Contact Us

Call Us

+1 800-78-erwin
(800-783-7946)

Click here for a list of erwin’s global offices.

Technical Support
Submit a Ticket

+1 813-773-4170

Chat

Get live sales support.

Email

Send us comments or
ask general questions.

info@erwin.com

Data Processor Policy

Compliance with GDPR

DEFINITIONS

  • A “Customer” is a reference to past, current or prospective customers.
  • A “Data Processor” is a reference to a person or organization who deals with personal data as instructed by a controller for specific purposes and services offered to the controller that involve personal data processing
  • A “Data subject” is a reference to any individual who may be a customer, client, prospective customer or client, or anyone who works for erwin under a contract of employment. This also includes anyone who can be identified, directly or indirectly, by reference to an identifier defined under “Personal Data” in the ‘Definitions’ section of this policy.
  • “Due Diligence” – an investigation, audit, or review performed to confirm the facts of a matter under consideration.
  • “Personal Information” is defined as any information (including opinions and intentions) relating to an identified or identifiable natural person. It can reference, but is not limited to, the following identifiers: a name, an identification number, location data, an online identifier.
  • “Processing” of personal data may include “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and any may be by automated or manual means.”
  • “Service Data” means a subset of Confidential Information comprised of electronic data, communications or other materials submitted to and stored within a Service by the Customer, Agents and End-Users in connection with the Customers use of such Service, which may include, without limitation, Personal Data (but shall not include the Personal Data of Customer Agents in the context of Account Information).
  • A “Subprocessor” is a reference to any person or entity (including any third party and any erwin Affiliate or Subcontractor) contracted with erwin, or with any erwin Affiliate, to perform Services involving the Processing of Subject Personal Data on behalf of erwin.

erwin as a Data Processor

erwin, Inc. (“erwin”), acts only as a Data Processor in the following situations:

  • as a Software-as-a-Service (SaaS) provider
  • as a BYOL Hosting services provider
  • as a provider of product technical support via its ticketing system
  • as a provider of product licensing

erwin acts in this capacity with respect to the Personal Information processed pursuant to the contract between the customer as a data controller and the service provider (erwin) as the processor.

In providing our services we do not own, control or direct the use of the Service Data stored or processed on our platform and do so only at the direction of our customers. In fact, we are largely unaware of what information is actually being stored on our platform and only access such information as authorized by our customers (Data Controllers) or as required by law.

The Data Controller retains the overall responsibility for the Service Data that is placed into any of the SaaS or BYOL hosting platforms. erwin, in its role of Data Processor will ensure it carries out its responsibilities, to ensure the data remains secure with technical and operational controls being in place.

erwin, Inc. as a Data Processor agrees to:

  • comply with the requirements of the online Subscription Agreement, which shall be controlling unless a mutually agreed to master service agreement is in place between the parties, in the provision of services to the Data Controller;
  • process and use the Service Data only to the extent strictly necessary to perform its obligations or as otherwise provided under the online Subscription Agreement or a mutually agreed master service agreement;
  • only disclose the data to the Data Processor’s employees and personnel that have a need to access the data, while the Data Processor shall ensure that all such employees and personnel are bound by a confidentiality agreement;
  • ensure that appropriate controls are in place to prevent the Data Processor’s access to special categories of data, where relevant, except in circumstances expressly authorised by the Data Controller;
  • promptly inform Data Controller about any security breach that impacts their Service Data or Personal Information;
  • implement, maintain and at all times operate adequate and appropriate technical and organisational measures to;
    • protect the security, confidentiality, integrity and availability of the Service Data
    • protect against unauthorised or unlawful processing of the Service Data and against accidental loss, destruction or the making vulnerable to damage;
    • comply with its obligations under any applicable data protection law, and shall take such steps as are requested by Data Controller to enable the Data Controller to comply with the Data Controller’s obligations under any applicable data protection law;

Customer as a Data Controller agrees:

  • to comply with its obligations as controller under applicable data protection law(s) in respect of its processing of Personal Information and any Processing instructions it issues to erwin
  • that it has provided notice and obtained (or shall obtain) all consents and rights necessary under Applicable Data Protection Law(s) for erwin to process the Personal Information provided within erwin Services.
  • that it will not use the erwin services to process sensitive Personal Information without erwin’s explicit and prior written consent.

What personal data might we store and for how long?

From a privacy perspective, any information stored within the Service Data itself is at the control of the customer (the Data Controller of Service Data), with erwin acting as the Data Processor. Like many SaaS and BYOL hosting companies erwin operates a shared responsibility model in coordination with our customers (Data Controller(s)). It is the responsibility of our customer to ensure certain data types are not put into the erwin services for processing.

erwin limits the amount of personal information it processes, in its role of Data Processor, to just information that is needed for a user to be able to continue to access and use the service/system being provided, or to respond to a technical support request, as part of the contract. This means just a username and corporate email address, to allow a user record to be created and maintained within a SaaS or BYOL hosting system, or to send communication back from a ticket request opened.

Once this information is no longer needed with a SaaS or BYOL hosting environment, the user can be removed or anonymised, meaning that no personal information will remain, and the record will be changed to a non-identifiable number/string. Use of SAML2, allows the Data Controller to retain full control over this information, with log-in information being outsourced to the customers IDP.

Review the user information and Service Data shared with erwin and ensure that you shall not share any unneeded or sensitive (health related, SSN, driver’s license, credit card #, passport #, etc.) Personal Information.

Privacy Inquiries and Individual Requests

We take our data responsibilities seriously, including compliance with data security and privacy regulations, such as the General Data Protection Regulation (GDPR). In accordance with GDPR, you have “the right to be forgotten” in terms of asking us to delete all information about you that currently resides in our systems. Where we do not need to keep information, in order to comply with any of our legal retention requirements going forwards, we will try to comply with these requests.

Where this Personal Information is processed within a SaaS/BYOL Hosting system, or within the technical support ticketing system, it will be for the purposes of system log-in or communication as part of delivering the contract. erwin, as a Data Processor, will forward all inquiries from individual service users directly received, on to the responsible Data Controller (requestors customer admin user), to ensure requests are carried out as part of their responsibilities to their end users. Removal requests will mean that the end user can no longer use these services.

If you want erwin to delete your information, please email us at privacy@erwin.com.

Where is the data stored?

Customer SaaS and BYOL hosting environments are established in one of the AWS/Azure Data center regions, based on where the Customer chooses the base Service Data location to be; the customer Service Data subsequently remains in that region unless agreed between customer and erwin, but may be shifted among data centers within a region to ensure resiliency and availability of the services (if applicable).

Currently, the erwin production systems consist of

  • Multi-tenant SaaS systems
    • hosted in data centers in the United States and London (Data Controller choice as to which will be used)
  • Single-tenant SaaS systems
    • hosted in any of the MS Azure or AWS data center locations, selected by the end user (Data Controller).
  • Single-tenant BYOL Hosting systems
    • hosted in any of the MS Azure or AWS data center locations, selected by the end user (Data Controller).

The Personal Information stored within the systems that offer these services is retained as part of the contract with the Data Controller purchasing the service from erwin. The personal data will be kept for the duration of the service contract/subscription, unless removed by the Data Controller beforehand. There may be an extension requested by the Data Controller, of up to 30 days after the end of a service contract/subscription, where the data can be restored, to aid in data export activities. After the 30-day extension, the data will be permanently removed from the system, but may remain in standard backup cycles for a total of 60 days.

Technical measures for data security

erwin undertakes to implement the following general security principles:

  • Ensuring the continuous confidentiality, integrity, availability and resilience of processing systems and services;
  • Ways of restoring the availability of Personal Information and access to it within appropriate timeframes in the event of a physical or technical incident;
  • A procedure to test, analyze and evaluate the effectiveness of technical and organizational measures to ensure information security.

Some of the technical security measures that erwin undertakes as part of its SaaS and BYOL Hosting services are:

  • Encryption in transit (TLS 1.2 and security certificates)
  • Encryption at rest (Disk encryption as standard, DB encryption available with separate purchase at additional cost)
  • Role-based access control (available on both SaaS web-based and BYOL environments)
  • Multi-factor authentication (used at both at environment administration level and via SAML2 at application level, where supported by product)
  • Regular backups (daily encrypted full backups of all systems)
  • Vulnerability scanning (performed annually as part of the service, quarterly can be purchased at additional cost)
  • Intrusion detection/prevention system (can be purchased at additional cost, only for single-tenant platforms)
  • Firewall (on all systems)
  • Anti-virus (on all systems)
  • Disaster Recovery Plans (tested annually)

Data Transfer

Within the SaaS and BYOL Hosting service environments, erwin will not transfer, access or process any Personal Information outside the EU without the express consent of the Data Controller (Customer). All core Service Data resides within the Data Center region that is chosen by the Data Controller.

Notwithstanding, customers should review erwin’s Subprocessor list below, to ensure they are aware of where all data components are stored/processed for the different elements of the wider service ecosystem that may be in use, within the service being provided.

What is a Subprocessor?

To offer these services for SaaS and BYOL Hosting, erwin uses certain Subprocessors to provide key components of the service and wider ecosystem, as explained in the table below.

Due Diligence

erwin undertakes a due diligence process by which it evaluates the security, privacy and confidentiality practices of approved Subprocessors that potentially may have access to process information within the service, in order to carry our activities on erwins’ behalf. This is done annually, as part of erwin’s ISO27001 and data protection activities.

Safeguards

erwin requires its Subprocessors to satisfy obligations as those equivalently required for erwin (as a Data Processor), with its end customers. These requirements are set forth in a Data Processing Agreement (DPA), including but not limited to the requirements to:

  • process Personal Information only in accordance with Data Controller’s (i.e., customer’s) documented instructions, where this is feasible;
  • when subprocessing, use only personnel who are subject to a contractually binding agreement to observe data privacy and security
  • provide regular training in data protection and security, to personnel granted access to personal data;
  • implement and maintain appropriate technical and organizational measures;
  • any transfer of data from the EEA to any third countries which do not ensure an adequate level of data protection within the meaning of the laws and regulations of these countries shall be undertaken by Subprocessor through the EU Standard Contractual Clauses mechanism (Model Clauses).
  • ensure any Subprocessors used at least match up with the security and standard contractual requirements expected of Data Processors, including the execution of DPAs where required
  • promptly inform erwin about any security breach within their provided services;
  • cooperate with erwin to deal with requests from data subjects, controllers or data protection authorities where needed.

Infrastructure Subprocessors

erwin makes use of a few Subprocessors to supply the infrastructure used to host Service Data submitted to the SaaS and BYOL Hosting services offered. The following table describes the Subprocessors engaged in the storage and delivery of SaaS and BYOL Hosting services.

Entity Name Entity Type Entity Country
Amazon Web Services, Inc. Cloud Service Provider and associated services Headquartered in United States

(This is not the location of Service Data processing activities – Primary processing location is chosen by the customer)

Microsoft Azure Cloud Service Provider and associated services Headquartered in United States

(This is not the location of Service Data processing activities – Primary processing location is chosen by the customer)

Service-Specific Subprocessors

erwin works with certain third parties to provide specific functionality within the wider services ecosystem. These providers are the Subprocessors set forth below. To provide the relevant functionality, these Subprocessors do not directly access Service Data that the Customer places into the service, but they may have access to surrounding Personal Data, which is processed in order to be able to deliver their function.

Entity Name Purpose Applicable Services Entity Country
Zendesk erwin uses Zendesk for its SaaS support and ticketing system. erwin customers and their end users create accounts directly in the system, with an email address and username.

The Zendesk system processes end users’ information as needed, only to allow communication back and forth on bug tickets, enhancement requests and answer any other questions raised with the erwin support team.

The only information Zendesk has access to for this purpose is end-user name and corporate email address.

Technical Product Support United States
Nalpeiron erwin uses Nalpeiron for its SaaS, web-based licensing system of the erwin DM product. (Not for all licensing)

The Nalpeiron system processes end users’ information as needed, only to allow communication back and forth from licensed software to its entitlement service, providing ongoing entitlement to identified users.

The only information Nalpeiron has access to for this purpose is the corporate email addressed entered by End-Users.

erwin Data Modeler Product Licensing United States
LogicMonitor LogicMonitor primarily processes IT systems health, status and performance data from information technology systems used within Hosting (BYOL) and SaaS environments. Hosting (BYOL) Service, for erwin Data Modeler and erwin Data Intelligence United States
Trend Micro Cloud One – Workload Security Trend Micro offers a variety of data security products and services, including anti-virus, anti-malware and other software and cloud products around IDS/IPS.

Data categories may include IP addresses, URL strings and various other unstructured or structured information, which could include personal data.

Hosting (BYOL) Service, for erwin Data Modeler and erwin Data Intelligence United States

Appointing and changing Subprocessors

erwin will notify customers via this policy of the appointment of any new Subprocessor or changes to any existing Subprocessor, that will materially affect the processing of Personal Information involved within erwin activities, where it assumes the role of Data Processor (the delivery of SaaS or BYOL Hosting services and technical support) within its wider ecosystem.

The customer may object to the appointment of or; any change in the sub-processor where it has reasonable grounds for doing so and in such circumstances, erwin shall be entitled to address the objection through one of the following options at its sole discretion:

  • cease to use the relevant Subprocessor
  • take steps suggested by the customer to address the objection
  • cease to provide the particular Services to the Data Controller, which involves the relevant Subprocessor

Breach

A Personal Information breach refers to a protection breach that results in the loss, destruction, alteration, unauthorised disclosure of, or access to, personal data. All Service Data breaches/incidents will be reported in accordance with corporate IT security policies and immediately notified to the appropriate internal stakeholder and escalated to the Executive Leadership Team. Where a breach is likely to have a significant detrimental effect on individuals it will be reported to the responsible Data Controllers within 48 hours of breach confirmation and impacted data identification.

ISO27001 Standard

erwin SaaS and BYOL Hosting environments and processes are annually audited to the ISO27001 standard, by an independent third party. erwin also performs continual due diligence activities on its infrastructure suppliers, AWS and MS Azure, including the physical and environmental security of hardware and data centers, so its customers can take advantage of the rich array of certifications they possess.

 

Version 1.1. Effective from 8 December 2020.
Previous Versions:
Version 1