On May 25, 2018, the General Data Protection Regulation (“GDPR”) became fully applicable in the European Union (EU). The ability to enable end users to control how and when their personal information is used is a cornerstone of Neura. We take privacy seriously and welcome the transparency of GDPR. This GDPR Whitepaper provides an overview of Neura’s GDPR-related efforts.
In relation to the services it provides to its customers, Neura is a “data processor” under the GDPR and its customers are “data controllers”, because Neura processes personal data on behalf of its customers for the purpose of providing the services.
Neura is a data processor, and accordingly all data collection and processing is done on behalf of Neura’s customer, who is the controller. Under the GDPR, the controller is the party that, alone or jointly with others, determines the purposes and means of the processing of personal data. According to the GDPR, the controller is the party that must have a legal basis for processing personal data and is therefore required to obtain adequate consent if and to the extent necessary under the GDPR (and/or other privacy laws to which the controller is subject).
We mapped Neura’s data collection practices, including the data we collect, where we store it, with whom we share it, etc. We identify as a “data processor”.
Amazon Web Services. We host all personal data with AWS, which has announced that it is compliant with the GDPR. AWS is also registered with the EU-US Privacy Shield (see: https://www.privacyshield.gov/list).
Neura’s staff. Our staff sits in:
We have executed Data Processing Agreements in accordance with Article 28 of the GDPR with all our service providers that have access to personal data subject to the GDPR.
We implemented an internal policy for recognizing and handling requests and claims related to data-subject rights (such as the right of access, right to be forgotten, etc.).
We have implemented various technical and organizational measures designed to support the principle of data minimization and, specifically, to ensure that only personal data necessary for each specific purpose of the processing are processed.
Neura keeps an up-to-date document describing Neura’s data-collection and data-processing practices and reviews it periodically to ensure it remains current. Neura also maintains a record of the processing activities it carries out on behalf of its customers as controllers.
Gali Sokol Kamerman is Neura’s data protection officer. You can contact her via firstname.lastname@example.org.
Neura’s security management system is certified under ISO 27001. Neura is hosted on the Amazon EC2 cloud services platform, and all Amazon security groups, security zones and best practices are applied in the server deployments. Our data center (managed by Amazon Web Services) is SAS 70 Type II certified and SSAE16 (SOC 2) compliant, and features proximity security badge access and digital security video surveillance. Our server network can only be accessed via SSL VPN with public key authentication or via two-factor authentication over SSL. Additionally, our network can only be accessed via multi-factor authentication, and all access to our web portal is secured over HTTPS using SSL 256-bit encryption.
We are not approaching GDPR compliance as a one-time exercise. Therefore, we are committed to periodically reviewing our roadmap and ensuring ongoing compliance.
If the GDPR applies to your company, we highly recommend conducting internal due diligence to map your specific data collection practices. This includes, among other matters, understanding what specific personal data (including sensitive personal data) of individuals protected by the GDPR your company is collecting (e.g. from end-users, customers, employees, etc.), from whom the data is collected, where it is hosted, for what purposes it is used, to whom it is disclosed, and whether the personal data is transferred outside of the European Union or European Economic Area.
Additional information is available on the European Commission’s website here (http://ec.europa.eu/justice/data-protection/reform/index_en.htm).
If you have any additional questions about the GDPR you are invited to contact us at email@example.com.
The data that is collected through the device is as follows:
Neura does not collect or hold any medical or healthcare-related data and therefore does not handle any “protected health information” (PHI).
Disclaimer: The information in this document may not be construed as legal advice about the interpretation or application of any law, regulation or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law on their processing of personal data.