
Data Privacy in IceWarp

Long before the EU’s regulation on the protection of users’ data and privacy became applicable on May 25, 2018, IceWarp was already working to set everything up, both technically and legislatively, for this global cornerstone of digital security. And we were successful. IceWarp is fully GDPR compliant. We’ll show you how to prepare your company as well.
In short: IceWarp is already GDPR compliant. You don’t have to do much at the moment to meet the basic demands of the regulation, but we suggest you review our recommendations below.

Purpose of GDPR

The General Data Protection Regulation (GDPR) is the largest and most comprehensive EU regulation of personal data storage and processing in history. Adopted on 14 April 2016, it came into force after a two-year transition period. The new regulation provides users with stronger rights to access and control their personal data and places obligations on organisations, making them more accountable for data protection.
The goals of GDPR are promising: to grant more control over personal data to every EU citizen and to simplify the regulatory environment of international business. But what is personal data anyway? According to EU officials: “Personal data is any information relating to an individual. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address.” *
* The GDPR provides for most legal obligations, but in addition member states can make provisions for how it applies in their country through their national data protection laws.
GDPR is not all about digital security, though. Enforcement of the new law mostly affects a company’s internal processes: the way data is stored, how levels of clearance are managed, and how data policies are updated. In short, that means sleepless nights for the company’s lawyer and a lot of paperwork for everyone else. Otherwise, penalties will be severe.

Technical Measures

On the brighter side, if you’re using the latest version of IceWarp Server, you’re all set to be GDPR compliant already. We regularly conduct vulnerability and penetration testing of IceWarp Server and all related tools and client applications. We also make sure that we update to the latest patches of all critical components of the system, including OpenSSL, certificates, etc. Therefore, as with any other IT system, you need to keep updating to the latest version of IceWarp Server in order to stay protected against recent security threats.
In terms of IT infrastructure, make sure that you follow the general best practices of IT security, including remote access security, firewall security, password complexity enforcement, and malware protection. The IceWarp team can help you review your current setup.
However, you may also need to make a few configuration changes to IceWarp Server in order to fulfill some of the GDPR requirements. For example, to access all data and search through it, you can simply set up a global archivist account. The account comes in handy when your customers or former employees require you to provide a GDPR audit of their personal data.
There are also some other simple steps you may want to take to be even more in line with GDPR:
  • Data loss protection. Be sure you’re using SmartAttach and Archive functions.
  • Grant only mandatory access to the server. According to level of clearance, lower the number of people with wide access to the server.
  • Enable 2-factor authentication. For server administrators, simply use IceWarp Authenticator, which works smoothly for almost any IT admin, or set a second authentication method such as SMS.
  • S/MIME keys. Start digitally signing and encrypting your messages using S/MIME, but be aware of a significant increase in the computing power needed.
  • Levels of clearance. Do a permission audit, deny access to nonessential personnel, and set different passwords for the most secure directories.
  • Use user accounts only. We don’t recommend running IceWarp under the root account; use dedicated user accounts instead.
  • Data searching. Designate the authorized individual(s) who have permission to search through the Email Archive and Full-text search.
  • Erasing in person. Make sure that erasing is done by the person who owns the data.
  • Use system logs. Enable system maintenance logs on your server; this allows you to track every action on the server, along with user authentication and activity.

Data Subject Requests

First, let us assure you: IceWarp On-premise and Cloud are fully GDPR compliant at the moment. Things get more complicated when it comes to fulfilling user requests for data access. The data controller needs to search for the user's data, categorize it and create a GDPR report. That’s when the built-in full-text search can be useful. With its full-text search capabilities and advanced filtering options, you will be able to process data subject access requests from various sources on your server in just a few clicks.
You can search personal data contained in e-mails, messages and any files hosted in IceWarp Cloud. You are also able to archive and delete any personal data contained in these e-mails, messages and hosted files.
This will help you fulfil the rights of data subjects:
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of data processing
  • Right to data portability
  • Right to object
Audit That Out
Need further help preparing for GDPR? Let us know at gdpr@icewarp.com. We will gladly help with the transition.
Contact Person
Any GDPR-related questions can be addressed to IceWarp’s Data Protection Officer at dpo@icewarp.com.

Cloud Services and Privacy

Regardless of whether you choose to store your data in Germany or in the U.S., IceWarp complies with the European GDPR. This is because GDPR is applicable to personal information of any end user or business contact of any European citizen, so it’s easier to implement it across all our clusters. In fact, IceWarp has been working on enabling data discovery and compliance for other businesses, so that they can easily locate personal data in all internally used systems using full-text search and securely archive or delete it. To address the privacy needs of US organizations working with sensitive patient health information, we can help to achieve compliance with the national standard HIPAA.
IceWarp Cloud multi-tier applications are using separate virtual machines (VMs) including non-shared storage, so a breach in one site doesn’t affect others. There are individual firewalls that work as a protective shell for your data. Smart cloud automation developed by IceWarp ensures the highest level of information security, as opposed to vulnerabilities that exist in commonly available virtualization platforms. Connections are secured and limited to authorized staff who are issued personal tokens and connect through a virtual private network (L2TP/IPSec) and SSH gateway. Only necessary ports are open for most of the services, further reducing the risk. There’s also high physical access security in all our data centers, protecting the clusters from damage, infiltration, theft, fire, etc. In addition, the proactive monitoring of all services and the network traffic would reveal any malicious activity and allow our security team to react.
Any data and apps in the cloud are physically stored on a server located at a data center or server farm. Location of that data center is the most important factor when considering cloud providers. Do they disclose this information at all? Can they guarantee to keep your data under one jurisdiction, such as to prevent the transfer of personal information?
With IceWarp Cloud you can select from a list of several data centers where your data will reside. The distance and local connectivity to the nearest data center not only make the service more responsive; the choice of location also ensures that the data remains protected by the privacy laws valid in your country. We guarantee your data won’t be moved abroad. You can learn more about our certified data centers at this link: www.icewarp.com/cloud-order/datacenters.

ISO/IEC 27701 Certification

Here at IceWarp we adhere to strict data protection legislation. To address the operational challenges of processing an increasing amount of personal data, we have introduced an internal Personal Information Security Management System with processes that are certified by the recognized international standard ISO/IEC 27001. This is one of the most used ISO standards in the world, with many organizations (regardless of whether they are data processors or controllers) already certified to it. This means that organizations with established ISO 27001 certification can rely on IceWarp as a supplier who is independently audited and interoperable within the same standards. For businesses that haven’t sought the certification yet, it’s a key prerequisite in achieving GDPR compliance of our services. In short, privacy (whether GDPR or through another regulation) depends on established information security standards.