On May 25, 2018, the General Data Protection Regulation (“GDPR”) became fully applicable in the European Union (EU). The ability to enable end users to control how and when their personal information is used is a cornerstone of Neura. We take privacy seriously and welcome the transparency of GDPR. This GDPR Whitepaper provides an overview of Neura’s GDPR-related efforts.
In relation to the services it provides customers, Neura is a “data processor” under the GDPR and its customers are “data controllers” as Neura is processing personal data on behalf of its customers for the purposes of providing the services.
In order to provide the services, the Neura SDK collects raw sensory data from the user’s mobile device and from devices in the physical environment around the device. The data is collected dynamically to minimize the impact on memory and battery consumption. It is collected in real time, only when it is needed, based on decisions made by Neura’s machine learning algorithms and our customers’ instructions.
A detailed list of the device sensors and services Neura accesses, as well as the data collected through the device, is attached as Exhibit A.
Neura Insights are used to make a product or a service more personalized and contextually aware. Neura shares User Insights with Neura’s customers according to the API services to which the customer has subscribed. Raw data is never shared with Neura’s customers.
Neura may use aggregated data (i.e. non-personal data) from several end users to improve its algorithms, measure service usage, publish summaries online or offline, and develop new features.
ROLES AND RESPONSIBILITIES
The GDPR defines two main roles in relation to the processing of personal data (namely, any information related to an identified or identifiable natural person):
1. The “Data Controller” – who determines the means and purposes of processing;
2. The “Data Processor” – who processes data on behalf of the Data Controller.
In relation to the services it provides customers, Neura acts as the “data processor” of our customers, who act as the “data controller”. As such, all Neura’s processing activities are on behalf of our customers for the purposes of providing our services.
Please note that any obligations under the GDPR that require direct interaction with data subjects/users (such as acquiring consent or exercising users’ rights) are the responsibility of our customers, as they are the “data controllers” (unless such interaction is directly with our customers regarding their personal data, in which case we will be the “data controllers”).
We retained outside counsel to help us prepare and execute a GDPR compliance plan;
We built an internal taskforce with members of different departments (security, sales, product development, and others) to implement the GDPR compliance plan;
We mapped and reviewed Neura’s data collection practices, including the data we collect, where we store it, with whom we share it, etc;
We updated our procedures, agreements and architecture in accordance with our role as “data processors” in relation to our customers;
We created and updated our internal policies and procedures, such as an intercompany DPA (for data transfers within our group of companies) and a data subject rights handling policy (for how to handle claims related to our customers’ data subjects).
INTERNATIONAL DATA TRANSFERS
Neura relies on appropriate legal mechanisms for cross-border transfers of personal data originating in the EEA, such as transferring only to “adequate” jurisdictions which were found to provide a sufficient level of data protection (like Israel), and by self-certifying and adhering to the principles of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks when the transfer is to the U.S.
We only share personal data with vendors and partners who have announced that they comply with the GDPR (like AWS), and we executed Data Processing Agreements with all our service providers that have access to personal data.
PRIVACY BY DESIGN AND DEFAULT
We have implemented various technical and organizational measures that are designed to support the principle of data minimization and, specifically, to ensure that only the personal data necessary for each specific purpose of the processing are processed.
DATA PROTECTION OFFICER
Adi Dekel is Neura’s data protection officer. You can contact her via firstname.lastname@example.org.
Neura’s security management system is certified under ISO 27001. Neura is hosted on the Amazon EC2 cloud services platform, and all Amazon security groups, security zones and best practices are applied in the server implementations.
Our Data Center (managed by Amazon Web Services) is SAS 70 Type II certified, SSAE16 (SOC 2) Compliant, and features proximity security badge access and digital security video surveillance.
Our server network can only be accessed via SSL VPN with public key authentication or via two-factor authentication over SSL. Additionally, our network can only be accessed via multi-factor authentication, and all access to our web portal is secured over HTTPS using 256-bit SSL encryption.
We are not approaching GDPR compliance as a one-time exercise. Therefore, we are committed to periodically reviewing our roadmap and ensuring ongoing compliance.
AS A NEURA CUSTOMER, WHERE SHOULD YOU START YOUR "GDPR JOURNEY"?
If the GDPR applies to your company, we highly recommend conducting internal due diligence to map your specific data collection practices. This includes, among other matters, understanding what data your company is collecting and about whom (e.g. end users, customers, employees, etc.), from whom the data is collected, for what purposes it is being used, and how you can utilize Neura’s services to your advantage.
WHERE CAN I LEARN MORE ABOUT GDPR?
Additional information is available on the European Commission’s website.
I HAVE MORE QUESTIONS. WHO SHOULD I CONTACT?
If you have any additional questions about the GDPR and our privacy commitment, you are invited to contact us at email@example.com.
The data that is collected through the device is as follows:
Vendor ID (iOS)
Operating system version
Wi-Fi routers in proximity
Bluetooth – connections and devices
GPS and geolocation data (location changes, Visits, Geofencing)
Activity – based on the operating system’s API
Surrounding devices’ data – MAC address, IP address, ID
Device States – Power (on / off), Airplane Mode, Battery Saver/Optimization, Idle Mode, Interactive Mode, charger (connected / disconnected), Headphones (connected / disconnected) (Android), Screen (on / off) (Android)
Application state (foreground / background) (Android)
Engagement Data of the user in the hosted mobile application
Neura does not handle any “Special categories of Personal Data” (such as medical or healthcare related data).
Disclaimer: The information in this document may not be construed as legal advice about the interpretation or application of any law, regulation or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law on their processing of personal data.