Data residency

Introduction

Data residency refers to the actual physical location where an organisation's data is held or stored. For example, data could be submitted by a user in Australia to a cloud application while the servers that hold and process the data are in Europe; in this case, the data residency is the European location.

Data residency is particularly important for ensuring that the laws and regulations of the country or region where the data resides are upheld. Customers using cloud applications should therefore be aware of their data’s physical location. Knowing where a cloud provider’s data centres are will help to ensure that organisational data residency policies respect local laws.

The Kianda platform is a cloud-based SaaS (Software as a Service) solution that allows for integration with multiple third-party IT systems and siloed data sources, for example SharePoint Online Environment and Active Directory, SAP, SQL Server, O365, Oracle and so on. The platform is hosted and secured in Microsoft Azure, which allows Kianda to specify the region where customer data will be stored and processed. The datacenter region for Kianda is North Europe, and therefore the location for data storage and processing is Ireland (see https://azure.microsoft.com/en-us/global-infrastructure/data-residency/#select-geography). This means that data residency for Kianda is Europe, and therefore European laws like the General Data Protection Regulation (GDPR) must be upheld.

Kianda Security and GDPR

Kianda Technologies confirm that the data for the Kianda platform (including backup and test data) is stored within the EU. For optimal performance, our platform is deployed to Microsoft Azure Ireland with geo-replication to Azure Netherlands.

The Kianda platform can also be deployed and hosted on a private cloud or on premises in the client’s preferred geographical location. This setup will include its own backup policy and system. Our platform allows for data, including backup and test data, to be stored wherever is most desirable for the client, for example a SharePoint tenant.

Users’ IP addresses are stored in system logs for security and data protection purposes. We comply with our obligations under Data Protection Legislation by providing an adequate level of protection to any Personal Data.

In addition, the data is encrypted at rest and in transit. Data records are also masked from a GDPR point of view. We employ Microsoft security products to automatically mask and classify personal data; this is scheduled on a weekly basis.

Personal data such as IP addresses is retained for a period of 12 months.

ISO27001:2013 Certification

In terms of security and quality, all Kianda services and solutions are ISO27001:2013 Certified, and as part of that are audited by an external party every 6 months. Details may be accessed here: https://www.kianda.com/information-security.

Kianda employs the highest levels of security, as demonstrated by our ISO certifications, and the platform includes extensive dashboard and reporting/audit trail functionality.

Kianda Technologies comply with all applicable laws and regulations regarding the protection of personal data. We provide separate production and test environments. Responsibility for maintaining test data is with data controllers, and in that regard, we treat both test and production environments as managed by the customer.

On termination of contract, as per our customer service level agreement, we will destroy or otherwise dispose of any customer data in our possession unless we receive, no later than ten days after the effective date of the termination of this agreement, a written request for the delivery to the customer of the then most recent back-up of the customer data. We shall use reasonable commercial endeavours to deliver the back-up to the customer within 30 days of our receipt of such a written request, provided that the customer has, at that time, paid all fees and charges outstanding at and resulting from termination (whether or not due at the date of termination).

The Customer (data controller) shall own all right, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data.

If we, as data processor, receive any request by any person to access all data, we shall within five (5) business days provide the Data Controller with the full details of that request.

Kianda would be pleased to participate in a Data Protection Impact Assessment (DPIA) at the client’s request. Furthermore, we confirm that our solution conforms with the principles of Data Privacy by Design and Default.