General Data Protection Regulation

Compliance with GDPR

Because data is our business, we take our data responsibilities seriously – including compliance with all data security and privacy regulations, such as the General Data Protection Regulation (GDPR). In accordance with GDPR, you have “the right to be forgotten” in terms of asking us to delete all information about you that currently resides in our business systems.

If you want erwin to delete your information, please email us at privacy@erwin.com.


erwin as a Data Processor (SaaS and Hosting Services)

erwin, Inc. (“erwin”), as a software-as-a-service (SaaS) and hosting services provider, acts only as a data processor with respect to the personal data processed pursuant to the contract between the customer, as data controller, and the service provider (erwin), as processor. The data controller retains overall responsibility for the data that is placed into any of the SaaS or hosted platforms. erwin, in its role as data processor, will carry out its responsibilities to keep that data secure, with technical and operational controls in place.

What personal data might we store and for how long?

erwin limits the personal data it stores, in its role as processor, to just the data needed for a user to access and use the service/system being provided under the contract. This often means only a username and corporate email address, so that a user record can be created within a SaaS or hosting system. Once this is no longer needed, the user can be removed or anonymised, meaning that no personal information will remain and the record will be changed to a non-identifiable number/string. From a privacy perspective, any other personal data stored within the service content itself is under the control of the customer (the controller of service data), with erwin acting as the data processor. This means that for as long as a customer subscribes to the SaaS or hosting services with erwin, the customer retains ownership of and control over the service content within its platforms.

What is a subprocessor?

To offer these services for SaaS and hosting, erwin uses certain subprocessors and subcontractors. A subprocessor is a third-party data processor, used by erwin, that may have access to process data placed within the service by the customer. erwin engages different types of subprocessors to perform various functions, as explained in the tables below. erwin refers to third parties that do not have access to process data in the service, but that are otherwise used to provide the system/services, as “subcontractors” rather than subprocessors.

Due Diligence

erwin undertakes a due diligence process by which it evaluates the security, privacy and confidentiality practices of proposed subprocessors that may have access to process data within the service. This is done annually, as part of erwin’s ISO27001 activities.

Safeguards

erwin requires its subprocessors to satisfy obligations equivalent to those required of erwin (as a data processor) as set forth in erwin’s Data Processing Agreement (DPA), including but not limited to the requirements to:

  • Process personal data in accordance with the data controller’s (i.e., subscriber’s) documented instructions, where this is feasible;
  • When subprocessing, use only personnel who are reliable and subject to a contractually binding agreement to observe data privacy and security;
  • Provide regular training in data protection and security to personnel granted access to personal data;
  • Implement and maintain appropriate technical and organizational measures (erwin will perform due diligence checks on the subprocessor where feasible);
  • Promptly inform erwin about any security breach;
  • Cooperate with erwin to deal with requests from data subjects, controllers or data protection authorities;
  • Comply with all data protection laws applicable to processors in respect of the services;
  • Regularly monitor its compliance with the respective technical and organizational measures and verify this monitoring upon erwin’s request.

Infrastructure Subprocessors

erwin makes use of a few subprocessors to supply the infrastructure used to host service data submitted to the SaaS and hosting services offered. Currently, the erwin production SaaS systems consist of multi-tenant systems hosted in data centers in the United States and London, and single-tenant systems (SaaS and hosting) hosted in any of the MS Azure or AWS data center locations selected by the end user.

Subscriber accounts are established in one of these regions based on where the subscriber company chooses the base data location to be. The subscriber’s service data subsequently remains in that region unless otherwise agreed between subscriber and erwin, but may be shifted among data centers within the region to ensure resiliency and availability of the services. The following table describes the subprocessors engaged in the storage and delivery of SaaS and hosting services.

Entity Name                  Entity Type                                      Entity Country
Amazon Web Services, Inc.    Cloud Service Provider and associated services   United States
Microsoft Azure              Cloud Service Provider and associated services   United States

Service-Specific Subcontractors

erwin works with certain third parties to provide specific functionality within the services. These providers are the subcontractors set forth below. To provide the relevant functionality, these subcontractors do not directly access data that the customer places into the service, but they may have access to surrounding personal data to be able to deliver their function.

Entity Name: Zendesk

Purpose: erwin uses Zendesk for its SaaS support and ticketing system. erwin customers create accounts directly in the system, with an email address and username. Zendesk has access to subscribers’ and end users’ information as needed to allow us to communicate back and forth on bug tickets, enhancement requests and answer any other questions raised. The only information Zendesk has access to for this purpose is end-user name and email address.

Applicable Services: Support

Entity Country: United States

Where is the data stored?

Any personal data that we store within the systems that offer SaaS or hosting/BYOL services does not leave the region in which the chosen core data center is hosted. We may back up systems within another availability zone, but these will still be within the same geographical region. We host on Azure and AWS, and both guarantee that data will not leave the regions that we specify.

See section 2.8 of the terms of service: https://erwin.com/terms-of-service/.

We offer multi-tenant SaaS web platforms in the United States and the United Kingdom, which have a defined data location, along with a single-tenant option for both SaaS web and hosting/BYOL platforms that allows the customer to choose the core data center location.

The personal data stored within the systems that offer these services is retained as part of the contract with the data controller purchasing the service from erwin. The personal data will be kept for the duration of the service contract/subscription, unless removed by the data controller beforehand. The data controller may request an extension of up to 30 days after the end of a service contract/subscription, during which the data can be restored to aid data export activities. After the 30-day extension, the data will be permanently removed from the system.

Technical measures for data security

erwin undertakes to implement the following general security principles:

  • Ways of ensuring the continuous confidentiality, integrity, availability and resilience of processing systems and services;
  • Ways of restoring the availability of personal data and access to it within appropriate timeframes in the event of a physical or technical incident;
  • A procedure to test, analyze and regularly evaluate the effectiveness of technical and organizational measures to ensure processing security.

Some of the technical security measures that erwin undertakes as part of its SaaS/Hosting/BYOL services are:

  • Encryption in transit (TLS 1.2 and security certificates)
  • Encryption at rest (DB encryption is used via AWS RDS, or as part of SQL Server licensing)
  • Role-based access control (available on both SaaS web-based and hosting/BYOL environments)
  • Multi-factor authentication (used both at the environment administration level and via SAML2 at the application level)
  • Regular backups (daily encrypted full backups of all systems)
  • Vulnerability scanning (performed annually as part of the service; quarterly scanning can be purchased at additional cost)
  • Intrusion detection/prevention system (included in the multi-tenant subscription cost; provided at additional cost for single-tenant, private platforms)
  • Firewall (on all systems)
  • Anti-virus (on all systems)
  • Business Continuity Plan (tested annually)

More information can be found at https://help.myerwin.io/security_response.

ISO27001 Standard

erwin SaaS and hosting/BYOL environments and processes are audited annually to the ISO27001 standard by an independent third party. erwin also performs continual due diligence activities on its infrastructure suppliers, AWS and MS Azure, including the physical and environmental security of hardware and data centers, so that its customers can take advantage of the rich array of certifications those suppliers possess.