
GDPR Statement

General Data Protection Regulation (GDPR) is a piece of regulation intended to improve data protections within the European Union (EU). The creators of the regulation want to give citizens greater control over their personal data and make it easier to regulate data handling by making regulations consistent across the Union’s 28 member states.

The current directive in the EU defines personal data as “any information relating to an identified or identifiable natural person.” However, this directive has left open a few issues that the GDPR hopes to resolve. Because the GDPR deals with the protection of personal data, the regulation attempts to clear up some ambiguities regarding which data types fall within its scope.

In clarifying the definition of personal data, the new regulation’s authors have cast a wide net that explicitly includes data types such as online identifiers, location data, IP addresses, pseudonymous data, biometric data, and genetic data.

ChaosSearch has been reviewing its responsibilities and has an internal cross-function team working with appropriate external expertise to ensure compliance now, and will continue this initiative into the future. For more information, here’s a link to the official GDPR portal.

GDPR Requirements

There are a number of important measures implemented to enhance protection of personal data.

  • Right to Erasure: This stipulates that any individual with personal data has the right to request their personal data be erased for several reasons
  • Privacy by Design: The regulation requires organizations to implement processes and technologies that make data protection and minimal data use the default operating procedures. This includes the requirement to “pseudonymize” data as quickly as possible, by encryption or other means
  • Privacy Impact Assessments: Organizations may be required to assess the impact to personal data protection involved in a given project
  • Data Protection Impact Assessments: Organizations controlling personal data must also evaluate the risk to the protection of an individual before processing data
  • Data Protection Officers: Organizations that systematically monitor personal data or process high volumes of protected data must appoint a Data Protection Officer
  • Supervisory Authorities: Now that a single set of rules will govern data protection in the EU, member states will be responsible for establishing their own independent supervisory authorities
  • Rapid Data Breach Notification: GDPR rules require organizations to move swiftly to disclose knowledge of a breach. Unlike previous laws, which required notification only if the breach was potentially damaging to data protection, the GDPR stipulates that this requirement covers all breach events. The state’s supervisory authority must be notified within 72 hours, and undue delays will be penalized
  • Data Portability: An individual must be able to transfer their data to another data controller, without the organization interfering
  • Retention of Data Processing Files: The organization managing data must retain records on the data it processes, including reasoning for why that data was used

Failure to comply with GDPR regulations can result in warnings, audits, and even fines of up to 20 million euros.

Why GDPR Matters to American Companies

Although the General Data Protection Regulation measures are to be enforced within the EU, the scope extends not only to EU-based organizations but also to international companies that process data within the union, including US-based companies doing business in the EU. This means many companies in the United States doing business with certain European countries must also maintain compliance.

While the GDPR has significant overlap with the previously adopted NIS Directive, the latter involved a more limited scope, which made it less of a concern for companies outside of the EU. The NIS Directive, for instance, dealt only with providers of essential services or digital service providers, while the GDPR involves any organization processing personal data. And the NIS Directive limited breach notification requirements to events posing significant risks to data protections, while the GDPR extends its scope to all breach events.

ChaosSearch and GDPR

Where are we now?

ChaosSearch has been reviewing its responsibilities and has an internal cross-function team working with appropriate external expertise to ensure compliance now, and will continue this initiative into the future.

Awareness

All employees of ChaosSearch are aware of GDPR and of ChaosSearch's program to remain compliant as a Data Service Provider.

Information Held

All relevant data held by ChaosSearch's SaaS products has been reviewed and found to be necessary to support the functionality of those products.

Third Party Processors

ChaosSearch's SaaS products are implemented on Amazon Web Services. The European Union (EU) data protection authorities, collectively known as the Article 29 Working Party, have approved the AWS Data Processing Agreement (DPA), assuring customers that it meets the high standards of EU data protection laws.

No other third parties are presently involved in ChaosSearch's service in handling data regulated by GDPR.

Privacy Policy

ChaosSearch's privacy policy has been updated to reflect the requirements of GDPR and is available here.

Data Protection Officer

ChaosSearch has appointed a Data Protection Officer, who can be contacted at dpo@chaossearch.io.

Assistance to the Data Controller

As a Data Processor, ChaosSearch is required to assist Data Controllers to fulfill their responsibilities.

Data Controllers can use ChaosSearch's SaaS product’s administrative capabilities to access, rectify, restrict the processing of, or delete any data that they and their users put into ChaosSearch's products. This functionality will help them fulfill their obligations to respond to requests from data subjects to exercise their rights under the GDPR.

Further, ChaosSearch has defined procedures to manually or otherwise assist any request from a Data Controller to fulfill their responsibilities.

Data Breaches

ChaosSearch has robust procedures in place for handling any event in this category. After review, these meet and exceed the requirements of GDPR.

Data Protection

ChaosSearch is committed to information security best practices. In line with GDPR, ChaosSearch assesses the measures required in its products based on factors like data sensitivity, impact, risk, and available technology.

Security is a core requirement of, and a guiding mantra in, the design of every component of ChaosSearch's products. This includes encryption of data in flight and at rest, continuous vulnerability and penetration testing of systems, and “firewalled” DevOps procedures to ensure security.

Data Location

Customers of ChaosSearch can elect to have their data stored within the EU or other global locations. ChaosSearch assures that the customer’s data will remain in the region selected.

If you have further questions, you may contact Scalable at privacy@chaossearch.io.