
GraphGrid Data Protection

Last Updated May 4, 2018

At GraphGrid, customer trust is our top priority. We deliver services to hundreds of active customers, including enterprises, educational institutions, and government agencies in over 190 countries. Our customers include financial services providers, healthcare providers, and governmental agencies, who trust us with some of their most sensitive information.

We know customers care deeply about privacy and data security. That’s why GraphGrid gives customers ownership and control over their customer content by design through simple, but powerful tools that allow customers to determine where their customer content will be stored, secure their customer content in transit or at rest, and manage access to GraphGrid services and resources for their users. We also implement responsible and sophisticated technical and physical controls designed to prevent unauthorized access to or disclosure of customer content.

Maintaining customer trust is an ongoing commitment, and we strive to inform customers of the privacy and data security policies, practices and technologies we’ve put in place. These commitments include:

Ownership and Control of customer content:

• Access: Customers manage access to their customer content and GraphGrid services and resources. We provide an advanced set of access, encryption, and logging features to help you do this effectively. We do not access or use customer content for any purpose without the customer’s consent.

• Storage: Customers choose the region(s) in which their customer content will be stored. We will not move or replicate customer content outside of the customer’s chosen region(s) without the customer’s consent.

• Security: Customers choose how their customer content is secured. We offer our customers strong encryption for customer content in transit or at rest, and we provide customers with the option to manage their own encryption keys.

• Disclosure of customer content: We do not disclose customer content unless we’re required to do so to comply with the law or a valid and binding order of a governmental or regulatory body. Unless prohibited from doing so or there is clear indication of illegal conduct in connection with the use of GraphGrid products or services, GraphGrid notifies customers before disclosing customer content so they can seek protection from disclosure.

• Security Assurance: We have developed a security assurance program using global privacy and data protection best practices in order to help customers establish, operate and leverage our security control environment. These security protections and control processes are independently validated by multiple third-party independent assessments.

 

How does GraphGrid define customer content?

GraphGrid classifies customer data into two categories: customer content and account information.

We define customer content as software (including machine images), data, text, audio, video or images that a customer or any end user transfers to us for processing, storage or hosting by GraphGrid services in connection with that customer’s account and any computational results that a customer or any end user derives from the foregoing through their use of GraphGrid services. For example, customer content includes graph data that a customer or any end user stores in GraphGrid Graph Database Service (GDS). Customer content does not include account information, which we describe below. The terms of the GraphGrid Customer Agreement or other agreement with us governing the use of GraphGrid services apply to your customer content.

We define account information as information about a customer that a customer provides to us in connection with the creation or administration of a customer account. For example, account information includes names, usernames, phone numbers, email addresses and billing information associated with a customer account. The information practices described in the GraphGrid Privacy Notice apply to account information.

Who owns customer content?

Customers maintain ownership of their customer content and select which GraphGrid services process, store and host their customer content. We do not access or use customer content for any purpose without the customer’s consent. We never use customer content or derive information from it for marketing or advertising.

Who controls customer content?

Customers control their customer content. With GraphGrid, customers:

• Determine where their customer content will be stored, including the type of storage and geographic region of that storage.

• Choose the secured state of their customer content. We offer customers strong encryption for customer content in transit or at rest, and we provide customers with the option to manage their own encryption keys.

• Manage access to their customer content and GraphGrid services and resources through users, groups, permissions and credentials that customers control.

How does GraphGrid use account information?

We know that customers care how account information is used, and we appreciate customers’ trust that we will do so carefully and sensibly. The GraphGrid Privacy Notice describes how we collect and use account information.

What happens when GraphGrid receives a legal request for customer content?

We are vigilant about our customers’ privacy. We do not disclose customer content unless we’re required to do so to comply with the law or a valid and binding order of a governmental or regulatory body. Governmental and regulatory bodies need to follow the applicable legal process to obtain valid and binding orders, and we review all orders and object to overbroad or otherwise inappropriate ones. Unless prohibited from doing so or there is clear indication of illegal conduct in connection with the use of GraphGrid products or services, GraphGrid notifies customers before disclosing customer content so they can seek protection from disclosure. It’s also important to point out that our customers can encrypt their customer content, and we provide customers with the option to manage their own encryption keys.

Where will customer content be stored?

Customers choose the region(s) in which their customer content will be stored, allowing them to deploy GraphGrid services in the location(s) of their choice, in accordance with their specific geographic requirements. GraphGrid datacenters are built in clusters in various regions around the globe.

For example, a GraphGrid customer in Australia can choose to deploy its GraphGrid services exclusively in the Asia Pacific (Sydney) region and store its content onshore in Australia. If the customer makes this choice, its customer content will be located in Australia. Customers can replicate and back up their customer content in more than one region, and we will not move or replicate customer content outside of the customer’s chosen region(s) without the customer’s consent.

*Not all GraphGrid services may be available in all regions.

What is the customer’s role in securing their content?

When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:

Security measures that GraphGrid implements and operates – “security of the platform”

and

Security measures that customers implement and operate, related to the security of their customer content and applications that make use of GraphGrid services – “security in the platform”

 

For a complete list of all the security measures built into our core GraphGrid cloud infrastructure, platforms and services, please read our Overview of Security Processes Whitepaper.

Now that the EU-U.S. Safe Harbor program has been ruled invalid, can customers still use GraphGrid and comply with EU law?

Security of our customers’ data is our number one priority, and GraphGrid has already obtained approval from EU data protection authorities, known as the Article 29 Working Party, of the GraphGrid Data Processing Addendum and Model Clauses to enable transfer of data outside Europe, including to the U.S. With our EU-approved Data Processing Addendum and Model Clauses, GraphGrid customers can continue to run their global operations using GraphGrid in full compliance with EU law. The GraphGrid Data Processing Addendum is available to all GraphGrid customers that are processing personal data whether they are established in Europe or a global company operating in the European Economic Area. For additional information, please visit the GraphGrid EU Data Protection FAQ.

What steps does GraphGrid take to protect customer privacy?

GraphGrid’s alignment with ISO 27018 has been validated by an independent third-party assessor. ISO 27018 is the first international code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. This demonstrates to customers that GraphGrid has a system of controls in place that specifically addresses the privacy protection of their content. For more information, please visit the GraphGrid ISO 27018 FAQ.

We have developed a security assurance program using additional global privacy and data protection best practices in order to help customers establish, operate and leverage our security control environment. These security protections and control processes are independently validated by multiple third-party independent assessments.

EU-US Privacy Shield

The European Commission and the US Government agreed on a new framework called the EU-US Privacy Shield, and on July 12, 2017 the European Commission formally adopted it. The EU-US Privacy Shield replaces Safe Harbor. GraphGrid welcomes this framework for transatlantic data flow.

To learn more about this topic in the context of GraphGrid, visit our EU-US Privacy Shield page.