GDPR strengthens and unifies data protection for all individuals within the European Union (EU). It gives EU citizens and residents back control over their personal data. The General Data Protection Regulation is regarded as the toughest privacy and security law in the world and, although it is a European law, it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the European Union.
Personal data shall be processed lawfully, fairly and transparently in relation to the data subject.
The controller shall be responsible for, and be able to demonstrate, GDPR compliance.
The controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
Technical measures for GDPR compliance
Technical measures are the measures and controls applied to systems and to any technological aspect of an organization, such as devices, networks and hardware. Protecting these is crucial for the security of personal data and is the best line of defence against a data breach. Here are some technical measures that Mailfence implements:
- Emails are sent over SSL/TLS-encrypted connections. SSL/TLS is a cryptographic protocol designed to secure data in transit.
- Users can encrypt their emails with OpenPGP, the most widely used email encryption standard, which is also used by several other encrypted email providers.
Firewalls, malware scans, antivirus protection, anti-spam, anti-abuse, IP reputation, rate limiters, anti-DDoS, continuous patching and updating of used software and many other technical security measures protect the personal data processed by Mailfence against cyberattacks. More information on how we secure the data can be found here:
Information Security Policy
Mailfence’s Information Security Policy includes authority and access control policies, data classification, policies regarding the treatment of our data and operations, security awareness and behaviour training, encryption policies, data backup policies, clear definitions of the responsibilities, rights and duties of personnel, and continuous hardening of our systems with reference to security benchmarks.
Business continuity plan
Mailfence has policies and measures in place to back up corporate data (including personal data) and to ensure that it can be recovered and maintained in the event of an incident. These measures include the continuous backup of data, storage in locations separate from our offices and our main data centre, and a Disaster Recovery Plan that is currently being set up.
Risk assessments
Mailfence performs regular risk assessments to identify and treat information security risks within Mailfence, and to define the acceptable level of risk as set by Mailfence leadership.
Other Policies and Procedures
Mailfence has policies and procedures that help our organization and employees know what to do when certain situations arise. These include a clean desk policy, a bring-your-own-device policy, a remote working policy, data breach procedures and Data Subject Rights (DSR) procedures, among others.
Awareness and training
Developing a culture of security and data protection awareness ensures employees are aware of the legal requirements and of what is expected of them. Security and data protection are not achieved only by implementing technical solutions; the human factor is extremely important. Regular and ongoing training and awareness-raising activities are carried out at Mailfence. In order to give back, we share some of our expertise in this domain with our users and the outside world by publishing our Email Privacy and Security course.
Reviews & Audits
Having policies and procedures is not enough for GDPR email compliance. You have to make sure they are effective. That’s why Mailfence works together with security specialists and bug bounty hunters who continuously test and scan our application. This helps us evaluate the effectiveness of our work and correct what isn’t working.
Third parties
In order for your organization to comply with GDPR, we provide a Data Processing Agreement. You need to ensure that any other third parties that handle your customers' data, such as your email provider, subcontractors and cloud services, are also compliant. To satisfy this obligation, you need to have a Data Processing Agreement with every service that processes data, in order to establish the rights and obligations of each party under the GDPR.