Cyclr’s GDPR Measures

22nd May 2018

As is the case for all companies, we are taking GDPR seriously and are endeavouring to adapt to the new legislation as best we can. Inevitably we will make further amendments to our policies as time passes and we all have a better understanding of our obligations.

However during the last months we have made substantial changes in order to support our own obligations under GDPR as well as those of our clients. This article details Cyclr’s actions taken as at May 2018, and our stance on GDPR. We will refresh this page as and when variations are required.

Cyclr as Data Controller

Cyclr is a Data Controller when it comes to handling the personal information of our Direct Clients and any Client Prospects. Cyclr is strictly a Business to Business enterprise and does not actively target individual consumers.

Direct Clients are companies with a direct paid subscription to the Cyclr application. Client Prospects are those companies that we are actively targeting as prospective clients and companies/individuals who have provided us with their contact information.

We have recently refreshed all of our Client Prospect records, re-verified subscribers with appropriate GDPR approvals and deleted any non-essential and/or expired personal data that we hold. We will regularly review, and delete, non-essential information.

We take the right to be forgotten seriously and use any Direct Client or prospect information solely for the purposes of dealing with existing Direct Clients and prospecting for new business. We do not use personal information for any other purposes. Should you wish your record in Cyclr’s systems to be deleted, please email us at dpo@cyclr.com

In addition, for full transparency, we have disclosed the various applications that we use to store Direct Client and prospect information here.

You can also see our privacy policy here.

Cyclr as Data Processor

Cyclr acts as a Data Processor when it comes to providing services to, and enacting the instructions of, our Direct Clients. Direct Clients are companies with a direct paid subscription to the Cyclr application, who in turn provide integration functionality to their own End Users (an individual, company or entity that is a client of our Direct Client).

Our obligations to Direct Clients are covered either by our online terms and conditions or by an independent Enterprise Agreement, depending upon the subscription and service level the Direct Client has with Cyclr. We endeavour to regularly review and update our terms and conditions and contracts and to communicate any such amendments in a timely fashion. Both Enterprise Agreements and our online terms and conditions are in the final stages of being updated for GDPR and will be available in the next couple of weeks.

Functional Overview

The Cyclr platform enables our Direct Clients to offer integration and connectivity functionality between two or more applications to their End Users. Cyclr processes data at the instruction of our Direct Clients who in turn are acting on the instruction of their End Users.

By enabling an integration, the Direct Client is instructing Cyclr to enable the transfer of data from one application to another. Inherently, Direct Clients are enabling integrations at the behest of their own End Users, and it is critical that Direct Clients ensure that their End User is aware that they are making the instruction and has given permission. Direct Clients are responsible for this part of the process.

When an integration is activated by an End User, in almost all instances it is standard for the End User to provide an explicit and unique Authorisation Key for any application from which data is transferred or to which data is transmitted, in order for any data transfer to take place. This is the authorisation of the data transfer. The integration workflows can also be stopped at any time.

Except in circumstances where an error arises and Cyclr is asked by the Direct Client to explicitly resolve any issues, Cyclr does not proactively analyse or access any data transferred across the Cyclr application.

Geography

At the simplest level we offer our Direct Clients the option to host their Cyclr Application in the EU (London) or the US (North Virginia) such that when data is transferred it remains within the requested geographic location whilst in the Cyclr environment. We are in the process of engaging with clients to migrate them from one hosting centre to another at their behest should this be a requirement.

The application and databases are currently hosted with Amazon Web Services. Amazon Web Services assert full compliance with GDPR; please see https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/

Data Transit and Storage Security

We always encourage the use of HTTPS or SSL/TLS where possible when customers are connecting to Cyclr or third party APIs, so that data is encrypted on the way into and out of the Cyclr application.

Whilst in the Cyclr application environment, all data is encrypted.

Account access credentials, authorisation tokens and API keys are all encrypted using AES (the Advanced Encryption Standard).

Data Management in Cyclr

As a conduit of data consolidation and movement on behalf of our Direct Clients and their End Users, we have worked hard to include new features that put the parties in full control of their data.

In the recent months, we have enhanced our platform with new options including:

Data Retention Settings

We provide complete control over how long data transactions are stored in Cyclr. Cyclr enables each individual workflow to have a different data retention period, in minutes, hours or days, in order to keep Direct Clients in compliance with their own data policy.

We also allow for a separate retention period for transactions with errors, enabling the completion of any support tasks with the full picture.

Whilst Direct Clients have the ability to set their company’s data retention period, End Users can also have separate control over their retention duration. This can be set within their account inside your console, giving your users even more control of their data.

As a backstop we purge all data that is greater than 180 days old and hasn’t already been deleted under the instruction of a Direct Client or an End User.

You can access this in the following menu:

Settings > Data Retention
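The retention rules above (per-workflow periods, a separate period for errored transactions, an End User override, and the 180-day backstop) resolve into a single purge decision per transaction. The following is an added illustration, not Cyclr’s own code; the policy structure, the rule that an End User setting takes precedence over the workflow setting for successful runs, and all sample values are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Hard backstop stated on the page: nothing older than 180 days survives.
BACKSTOP = timedelta(days=180)

@dataclass
class Transaction:
    tx_id: str
    workflow_id: str
    end_user_id: str
    created_at: datetime
    has_error: bool = False

@dataclass
class RetentionPolicy:
    """Hypothetical policy shape, not Cyclr's real schema."""
    default_ok: timedelta        # company-wide period for successful runs
    default_error: timedelta     # company-wide period for errored runs
    workflow_ok: dict = field(default_factory=dict)     # per-workflow overrides
    workflow_error: dict = field(default_factory=dict)
    end_user: dict = field(default_factory=dict)        # per-End-User override

def effective_retention(policy: RetentionPolicy, tx: Transaction) -> timedelta:
    """Resolve the period for one transaction, never longer than the backstop."""
    if tx.has_error:
        period = policy.workflow_error.get(tx.workflow_id, policy.default_error)
    elif tx.end_user_id in policy.end_user:
        period = policy.end_user[tx.end_user_id]  # assumption: End User setting wins
    else:
        period = policy.workflow_ok.get(tx.workflow_id, policy.default_ok)
    return min(period, BACKSTOP)

def should_purge(policy: RetentionPolicy, tx: Transaction, now: datetime) -> bool:
    return now - tx.created_at > effective_retention(policy, tx)

def purge_candidates(policy, txs, now):
    return [t.tx_id for t in txs if should_purge(policy, t, now)]

# Constructed sample data (not real Cyclr records).
NOW = datetime(2018, 5, 22, 12, 0, tzinfo=timezone.utc)
POLICY = RetentionPolicy(
    default_ok=timedelta(days=1), default_error=timedelta(days=3),
    workflow_ok={"wf-1": timedelta(hours=6)}, workflow_error={"wf-1": timedelta(days=7)},
    end_user={"user-b": timedelta(days=2), "user-c": timedelta(days=400)},
)
SAMPLE = [
    Transaction("t1", "wf-1", "user-a", NOW - timedelta(hours=7)),
    Transaction("t2", "wf-1", "user-a", NOW - timedelta(hours=7), has_error=True),
    Transaction("t3", "wf-1", "user-b", NOW - timedelta(hours=7)),
    Transaction("t4", "wf-2", "user-c", NOW - timedelta(days=200)),
]
```

Note that the 400-day End User setting on "user-c" is silently capped to 180 days, which is exactly the behaviour the backstop is there to guarantee.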

OAuth Client Credential Settings

Direct Clients have the ability to revoke Access Tokens if necessary. This can be used to prevent and control misuse of their platform.

You can access this in the following menu:

Settings > OAuth Client Credentials

Notification Settings

Direct Clients and End Users can set what notifications they receive via email. These can be turned on and off within the management console.

You can access this in the following menu:

For Users: Settings > Integration Settings > Enable User Notification Users

For Console Admins: Settings > Console Administrators > Receive Notification Emails

Assigning a Data Protection Contact

To provide a single point of contact for any data related queries and enquiries, we have a dedicated point of contact for data protection. If you have any data related questions, please direct them to dpo@cyclr.com


Summary

Thank you for reading this far. We at Cyclr understand the importance of data, the importance of privacy and the right to be forgotten. We will endeavour to adapt rapidly to legislation as it changes and to work proactively with our Direct Clients, Client Prospects and our Direct Clients’ End Users in order to respond to requests.

Should you have any further questions then please contact us at dpo@cyclr.com