train you on how to set up and manage a security program.
By the end of the implementation, you’ll use Gridiron to determine a set of baseline security controls and prepare your first set of security documentation (such as your Risk Assessment, Policies and Procedures and Workforce Training).
Your deliverables, such as your risk assessment report, your policies, and your training materials, will automatically change along with your organization. Gridiron updates your docs as your organization evolves.
In the webinar demo, we go into much more detail on using Gridiron to track and measure risks and vulnerabilities, train your team on security and compliance, and respond to incidents as they arise.
Register for October 2017 Aptible Product Update Webinar
Our next product update webinar will be hosted on October 25, 2017 at 11am Pacific / 2pm Eastern.
All registrants will receive a webinar recap and the recording shortly after the conclusion of the webinar.
Over the last quarter, we released a number of new features and updates for the Enclave deployment platform. We also began helping customers deployed on AWS to manage their organization’s security and compliance using Gridiron.
Yesterday, on a brief webinar, our team reviewed the updates to the Enclave platform and showed how Gridiron helps software developers build and maintain strong security management programs.
In case you missed it, you can download the slide deck and get the transcript in our resources section, or watch the full event below. We also provide a quick recap in this blog post.
New for Enclave
We intend for Enclave to be the best platform for developers to deploy regulated and sensitive software products. This quarter, we focused on improving Enclave in three ways: security and compliance, database self-service, and general usability improvements.
Security and Compliance
We launched new ways to secure apps and meet compliance goals while improving the security of Enclave itself.
We’ve previously detailed these improvements on our blog. Here’s the list:
We launched a few small improvements that should make developers’ lives easier when deploying with Enclave:
We now protect against runaway SSH sessions when your session gets disconnected
Memory management restarts apps in pristine containers when they exceed memory limits
Enclave Log Drains now integrate with Sumo Logic and Logentries as an alternative to rolling your own ELK stacks
Gridiron is our suite of tools that helps developers build and maintain strong security management programs. Gridiron makes the administrative side of protecting data easy and helps to prepare you for regulatory audits as well as customer security reviews.
In the webinar, we gave a short talk-through of how Gridiron approaches security management. This starts with the Gridiron Data Model: an API that integrates data from your business, our experience working with hundreds of customers in securing sensitive data, and industry-wide security standards provided through NIST Guidance, vulnerability and attack databases and shared intel.
Gridiron ingests data about your business through a series of straightforward and relevant questions that are easy to answer but have important implications for your internal security program.
Gridiron uses that data to create deliverables that help you show security and compliance as well as improve your business operations.
Getting started with Gridiron
If you’d like to improve your organization’s security and compliance and simplify the process for working through customer security reviews and regulatory audits, please get in touch. For a limited time we’re offering early access pricing for customers who have deployed on AWS.
Register Now for July 2017 Aptible Product Update Webinar
Our next product update webinar will be hosted on July 25, 2017 at 11am Pacific / 2pm Eastern.
Please register now.
All registrants will receive a webinar recap and the recording shortly after the conclusion of the webinar.