GDPR (General Data Protection Regulation) will be applicable to all organizations controlling and processing the data of EU citizens(from within or outside Europe) from May 25, 2018. This is bound to bring some significant changes in the way data is currently being held/processed by organizations.
Current digital age can be defined by the broader use of technology. It has also changed the definition of user personal data. GDPR aims to achieve the standardization in data protection laws for EU data subjects. It will provide users more access over processing of their personal data.
LambdaTest is committed to make sure that the controlling/processing of personal data of users by us, is in accordance with the guidelines defined by GDPR and the UK’s Data Protection Bill/insert relevant country DP law. Our preparation for GDPR compliance has been summarized in this statement. It includes the implementation measures, change in current procedures and policies that we're taking/have taken to become GDPR compliant.
How We are Preparing for the GDPR
LambdaTest already have a very robust data security and backup system in place, however to become GDPR compliant before May 25, we are introducing few more features in our system to ensure transparent user data processing.
Our preparation includes:
- Data Retention Period: We have updated our data retention policy to make sure that we meet the ‘data minimization’ and ‘storage limitation’ principles and that user personal data is processed at our end in accordance with GDPR guidelines.
No Test Data is stored at our end.
Only Test Case Results, screenshots, and videos taken by users, and issue data entered by users, are stored for user convenience and product analytics purpose. These records are stored only for 9 months at maximum, after which, these are deleted permanently from our databases.
- User Data Portability: We are working on the Data Download feature for Test Logs, Issue Tracker and User Profile modules. User will be able to port their test and account information.
- User Data Deletion: We have dedicated erasure procedures in place to meet the new ‘Right to Erasure’ obligation in GDPR. User can request Data Deletion for all their Test Logs, Issue Tracker and User Profile modules. We are also working on feature that will allow users to delete their test and account information. Post this deletion, requested information will be permanently deleted from all of our databases.
- Information Audit: We have established an organization-wide workflow for frequent information audit to identify and assess what user personal data is controlled by us, how it is processed, and which organizational entities are involved in each step.
- Policies & Procedures: We are revising our data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:
- Data Breaches: Our Business Continuity Plan and Disaster Management documents are being updated to meet the GDPR clause that mentions that in case of any data breach corresponding regulatory Authority must be notified as soon as possible within 72 hours. We have procedures in place to identify and asses risks in such cases. A reporting mechanism has also been introduced within the organization to tackle such events with utmost priority.
- Legal Basis for Processing: We are reviewing all processing activities to identify the legal basis for processing and ensuring that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.
- Direct Marketing: We have revised the processes involved in direct notification and product update e-mails, including clear opt-in procedures for all notification subscriptions; a clear notice and method for opting out. We are also providing unsubscribe features on all subsequent marketing materials.
- Obtaining Consent: We have revised our consent obtaining procedures for personal data, ensuring that individuals understand what data they are providing, why and how we process it, and giving clear, defined ways to consent to us processing their information. We have developed strict processes for recording consent, ensuring that we can evidence an affirmative opt-in, along with time and date records; and an easy access way to withdraw consent at any time.
Data Subject Rights
In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, we provide easy to access information via our website, of an individual’s right to access any personal information that LambdaTest processes about them and to request information about:
- What personal data we hold about them.
- The purposes of the processing.
- The categories of personal data concerned.
- The recipients to whom the personal data has/will be disclosed.
- How long we intend to store your personal data for.
- If we did not collect the data directly from them, information about the source.
- The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this.
- The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use.
- The right to lodge a complaint or seek judicial remedy and who to contact in such instances.
Information Security & Technical and Organizational Measures
LambdaTest takes the privacy and security of individuals and their personal information very seriously and take every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction and have several layers of security measures, including:
- SSL(Secure Sockets Layer): In our application we have implemented HTTPS by default, and use VNC protocols for secure data transfer. This data is also encrypted to ensure that data is not compromised in-transit.
- Access Controls: We have implemented strict 24x7 security protections at our on-premise development centers. Only authorized individuals have access to building and LambdaTest office premises. Our application data is hosted on industry leading hosts like Amazon Web Services, who have been thoroughly tested by multiple third party auditors for security. All our employees sign confidentiality agreements which extends to user agreements between LambdaTest and Clients. Also, we have strict user role based access to all our customer data therefore, only most important employees have access to only relevant data.
- Password Policy: All user access is password protected. In addition user sign-ups are verified through a two-step verification workflow.
- Encryption: All data saved in our application like login credentials, secure access keys, usage logs, test history, and billing details, are stored in an encrypted format.
- Data Backup: We use AWS services like AWS S3 to store and take backups of our data. All data stored on AWS instances are stored using advanced AES256 encryption standards. Any data that is not critically required gets deleted through standard DELETE requests on S3 buckets. However we have implemented versioning and rollback steps to prevent accidental deletion of data. Therefore, even delete requests do not immediately delete all data. For that we have implemented provisions to scrub all data including the historical backup data on client requests via support or via delete feature.
GDPR and Employee Training
LambdaTest understands that continuous employee awareness and understanding is backbone to the continued compliance of the GDPR and have involved our employees in our preparation plans. We have implemented an employee training program specific to the which will be provided to all employees prior to May 25th, 2018, and forms part of our induction and annual training program.
If you have any questions about our preparation for the GDPR, please connect with us at firstname.lastname@example.org.