Overview
The General Data Protection Regulation (GDPR) is legislation enforced to strengthen and unify data protection across the European Union (EU). The GDPR applies to any organization, whether in the EU or based outside of the EU, that processes personal data of EU citizens or of citizens of other nations based out of the EU. Please refer to this Druva white paper, which describes how businesses can comply with GDPR.
inSync provides features to meet many obligations required by the GDPR.
Data Security and Protection
📝 Note
Relevant GDPR Articles:
Article 5: Principles relating to the processing of personal data
Article 25: Data protection by design and by default
Article 32: Security of processing
The following inSync features enable data security and protection.
Secure by Design
inSync is built with the primary goal of data security. Druva’s approach to storing enterprise data, which uses advanced data scrambling and an envelope-based encryption model, guarantees that the user data is secured.
inSync has also completed SOC-2 Type II and HIPAA audits, and is FedRAMP ATO (Authorized to Operate), which emphasizes Druva's commitment to meeting and exceeding the highest security standards. For more information, see the Druva Security whitepaper.
Secure data using encryption
By default, inSync backs up the user data to inSync Cloud and restores the user data from inSync Cloud over a secured TLS v1.2 channel. In addition, inSync can be configured to encrypt data on the user devices, which provides powerful, multi-layered protection of critical data that resides on your organization’s devices. For more information, see Data Loss Prevention.
Prevent unauthorized access to user information
Based on the user role, administrators can configure a Geofencing policy that restricts access to inSync from outside the corporate network. This helps administrators control, monitor, and protect the data from unauthorized access from outside the organization. For more information, see Configure Geofencing Policy in your organization.
Prevent loss of data
To prevent loss of data, organizations can back up data on the user devices frequently using the profile associated with a user. For more information, see Configure the backup schedule.
Data preservation can be achieved by defining the retention period of the backup data, which helps ensure data availability and robust data recovery in case of loss of data or the user device. For more information, see Configure the backup retention policy.
Data Viewing and Monitoring
📝 Note
Relevant GDPR Articles
Article 33: Notification of a personal data breach to the supervisory authority
Article 34: Communication of a personal data breach to the data subject
Article 35: Data protection impact assessment
The following features help the data compliance authority to view the data retained by your organization and comply with the reporting requirements in case of a data breach.
Data Governance and Sensitive Data Governance
You can utilize the Sensitive Data Governance¹ capability that provides visibility into retention of sensitive and personal data and lets you proactively track, monitor, and get notified for data compliance risks in your organization.
Data Governance enables you to analyze and identify usage trends, globally search and filter files and folders across all devices, and set up real-time alerts to handle IT issues proactively.
Administrators can utilize the Federated Search capability to quickly find end-user files and emails that are backed up by inSync. Administrators can download the search results for offline review or ingest the files and emails into a third-party tool for further analysis.
Using the Legal Hold APIs, you can integrate inSync with eDiscovery solutions to mine the data of custodians and access it by using the WebDAV protocol. For more information, see eDiscovery Software Integration.
You can also utilize the Legal Hold API and Direct Download Utility capabilities to bulk download files of required users for further processing.
Data Breach Detection and Reporting
GDPR mandates that businesses maintain tamper-proof records of activities and be able to furnish them to the supervisory authority on request. inSync can be configured to record the activities of administrators and users using Audit Trails.
inSync provides an extensive Events API that can be integrated with any third-party SIEM tool. The alerts and events exported via the Events API help monitor inSync events, detect malicious activity through IP address logging, and take corrective actions on reported alerts and failures. For more information, see Events API to export inSync events.
inSync also provides the Unusual Data Activity³ report that lists the devices and Cloud App accounts on which anomalous behavior is detected. A device or a Cloud App account is flagged and listed in this report if trends such as a large number of files being deleted or added, unwarranted modification, or suspicious encryption of files are observed on the configured device or Cloud App account. For more information, see Unusual Data Activity Report.
¹ Sensitive Data Governance is available with inSync Elite Plus subscription.
² inSync Data Governance and all the features described in this section are available with inSync Elite and Elite Plus subscription.
³ Unusual Data Activity is available with inSync Elite Plus subscription.
Data Privacy and Disposition
📝 Note
Relevant GDPR Articles
Article 5 - Principles relating to processing of personal data
Article 15 - Right of access by the data subject
Article 17 - Right to erasure (‘right to be forgotten’)
Article 18 - Right to restriction of processing
Article 20 - Right to data portability
Search and Manage Snapshots
Administrators can delete snapshots, created by inSync after a successful backup, that contain the user's personal data. The relevant snapshot can be identified by looking into a specific snapshot and downloading its files or folders before deleting the snapshot. For detailed instructions, see Delete Snapshots.
Search and Delete personal user data from inSync
Administrators can utilize the Federated Search capability to quickly find end-user files that contain personal data and delete the files in the user dataset to address Right to be Forgotten requirements.
Delete users from inSync
Administrators can delete the user data by deleting the user from inSync. All the user data backed up by inSync or shared with others is deleted. For more information, see Delete Users in inSync.
Address subject access requests
inSync users can request administrators to view or access the data that is stored in inSync. Administrators or the users themselves can access the required data, or the entire data backed up by inSync, on their devices.
Administrator triggered restore or download of user data
Administrators can trigger an on-demand data recovery or download of the data on the user devices. Based on the request, administrators can choose to either do a single file recovery or download the entire snapshot on one or multiple devices. inSync users can view the data on their devices and take necessary action.
For more information, see Restore data to a device using administrator console.
User-triggered restore of data
inSync users can access or download the desired data stored in inSync using the inSync Client or inSync Web. Administrators can choose to either do a single file recovery or download the entire snapshot on multiple devices.
For more information, see Restore data using inSync Web or Restore data using inSync Client.
Address “Right to Data Portability”
inSync users can request that administrators export a copy of their data. User data can be transferred onto an individual’s electronic portable device. Administrators are requested to contact Druva Support for assistance with such requests.
Protect user data in different regions
Administrators can configure inSync to protect user data in available storage locations based on the geographical location of the user.
When creating a user in inSync, an administrator can map a storage region to the user. All the user data is backed up to this storage location. For more information, see Change storage assigned to a user.
To configure multiple storage regions in your account, contact Support.