You’ll have no doubt heard of the General Data Protection Regulation, effective May 25, 2018. GDPR is the European Union’s new privacy law which essentially harmonises and updates the current regime applicable to those processing personal data identifying individuals in the EU. It applies no matter where your business is located and operates alongside the EU-US Privacy Shield.
If you use our various Online Services including the Muhimbi PDF Converter for SharePoint Online and the Muhimbi PDF Converter Services Online, we are your trusted data processor of the data contained in your documents and your user logs. We provide the service in a way that meets the requirements on us as your data processor under the GDPR. That supports and complements your own journey to achieving and sustaining compliance with GDPR.
How are we doing this? In a number of different ways…
GDPR requires that personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data. We use Microsoft Azure to host our application – Azure is renowned for the high level of security it employs and is certified to the ISO 27001 standard. To the extent that your business is in the EU but your documents are processed on Microsoft servers in the USA, Microsoft maintains an EU-US Privacy Shield certification.
Please note that Muhimbi Enterprise Subscribers can control the location of their servers.
Rapid Deletion. Minimal retention.
We further minimise the risks associated with unauthorised access and excessive retention periods by deleting the copies of your documents from our servers immediately after processing. Several safeguards are in place to ensure that delete operations succeed.
The only exception is if you specifically request prolonged storage using the Long Running Operation pattern, in which case we can retain copies for up to 1 day before they are automatically deleted.
Privacy by Design.
Data security is baked into our engineering principles. We address it from the outset of any development project and build it into our architecture from the ground up – not as an afterthought.
We process for you, not for us.
We process your documents solely to provide you with our service. Nothing else. Unlike some other services we do not keep a copy of your documents for our own analytics purposes, or to query them using machine learning or AI tools. This gives you confidence that, in our role as data processor, we act on your instructions and not for our own business purposes.
As data controller of the personal data in your user logs and documents, you are obliged under GDPR to have in place contract terms which meet some specific minimum requirements. We’ve got this covered in our terms of service. We’re also applying these new terms to our on-premise software customers on the basis that we occasionally process data for them during support calls.
On the supply side we are also obliged as your processor to have terms with data protection assurances in place with our sub-processors – we’ll have this in place by the time GDPR comes into force.
One big part of GDPR is governance. Not only must you do the right thing by the individuals whose data you are processing – you must be able to demonstrate records of all the processing that you undertake. We make this easier by making available log information in respect of each Muhimbi user in your organisation. Of course, having a stable set of PDF files is in and of itself a boon to effective record keeping.
The GDPR sets out stringent new requirements which would apply in the unlikely event that the security of your personal data was compromised. We have in place processes and policies to ensure that we meet our reporting requirements under GDPR and mitigate the effects of any such event as far as we can.
Please find below a number of relevant resources for Muhimbi as well as some of our key sub-processors.
- Muhimbi Terms of Service
- Muhimbi Data Processing Terms
- How we deal with your documents
- Microsoft and GDPR
- MailChimp and GDPR
- SagePay and GDPR
- Zendesk and EU Data Protection
Please contact us at firstname.lastname@example.org if you’d like to talk about our work on GDPR and other privacy-related matters.