DarkBytes GDPR Solution Overview

GDPR Has Arrived

There’s been a lot of noise around the General Data Protection Regulation (“GDPR”) since it went into effect on May 25. You’ve probably received a plethora of “Privacy Policy Update” emails. You’ve also probably read articles about how disruptive and scary GDPR is for cloud services operating outside of the European Union (“EU”).

What does it all really mean in the context of cloud-based security products based in the U.S.?

Understanding GDPR

The fundamental concept of GDPR is to give EU citizens the legal right to control their personal data. A more comprehensive set of GDPR articles can be found here. This is a brief overview intended for a buyer in the security market.

Personal Data

Personal data, or Personally Identifiable Information (“PII”), is defined in NIST SP 800-122 as “any information that can be used to distinguish, trace, or be linked to an individual”. In other words, ask the question “Can I tell who this is?” and if the answer is “yes” then it’s PII.

Data Rights

GDPR gives certain legal rights to EU citizens regarding personal data.
1. Right to Rectification – Identify and change incorrect personal data.
2. Right to Erasure – Delete all personal data.
3. Right to Restriction of Processing – Stop processing personal data if it’s incorrect, not needed, unlawful, or objected to (#5).
4. Right to Data Portability – Export relevant personal data using a machine-readable format (JSON).
5. Right to Object – Stop processing all personal data upon request.

DarkBytes and GDPR

DarkBytes was designed with privacy in mind. As a cyber-security company, we must balance our use case with the privacy of users. We believe that effective security controls can be built without violating privacy rights. This mindset enables DarkBytes customers to rest easy and get back to focusing on business.

A full copy of our privacy policy can be found here for legal review. Below we provide a high-level summary intended for a typical security buyer.

Personal Data

DarkBytes collects minimal personal data. Specifically, the personal information collected by our platform is limited to username, hostname, IP addresses, and file paths by default.

This information is never sold to third parties. This personal data is only used for identifying the endpoint of the end-user of our user interface or APIs.

This personal data can be anonymized upon request by hashing it with SHA-2 before it is stored.

Technology & Processes

DarkBytes has implemented both technology and processes to comply with GDPR. We leverage three different approaches to provide customers with full control and transparency into personal data.

  1. Data Location – Our architecture enables EU customers to communicate, process, and store all data inside the EU.
  2. Data Control – Our support team has processes and procedures in-place to allow EU citizens to execute their data rights. Simply send an email to support@darkbytes.com.
  3. Anonymize Data – Our customers can choose to anonymize any or all personal data by hashing it before it’s stored.
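As an added illustration (not DarkBytes’ own code; the field names and sample event are constructed), the hashing step described above applied to the four personal-data fields this page lists, together with a keyed HMAC-SHA256 variant that is a suggested hardening rather than anything the page states: a plain, unkeyed SHA-2 digest is deterministic and therefore still lets a holder of the stored records test candidate values, which matters for small input spaces such as IPv4 addresses.

```python
import hashlib
import hmac

# Constructed sample endpoint event; the field set mirrors the page's list
# (username, hostname, IP address, file path). Not DarkBytes' real schema.
SAMPLE_EVENT = {
    "username": "alice",
    "hostname": "ws-0042.corp.example",
    "ip": "10.1.2.3",
    "path": "C:\\Users\\alice\\Documents\\report.docx",
    "event": "file_open",
}

# Fields treated as personal data and hashed before storage.
PII_FIELDS = ("username", "hostname", "ip", "path")

def sha2_pseudonymize(event, fields=PII_FIELDS):
    """Replace each PII field with its SHA-256 hex digest before storage.
    Deterministic: the same user still correlates across events, but the
    original value is not stored. Unkeyed, so guessable inputs remain testable."""
    out = dict(event)  # never mutate the caller's record
    for f in fields:
        if out.get(f) is not None:
            out[f] = hashlib.sha256(out[f].encode("utf-8")).hexdigest()
    return out

def keyed_pseudonymize(event, key, fields=PII_FIELDS):
    """Same shape, but HMAC-SHA256 under a per-tenant secret key (assumed to be
    held outside the data store), so stored digests cannot be matched against
    candidate values without the key."""
    out = dict(event)
    for f in fields:
        if out.get(f) is not None:
            out[f] = hmac.new(key, out[f].encode("utf-8"), hashlib.sha256).hexdigest()
    return out

def storage_safe(original, stored, fields=PII_FIELDS):
    """Pre-storage check: every PII field is a 64-char hex digest and every
    non-PII field is carried over unchanged."""
    hexdigits = set("0123456789abcdef")
    for k, v in original.items():
        if k in fields:
            s = stored.get(k)
            if not (isinstance(s, str) and len(s) == 64 and set(s) <= hexdigits):
                return False
        elif stored.get(k) != v:
            return False
    return True
```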

Conclusion

We believe it’s important for all security vendors to build acceptable solutions to GDPR rather than running away from it. The cyber-security industry is innovative and quickly evolving, and it’s important that this innovation is available to everyone in the EU.