DocBoss and the GDPR

On this page, we explain how we process personal data as a processor under the European General Data Protection Regulation (GDPR), i.e., when we process personal data on behalf of someone else (our clients).

Also see our Privacy Notice, where we describe the processing of personal data we do as a controller, i.e. when we decide the purposes and means for such processing. Please note that these terms, controller and processor, correspond specifically to the GDPR.

If you have any questions, please reach out to privacy@docboss.com.

Our company details:
Gnaros Inc., dba. DocBoss
375, 440 10816 Macleod Trail SE, Calgary AB Canada T2J 5N8

Our privacy and data protection efforts

Gnaros Inc. was founded in 2009, is privately held and headquartered in Canada. We provide the software (and do business as) “DocBoss” – a web-based SaaS project document control system. DocBoss enables process equipment suppliers to manage and deliver custom engineering documentation to their customers, who typically are manufacturers, distributors and fabricators providing products such as pumps, valves, instrumentation, pressure vessels and similar.

In 2018, the General Data Protection Regulation (GDPR) came into force across the EU and the EEA countries (Iceland, Norway, Liechtenstein), collectively referred to as the “EEA” (European Economic Area). The GDPR is a European regulation where the intention is to standardize and strengthen data protection rules to safeguard privacy – and fundamental human rights.

With customers globally, we are conscious about staying on top of relevant regulatory changes. As the GDPR is often seen as the “gold standard”, we use GDPR compliance as the benchmark for our general privacy and data protection work. And, although challenging, we try to keep up to speed on the
fast-changing regulatory landscape, including important changes such as the Schrems II ruling and new standard contractual clauses (SCCs) from the European Commission.

For this year’s (2022) privacy and data protection internal audit, and to truly demonstrate that we take this seriously, we invested in help from a renowned EEA-based GDPR advisor to review our efforts to date, update certain documentation and prepare us for the upcoming months. The summary below is part of the output from this project. If you have any questions about our privacy and data protection work, please contact us at privacy@docboss.com.

Our role as a processor

First, we only act as a processor if we have entered into an agreement with a client and if we process personal data on their behalf. This could, for example, be the names and email addresses of people added to the DocBoss software, both as employees and contacts with whom you want to share documentation. Please see below for other examples.

As a processor under the GDPR, we’re subject to several requirements, for example:

• Obligations under Article 28, include signing data processing terms, assisting the controller, allowing for audits/inspections, and more. And importantly, we only process personal data on the controller’s documented instructions.
• Ensuring that persons acting under our authority and who have access to personal data, won’t process such data except on instructions from the controller, as per Articles 29 and 32(4), and are subject to confidentiality.
• Maintain a record of all categories of processing carried out on behalf of a controller, as per Article 30(2).
• Cooperate with supervisory authorities based in the EEA, as per Article 31.
• Implement technical and organizational measures to ensure a level of security appropriate to the risk, as per Article 32.
• Notify the controller without undue delay after becoming aware of a personal data breach, as per Article 33.

We work with all of our clients to agree on relevant data processing terms as applicable and otherwise fulfil
our duties as a processor.

Signing a data processing agreement (DPA)

We’re happy to sign a DPA, but please note that since we’re a small team, we have limited resources to do legal reviews of custom DPAs. We, therefore, ask that we use the standardized and pre-approved model data protection clauses adopted by the European Commission on 4 June 2021: the standard
contractual clauses (SCCs) for the relationship between controllers and processors based on Article 28(7) GDPR.

To streamline this process, we have added relevant details for a DPA, below. Please contact us at privacy@docboss.com to get a copy signed.

Personal data and categories of data subjects

We classify personal data as per the GDPR Article 4(1), that is: any information relating to an identified or identifiable natural person (‘data subject’) who can be identified, directly or indirectly, rather than the US “PII” (Personal Identifiable Information), to ensure we cover all relevant data. We do not process any special category personal data as defined in the GDPR Article 9(1).

We typically process personal data about two categories of data subjects:

1. DocBoss Users, who are employees of our clients with DocBoss user accounts.
2. DocBoss Contacts, who are individuals added to DocBoss by our clients.

We also process the personal data of our clients as a controller, typically related to our client relationships. Read more about this in our Privacy notice.

Purposes and nature of the processing

The purposes for processing personal data on behalf of the controller, are to 1) allow access to and use of DocBoss, including creating User accounts and sharing documentation with external parties, 2) offer User support, and 3) enable us to provide a secure and stable service.

The nature of the processing involved includes:

• Store and process personal data (on behalf of the controller) on cloud infrastructure.
• Provide software functionality for the controller, including creating and administrating customer documentation and the ability to share this with other parties. Functionality also includes review, submittal and approval processes of documentation, work organization, reporting and
  collaboration.

Details on the personal data we process (on your behalf)

To give you an idea of what personal data we process as a processor, we have listed the most common use cases below. (We discuss and agree on this for every client engagement.)

Login details and activity

To be able to use our software (DocBoss), Users must log in via our client portal at system.docboss.com (or a variety of this URL), and for this, we process email addresses, passwords and technical data.

Data/content in DocBoss, including contact management and emails

This includes any data/content created in DocBoss by Users, which is considered personal data, for example:

• Coversheets which contain the names of Contacts.
• Contact management, where Users can add names, contact information etc. of Contacts (typically our clients’ contacts/customers).
• Emails sent by Users, including download links.

Client support

When our clients send us support tickets which include the personal data of Users and/or Contacts, this data is processed by us as a processor.

Technical data

Some technical data is created through the use of our software, like logging. Technical data can also include IP addresses and User ID.

Technical and organizational measures

As a software company, we know how crucial exceptional security is and we have a high focus on data protection in general – not only for personal data.

Data minimization and deletion

A key focus for us is data minimization, which is also one of the fundamental principles in the GDPR. And not only as a processor – generally in our business, we try to limit the amount of personal data we process. First, it decreases the risk in case of a data breach, but it also makes it easier to fulfil our duties after the termination of a data processing agreement – namely returning or deleting all personal data we have processed on your behalf.

Confidentiality, Integrity, and Availability

Physical access to data systems is managed by our sub-processor, while internal access is restricted to specific IPs protected via MFA (multi-factor authentication) through a VPN (Virtual private network). From there, server access has secondary MFA, and is restricted only to key personnel, with local and centralized logging of system access and actions. All data is encrypted to TLS 1.2 in motion and is encrypted at rest. System logs record entries, edits and deletions of data. System snapshots are stored on an hourly basis with 7 9s availability, in addition to daily backups which are stored for 2 weeks.

Emergency restore procedures are tested every 6m. Our impact analysis policy sets our RPO (Recovery Point Objective) to 1 hr with our RTO (Recovery Time Objective) to 1 day.

Regular Review

Our data protection policy calls for annual internal privacy audits and annual external penetration testing with internal pen tests at the 6m mark. All incidents are logged in our incident response system as either major or minor events. All major events require an incident review process to be completed prior to archiving. They are reviewed annually per our incident response policy.

International transfers of personal data and sub-processors

Since we’re based in Canada, your personal data is transferred outside of the EEA (the EU member states plus the EEA countries Iceland, Norway and Liechtenstein). However, the European Commission has granted an “adequacy decision” to Canada (commercial organizations only), meaning they believe Canada to have an adequate level of data protection. You can read more about this on the European Commission’s website here.

Our sub-processors include Amazon Web Services Canada, Inc., with data storage locations in the EU for EU clients, and in the USA for non-EU clients, and Elasticsearch AS currently hosted in the USA (moving to EU by Dec 2022).

We use AWS for hosting cloud infrastructure and provisioning of services, and Elasticsearch AS for centralized logs.

We hope that the above provides you with satisfactory information about our role as a processor under the GDPR. If you still have any questions about this, please reach out to privacy@docboss.com.