Ruijie Cloud & GDPR
Ruijie Cloud is committed to enhancing our internal capabilities and readiness for compliance with the General Data Protection Regulation (hereinafter referred to as “GDPR”). We understand that GDPR requires enterprises to comply with a set of principles and implement a set of measures to ensure a significant level of data privacy and data security, and we have achieved a significant level of compliance with the Regulation through our continuous devotion to data privacy and data security compliance.
GDPR with Ruijie Cloud: A Shared Responsibility
Under GDPR, compliance is a shared responsibility between Data Controllers and Data Processors. While we are committed to helping our customers along their journey to GDPR readiness and compliance, it is key to reach a shared understanding as to roles and responsibilities we and our customers shall undertake under GDPR.
Data Controller – A legal or natural person, an agency, a public authority, or any other body who, alone or jointly with others, determines the purposes of any personal data and the means of processing it.
Data Processor – A legal or natural person, agency, public authority, or any other body who processes personal data on behalf of a data controller.
Notably, when providing network Operations & Maintenance (‘O&M’) solutions and services to our customers, Ruijie Cloud acts primarily as a Data Processor with respect to personal data of our customers’ network users, normally collected by our customers’ networks. We process such personal data on behalf of our customers to the extent necessary to provide network O&M services to our customers.
What Data is Collected and Why?
We collect and process personal data of our customers’ network users, and our customers’ network administrators, including:
For network users, we collect and process:
· device IP address, device MAC address, device manufacturer, device traffic usage, device online/offline time
For network administrators, we collect and process:
· general personal data (including e-mail, company name, country/region, password (encrypted) of account) when the network administrators of our customers register an account with us;
· network identification information (including system account number, IP address, e-mail address and password, passphrase, and passphrase-protected key related to the foregoing);
· personal browsing history (referring to user operation records stored in logs, including website browsing history, and click history);
· frequently used personal device information (including hardware serial number, device MAC address, device IP, device operating system, device manufacturer, device traffic usage, device online/offline time, software list, and unique device identification code)
When the administrators choose to answer our Users Profile questionnaires, we will also collect the user profile relating to the administrators’ type of business, job responsibility, business size and industry.
Product Features that support our Customers as Data Controllers in fulfilling GDPR-compliance
Our products are fundamentally designed with privacy and security in mind, introducing particular solutions and tools for the GDPR compliance, including:
· responding to data subject requests
The GDPR provides rights to residents in the European Union (“EU”) that allow them to control their personal data. To exercise their rights, the GDPR allows EU residents to send a request to the data controller. To help our customers as data controllers respond to data subject requests and facilitate the exercise of data subject rights, we are thus equipped with a set of supportive features as follows.
· Right of Access and “to be Forgotten”
Customers can locate data subjects and their related personal data stored in the Cloud by entering keywords, including MAC, SN, SSID, in the Search box. For the right of access, customers can then give data subjects access by providing a copy of the personal data undergoing processing. For the “Right to be Forgotten”, we normally store network users’ data in the Cloud for a period of 15 days, and the data is automatically deleted at the end of the 15 days. For network users’ requests to delete data before automatic deletion, customers can contact us at email@example.com and we will provide technical support to help fulfill data subject requests.
· Restriction of processing
In Ruijie Cloud, data can be identified, hidden, and removed upon a verified request to restrict processing. If the customers receive such data subject requests, we could specifically provide such technical support to assist our customers in addressing such GDPR related obligations.
In addition, Ruijie Cloud provides logging to track these actions so our customers can better document them. Our customers can visually track data erasure, modification and configuration events in the “operation log”.
· Consent tools
Portal page functionality allows Ruijie Cloud customers to provide notice to, and obtain any necessary consents from, users of their networks for the collection, processing, and storage of network user data.
· Data hosting visibility
When creating a new account, Ruijie Cloud customers have the option to select the region where their data will be stored. For verification, the product displays the hosting region.
Technical measures we take to enhance data security
With regard to our cloud infrastructure, Ruijie Cloud takes comprehensive security measures to secure any data in the cloud, including:
· Securing the data in our GDC and RDCs, including with threat-prevention measures, firewalling and penetration testing
· Strictly limiting access to our cloud infrastructure to a small number of designated Ruijie Cloud engineers and monitoring and tracking their activities while working in the cloud infrastructure
· Protecting data storage in the Ruijie Cloud through encryption.
Ruijie Cloud Services are hosted within Google data centers, taking advantage of its security and compliance capabilities at the data-center layer. Ruijie Cloud takes additional measures to secure our cloud-based applications, including:
· Firewalling, to control and protect inbound and outbound traffic
· Threat detection, with continuous monitoring for malicious and unauthorized behavior, including unauthorized system access and brute-force attacks
· DDoS-attack prevention and flow control with industry-leading tools
· Staging all Ruijie Cloud releases and patches with continuous penetration scanning for application vulnerabilities, to prevent any issues prior to actual deployment in production
· Industry-standard OS hardening processes for production server deployment
· Securing access to the underlying computing infrastructure with features like VPC, NAT, TLS encryption, reporting tools and automated password protection
· Strictly limiting access to the cloud infrastructure to a small number of designated Ruijie Networks DevOps engineers
· Monitoring and tracking DevOps-personnel activities in the cloud environments, with a server/application audit trail.
Breach Monitoring and Alerts
We understand that when a data breach incident occurs, we need to notify our customers without undue delay.
Ruijie Cloud has implemented data encryption to prevent potential data breaches from happening, and will promptly provide appropriate communications to our customers and affected business partners once an incident occurs.