Data Processing Agreements
Recently, we have updated all our agreements, terms and privacy policy to reflect the GDPR requirements. We have made these updated agreements and information available to our partners and customers for their compliance assessment and GDPR readiness when using our Cloud Services.
Processing based on Instructions
Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s instructions, as described in our current as well as our GDPR-updated data processing agreements and Service Specifications.
Personnel Confidentiality Commitments
Our employees are required to sign a confidentiality agreement and have completed multiple mandatory briefings on confidentiality and data protection for our customers. The briefings specifically address responsibilities and expected behaviour with respect to the protection of all personal information.
CumulusPro itself carries out the majority of the data processing activities required to provide the Cloud BPM Platform services. When required, we engage third-party vendors to support our Cloud Services. Each vendor goes through a rigorous selection process to ensure it has the technical capabilities required to deliver the appropriate level of security and privacy.
CumulusPro may engage third-party sub-processors to assist us in relation to the Cloud Services. Our third-party sub-processors provide technologies and services in the areas of data entry and validation, automated document classification, automated data extraction, Optical Character Recognition (OCR), facial recognition, API connectivity, and communication platform services.
With effect from 25th May 2018, the GDPR requires that the controller and the processor implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
CumulusPro is committed to a robust implementation of Information Security Management in the delivery of our Cloud Services. Management, employees and contractors of CumulusPro are committed to applying appropriate confidentiality, integrity and availability controls to data when delivering CumulusPro Services to the Customers.
From software design and development through to delivery, CumulusPro Services security policies are aligned with the ISMS scope and information security policy requirements of the ISO/IEC 27001 standard. Visit ISO/IEC 27001 Information security for more information on ISMS.
User creation procedure
User account creation follows a strict procedure: a system administrator creates new user accounts using the users’ email addresses from the CumulusPro cloud Admin Panel. The account is activated only after the email address has been validated and the new user has given clear consent. In the meantime, user access rights and roles are assigned by the system administrator.
User passwords are NOT provided by the system administrator. Users create their own passwords after receiving an email invitation that contains a URL link to a set-password page. This ensures that registered email addresses are verified, that passwords are known only to the users, and that clear consent is given. For added security, the user may be required to register for two-factor authentication (2FA) with the Google Authenticator app.
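The invite-based account creation described above, as an added illustration that is not CumulusPro's code: the administrator creates the account and roles but no password, a single-use and time-limited invite token is sent in the email link, and the account becomes active only when the user presents that token, gives explicit consent and chooses a password that only they know. The 24-hour token lifetime, the 12-character minimum, the in-memory store and the hashing choices are assumptions; the optional 2FA enrolment is not modelled.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

INVITE_TTL_SECONDS = 24 * 3600  # assumed validity window for the invite link (not stated on the page)
MIN_PASSWORD_LENGTH = 12        # assumed policy; the page states no minimum

@dataclass
class Account:
    email: str
    roles: List[str]
    invite_hash: Optional[str] = None    # only a hash of the invite token is stored
    invite_expires: float = 0.0
    password_hash: Optional[str] = None  # absent until the user sets a password
    consent_given: bool = False
    active: bool = False

ACCOUNTS: Dict[str, Account] = {}  # constructed in-memory store standing in for a database

def admin_create_invite(email: str, roles: List[str], now: Optional[float] = None) -> str:
    """Administrator step: create the account and assign roles, but never a password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # the raw token travels only inside the e-mailed link
    ACCOUNTS[email] = Account(
        email=email, roles=list(roles),
        invite_hash=hashlib.sha256(token.encode()).hexdigest(),
        invite_expires=now + INVITE_TTL_SECONDS)
    return token

def set_password_from_invite(email: str, token: str, password: str,
                             consent: bool, now: Optional[float] = None) -> bool:
    """User step: activation needs a valid, unexpired, unused token, explicit consent and a user-chosen password."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email)
    if acct is None or acct.invite_hash is None or now > acct.invite_expires:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, acct.invite_hash):  # constant-time comparison
        return False
    if not consent or len(password) < MIN_PASSWORD_LENGTH:
        return False
    salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    acct.password_hash = salt.hex() + ":" + derived.hex()
    acct.invite_hash = None  # single use: the same link cannot be replayed
    acct.consent_given = acct.active = True
    return True
```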
As a rule of thumb, CumulusPro employees do not have access to customers’ business data. Personnel in DevOps roles only have access to the hosted servers and Application Services in order to manage the running of the services, administer the operating environment, and modify user accounts and business processes. Through the implemented MS Azure application-level encryption, all images and data stored in Azure BLOB storage are encrypted. Therefore, even when DevOps personnel are logged in, customer business content is only accessible through the application security framework, which means they would need to be granted the corresponding privileges and access rights to that content.
Service logging and monitoring rights
There are a few levels of monitoring and logging for CumulusPro Services.
DevOps: The CumulusPro Application services and MS Azure Services responsible for delivering CumulusPro Services to customers are closely monitored by CumulusPro DevOps 24x7. If a service goes offline, a notification is automatically triggered to CumulusPro DevOps by email and/or SMS.
Process Monitoring: Only available to process owners or user accounts with sufficient rights. Process Monitor allows the identification and resolution of process bottlenecks by managing tasks in active processes.
User Activities: All user activities in active customer workflow processes are logged; only users granted the relevant access rights can view these detailed logs for each transaction. Logged information covers process activities such as field modifications, the date and time stamp of an action, the user’s response to a decision, and so on.
At any time that CumulusPro or our sub-processors are in possession of or processing your personal data, we recognise your rights as a data subject and will honour the following requests:
Right of access: Your right to request details of the personal information that we hold about you.
Right of rectification: Your right to amend data that is inaccurate or incomplete.
Right to be forgotten: Your right to request that your data be removed from our records in accordance with Article 17 GDPR.
Right to restriction of processing: Your right to restrict the processing where Article 18 GDPR applies.
Right of portability: Your right to have the data we hold about you transferred to another organisation (Article 20 GDPR).
Right to object: Your right to object to certain types of processing, such as direct marketing (Article 21 GDPR).
Right to object to automated processing, including profiling: Your right not to be subject to the legal effects of automated processing or profiling (Article 22 GDPR).
To protect your personal data, CumulusPro will only accept the following forms of identification when you request information: a copy of your driving licence, passport or birth certificate, and a utility bill not older than three months. At a minimum, we will require one piece of photographic ID listed above and a supporting document. If you cannot be positively identified from the identification you submit, we will seek further information before we can proceed with your request.
Requests can be made via gdpr@cumuluspro or by leaving us a message here.
The GDPR provides several mechanisms to facilitate transfers of personal data outside the EU. These mechanisms are aimed at confirming an adequate level of protection, or ensuring the implementation of appropriate safeguards, when personal data is transferred to a third country. Except for the sole purpose of transferring data to our sub-processors, your data does not leave our Azure data centres for its entire lifespan, until the end of the retention period, when it is automatically purged.