Desk-Net and GDPR

GDPR Compliance

We have made a great effort to be ready for the General Data Protection Regulation (GDPR) and have implemented the necessary measures to continuously improve the GDPR-related aspects of how we as a company operate and how the Desk-Net application works.
 
As a matter of fact, we had already been subject to the extremely strict German data protection regulations for years before GDPR. Countless lawyers and data protection officers on our customers’ side have reviewed and approved both our contractual documents and how we operate. In case of ambiguity, or when a necessary improvement to these aspects was identified, we have made sure to meet the client’s requirements by implementing the necessary changes.
 

Desk-Net as Your Data Processor

The GDPR distinguishes between the Controller and the Processor of personal data in a customer-client relationship like the one we at Desk-Net have with our customers.
 
You, as our customer, are the Controller and remain the owner of your data, whereas we function as your Processor.
 

What We Use Your Data for

The data you provide us with is entered and used primarily inside the Desk-Net application by the users in your organisation. We also use personal data to provide support and communications services that are related to your use of the Desk-Net application.
 
For development and related testing purposes, we anonymize data so that it no longer counts as personal data.
 
We do not sell any of our customers' data and do not use it in any way unrelated to the task of providing our customers with the Desk-Net application.
 

Main Subcontractors

We have outsourced three main areas of our operations to two partner companies which are currently outside of the European Economic Area (EEA):
 
  • Hosting of the Desk-Net application
  • Maintenance and operations
  • Continuous development of the application

Hosting

We host at Amazon Web Services (AWS), which is the worldwide leader in hosting for software-as-a-service solutions like Desk-Net.
 
While our contractual partner is Amazon Web Services, Inc. in the US, we host exclusively on servers which are located in the EU (currently only in Ireland).
 
AWS guarantees compliance with GDPR for these services. AWS’s data security and protection measures have been certified numerous times.
 
As of July 1st, 2018, we will no longer be using Amazon Web Services, Inc., but AWS Europe (Luxembourg, EU).

Software Development

The software code of the Desk-Net application is implemented by a dedicated team in the Belorussian development center of our outsourcing partner Intetics.
 
For this development, only anonymized database copies are used when needed, so that these tasks are not subject to GDPR.
 
The entire development center is certified according to ISO 27001.

Maintenance and Operations

In day-to-day operations, the application is managed by a dedicated team at our partner Intetics. Via our contractual partner Intetics GmbH (Germany, EU), these tasks are performed by Intetics’ Belorussian development center.
 
While the production system and its data reside only on servers inside the EU, a strictly limited and small number of members of that team have access to that system.
 
In order to comply with GDPR, this setup is secured via EU Standard Contractual Clauses (SCC). They ensure that the team complies with European data protection standards, i.e. the GDPR. This setup has been checked numerous times by experts on the customers' side. However, as quite a few customers have a corporate policy of not allowing any data outside of the EU, we are in the process of setting up a dedicated maintenance and operations team inside the EU. Once this setup process is completed in late 2018, only members of this team inside the EU will have access to the production system.
 
This team already works according to ISO 27001 guidelines and is en route to being certified by the end of 2018.
 

Related Documents

Desk-Net GmbH

The GDPR requires us to create and update a range of documents both for our relationship with you, the customer, as well as with our subcontractors.
 
Please find below a list of documents for your review. Some of them are contracts that need to be signed (or that have been signed with our subcontractors), whereas others are internal documents which we are not legally obliged to make publicly available. We are making them available anyway, even if anonymized or restricted in parts.
 

GDPR requires us to have compliant contracts with our subcontractors. As we know that certain data protection officers like to check these contracts, please find below a range of contractual and related documents and links.

Intetics

Amazon Web Services (AWS)