The word GDPR should not be something new to you — thanks to the emails that swamped our inboxes last year around May. These emails were crafted to gain or retain permission for ongoing communication and to notify recipients about the updated privacy policy.

Thankfully our business was born in the GDPR era which resonates with our intrinsic belief that every individual must have absolute control over personal data. In fact, this should be treated as a fundamental right. At Tribe, we advocate data transparency and will always strive to make our customers’ data is secure while remaining compliant with GDPR. In case you’re wondering whether currently Tribe meets the requirements of GDPR or not, the answer is, yes.

Current state of GDPR

General Data Protection Regulation (GDPR) is relatively new, and the most comprehensive data protection law for the residents of EU. It applies to any company that works with the personal data of EU residents; this essentially means every major company needs to adhere to this regulation (owing to the very nature of internet). So, any business that offers products or services in EU, and as a part of the business operation, collects and processes personal information, the law would would be applicable.

The severity and seriousness of any law can be gauged by the imposed fines in case of violations. Well, French data regulator CNIL fined Google for €50 million because of GDPR breach this year in January.

Before we move to our efforts for GDPR compliance, let’s first understand our inherent approach towards security and privacy.

Our commitment to privacy and security

Our product has been built from the ground up with the guiding principles of ‘Privacy by Design’. We are confident of being market leader when it comes implementation of privacy and security in community software platforms. Our team, and external vendors from security and legal services have spent significant time auditing the platform’s security features.  

Our security and privacy framework is based on three key elements:

data security at Tribe

Data and information integrity

We ensure security of customer information by deploying Advanced Encryption Standards both during transit and at rest.

Continuity

We maintain the availability of our services by proactively minimizing security risks through continuous penetration, vulnerability, and risk assessments.

Business efficacy

Ensure superior business value delivery by continuously adopting and implementing top notch industry guidelines for data collection, storage and processing.

Your data, your control

Tribe does not mine, store, or attempt to access any special or sensitive categories of personal data. To be specific, we collects the following data:

  • Name
  • Contact information such as email address and phone number
  • Job title, biography, location, social media links, and picture
  • IP addresses
  • Cookie data (only for service functionality; Tribe does NOT track users across different domains/communities)

Your organization is in control of this data at all times, including how long we store your data and when we delete it. Your company also owns and has full control over users’ contributions to the community including questions, answers, posts, comments, etc.

The Tribe application has the ability to set user permissions to limit access to data export, moderation, and other features.

Gold standards in encryption

Whether data is being transferred or stored, all customer data is secured with the latest encryption algorithms and technologies.

At rest, data is stored in DigitalOcean infrastructure located in New York (NYC1) data centers. Data is also encrypted, which means that the data on a Volume is not readable outside of its storage cluster. Additionally, we utilize LUKS encrypted disk on our volumes. This means that the disk will need to be decrypted by the operating system in order to read any data.

During transit, either externally or internally between Tribe services, data is encrypted using TLS 1.2 with AES 256 bit encryption to ensure data protection at all times. Tribe SSL certificates are issued through Let’s Encrypt, and when Tribe sends data to third-party systems data is encrypted by leveraging the SSL certificates owned by our partners. All our agreements with sub-processors require that data only be transferred pursuant to Privacy Shield Certifications or mutually executed Standard Contractual Clauses.

Robust data infrastructure with regular backups

Our SaaS platform is 100% cloud-based — we do not operate our own physical servers, routers, load balancers, or DNS servers. All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.

We use intrusion detection with a robust Security Information and Event Management (SIEM) system to immediately identify and respond to any threats, in coordination with 24/7 pagerduty service.

All production database instances have streaming backups via database replicas in addition to daily full snapshots. These backups are stored in a separate DigitalOcean account which is protected by a multi-factor authentication token.

GDPR compliance initiatives at Tribe

Coming to GDPR, there are three key initiatives that we have undertaken. Given below are the salient points:

Privacy by design

All the processes, business operations including engineering, marketing, sales and customer support have been built by ingraining privacy principles right at the conceptual stage.

Responsibility

We take responsibility for data protection at utmost priority. Our leadership team and all the team members are committed to uphold by the established privacy policy. Apart from that our leaders will continuously review and build frameworks to further strengthen the data protection policies at Tribe.

Rights of access and individual rights

In accordance with GDPR, we are committed to respect various rights for individuals along with the rights of access by the data subject.

This brings us to the exact features we have built under GDPR.

Features built for various GDPR directives

There are several key directives mandated by GDPR for data protection. Because we’re so much in love with data security and privacy, at Tribe, we have made a conscious decision to extend it Globally, not just for the EU region.

Given below are the key features we have built:

Right to be forgotten

Summary: Provide the user with the ability to remove their private data from our services.

The most important aspect of the right to be forgotten is the ability to delete your account. Once you request for us to delete your account, we will remove any personally identifying information you may have provided us from your account (name, email address, encrypted password, title, biography, URL, picture, etc.). The visible name on your account will be changed to “Anonymous” and effectively the account will no longer be identifiable as your account.

Restriction of processing

Summary: To allow the user to control how their personally identifying data is being used.

Any personally identifying data that Tribe stores are for the purpose of being able to contact you about your contributions, provide better feed recommendation, or for voluntarily showing information about you to other users (biography, homepage, location, etc).

Users are able to contribute to the community anonymously. In this case, we create a random hashed identifier for the users so they can modify their contribution. The anonymous contributions are not processed and other users are not able to identify the contributor in any way.

Right to data portability

Summary: You have the right to access/download the data we store about you.

Tribe does not store personally identifying data beyond the information that is available in your public profile. Since this data is plainly available in your profile we do not provide a means for you to export this data.

There are the following exceptions to this:

IP addresses

If you visit a Tribe community the IP address of your computer is stored in our web logs for 7 days before our servers automatically delete them. This data is almost never used by anyone: the only time we look at the IP addresses is if our sites are adversely impacted by the actions of some unknown users.

User’s Interests

To provide better feed recommendation, Tribe stores topics that users are interested in based on their browsing behavior. You can request a full export of this data by sending an email to [email protected] with a link to your profile. Tribe team will send a full export of the data we stored in CSV format in less than 48 hours.

Right to rectification

Summary: You have the right to correct your data.

Tribe allows all users to update their personally identifying information including their name, email, biography, location, homepage, and social media links in their profiles.

Right to be informed

Summary: You have the right to be informed about how we use your data in plain English.

Our privacy policy, as well as other policies, have always been written by humans for human consumption. We abhor legalese and not speaking in direct terms.

Right to access

Summary: You have the right to access the data that we collect about you.

Tribe makes all of the data we collect on your behalf, privately identifying or not, available to you. The only exception to this are the IP addresses we store for 7 days – see above for details.

And then there are cookies

The fact that end users are using our web pages does not mean they automatically consent to all cookies and/or tracking. We have therefore included a default cookie consent form in our platform. This provides the end user with a choice, in compliance with the GDPR stating that all given consent to cookies needs to be done with clear an affirmative action.

The path ahead

GDPR is a comprehensive and solid framework for data protection. Tribe will always remain committed to compliance by tracking and implementing the guideline changes and evolution of the regulation with time. We’ll also continue to adopt industry best practices to always protect our customers.


Leave a Reply

Your email address will not be published. Required fields are marked *