Security and Privacy

Security and speed are our priorities

Information on the processing of personal data

pursuant to Article 13 of the GDPR 679/2016

Pursuant to Article 13 of the GDPR 679/2016 (“General Data Protection Regulation”), containing provisions on the processing of personal data, we inform you that DEFENX ITALIA SRL, as Data Controller, will use information concerning you and provided by you, qualified as “personal data” by the GDPR 679/2016. The law provides that anyone who processes personal data is required to inform the interested party about which data are processed and about certain elements qualifying the processing, which must in any case take place in a lawful, correct and transparent manner, protecting your confidentiality and guaranteeing your rights.

  1. Data Controller

The Data Controller is DEFENX Italia Srl, with registered office at Via Larga 7, Milan 20122.

  2. Data protection officer (RPD / DPO)

The Data Protection Officer can be reached at the following email address: dpogruppo@bv-tech.it.

  3. Purpose of the processing and nature of the data

Your personal data will be processed for the following purpose:

to fulfill the existing contract with you for the supply and management of the “Memopal” solution and/or related services requested, and more precisely:

  a. User’s email address (required for user identification, registration and login).
  b. User license key (used to identify a specific license, for renewal and support).
  c. Account access password (required to protect against access violations).
  d. Name, model and type of device of the user (necessary to identify the devices themselves and the functions available).
  e. Type of operating system installed on the device at point 3d (necessary to identify the available functions).
  f. IP address (required to protect against access violations).
  g. Browser type (if used) (necessary to identify the available functions).
  h. Your files. The Cloud service automatically archives the files selected by the user, making it possible to synchronize between different devices, services and other users. To do this, we store, process and transmit user files and related information.
  i. We also collect administrative information for contract management.
  j. We collect information relating to your inquiry if you contact us with questions or complaints.

Optional

  k. Name and Surname (necessary to identify the user).
  l. User address (necessary to identify the user).

 

  4. Legal basis of the processing

The personal data referred to in points 3a, 3i and 3l of this notice will be processed lawfully because the following conditions are met:

  • the processing is necessary for the execution of a contract to which the interested party is a party or for the execution of pre-contractual measures adopted at the request of the same (Article 6, paragraph 1 letter b of the GDPR);
  • the processing is necessary to fulfill a legal obligation to which the Data Controller is subject (Article 6, paragraph 1 letter c);
  • the processing is necessary for the pursuit of the legitimate interest of the Data Controller (Article 6, paragraph 1 letter f).

The personal and particular data, on the other hand, referred to in points 3k and 3l may be lawfully processed only with your specific, separate, express, documented, prior and completely optional consent (Article 6, paragraph 1 letter a; Article 9, paragraph 2 letter a).

The consent you have given may be revoked at any time, without prejudice to the lawfulness of the processing based on the consent given before the revocation (Article 7 paragraph 3 of the GDPR).

  5. Obligation or right to provide data and consequences of any refusal

The provision of data is necessary for the establishment and management of the contractual relationship. We inform you that without it, it will be impossible for our Company to fulfill the legal and contractual obligations in place with you; failure to provide the data will therefore make it impossible to establish or continue the contractual relationship, to the extent that such data are necessary for us to correctly fulfill the obligations related to the management of the contract.

  6. Storage

Personal data will be stored for a period of time not exceeding what is needed to achieve the purposes for which they are processed, in compliance with the storage limitation principle provided for by the EU Regulation and/or for the time necessary for legal obligations.

Users with a paid subscription (as long as the subscription is valid) remain within the infrastructure indefinitely unless the user requests their deletion. Upon expiry of a paid subscription, or the right of withdrawal, within 10 (ten) working days following the purchase of the Service or the request for deletion of the account, all data is deleted.

Users with a free subscription remain within the infrastructure indefinitely, unless the user performs no operation for at least 3 (three) years, in which case they will be eliminated.

  7. Data recovery in the event of termination or expiration of the Agreement

The user can download the archived data for a period of 15 (fifteen) days from the date of termination or expiration of the Agreement. In the event that 15 days are not sufficient, within this period the customer must request different arrangements from Defenx by means of written communication. If a written request is received from the customer within 15 (fifteen) days from the termination or expiry of the Contract, Defenx can send the data on a physical medium (for example on a hard disk) by post or courier, at the customer’s expense.

  8. Data removal

At any time the customer can request the deletion of their data from the archive by written communication. This request will be satisfied within 7 (seven) working days. In the event that the user does not explicitly request deletion, Defenx may keep the user’s data up to a maximum of 90 (ninety) days after the expiry of the Contract, exclusively for technical reasons. For the purposes of commercial operations and legal obligations, Defenx will keep the information on the customer’s account within the terms established by current legislation.

  9. Termination

Defenx reserves the right to promptly terminate the Agreement upon written notice in the event that:

  i. the customer has violated the current legislation or the rules on the use permitted by the Contract;

  ii. the customer has not paid the fees or other contractual sums due to Defenx, or has not remedied other violations of the contractual terms within 10 (ten) days of receiving a written reminder;

  iii. Defenx reasonably believes that the actions of the customer could bring about legal liability for the customer himself, for other customers or for Defenx.

  10. Security

  a. Digital Certificate
    We comply with all industry standard measures aimed at eliminating the risks of damage and unauthorized access or use of personal information, ensuring that we have implemented adequate technical and organizational policies to apply the security measures established by the GDPR. All data is transmitted using the HTTPS protocol encrypted with the TLS (Transport Layer Security) standard at the highest level of certification. Any connection to a server that has an untrusted certificate is rejected by the client to avoid man-in-the-middle (MITM) attacks.

    The authentication phase begins only after establishing a valid SSL connection, so that when a fake certificate is offered to the client, no username or password is sent from the client to the server.

  b. Authentication
    To be able to install the solution on any computer, you must have a user account with the appropriate privileges. In this way, no one can install the solution on a PC in order to get hold of other people’s data.

  c. Encryption and data
    The data is transferred encrypted from the client to the server, then stored in an encrypted file system and distributed in blocks with the RAID-5 policy.

    By inspecting MGFS (Memopal Global File System) it is impossible to know who is the owner of the file being backed up and the name of the original file. If someone were to take a storage unit from the infrastructure, it would still be impossible to access the stored information.

    The data structure that contains the associations between the files and their owners is also encrypted. These data are not accessible even to service personnel, not even during any maintenance interventions.

  d. Data Center and Server Farm
    The Data Center and the Server Farm meet the TIER IV standard (maximum level of certification) and are certified according to ISO 27001. The infrastructure provides, among others, complete fault tolerance, the presence of two electrical power distribution paths simultaneously active and the possibility of carrying out hot maintenance interventions.

    The physical level security measures of the Data Center include an integrated video surveillance system, perimeter intrusion sensors, armored glass and an armed surveillance station present 24 hours a day, 7 days a week. The building is designed to be protected against disastrous events of a seismic, energetic and hydrological nature.

 

  11. Methods of processing and recipients of data

The processing of personal data will be carried out using paper and electronic tools by the Company’s staff, authorized to process personal data, following our letter of appointment which imposes on them the duty of confidentiality and security in the processing of personal data and the adoption of security measures suitable to prevent the loss of data, illicit and incorrect use, and unauthorized access, in compliance with the current provisions on the protection of personal data.

  12. Transfer, dissemination and communication of data

The data being processed will not be transferred to third countries or international organizations, will not be disseminated, and will not be disclosed to third parties except, where necessary, for legal or contractual obligations or to our trusted subcontractors and third party service providers, with which the Data Controller has signed the confidentiality and data processor agreements provided for by the current privacy legislation.

  13. Rights of the interested party

As required by EU Regulation 2016/679, the interested party has the right to exercise the rights provided for in Articles 15 et seq. of the GDPR, listed below and precisely:

  • obtain confirmation from the Data Controller whether or not personal data concerning him is being processed and, in this case, obtain access to personal data and the following information (so-called right of access):
  • know the purposes of the processing, the categories of personal data in question, the recipients or categories of recipients to whom the data have been or will be communicated, in particular if recipients of third countries or international organizations, when possible the retention period of the data provided or the criteria used to determine this period, and if the data are not collected from the interested party, obtain all available information on their origin;
  • obtain the rectification of data concerning him (so-called right of rectification);
  • obtain the cancellation of data concerning him (so-called right to be forgotten);
  • obtain the limitation of processing (so-called right to limitation of processing);
  • obtain data portability, i.e. receive them from a Data Controller in a structured format, commonly used and readable by an automatic device and transmit them to another data controller without impediments, in the cases provided for by law (so-called right to data portability);
  • oppose the processing at any time (so-called right of opposition);
  • be made aware (with the possibility of objecting) of the existence of an automated decision-making process relating to individuals, including profiling;
  • revoke the consent given at any time;
  • propose a complaint to a Supervisory Authority (Guarantor for the Protection of Personal Data).

 


It should be noted that there may be conditions or limitations to the rights of the interested party. It is therefore not certain that, for example, you have the right to data portability in all cases; this depends on the specific circumstances of the processing activity. Likewise, if you decide to oppose the processing of data, the Data Controller has the right to evaluate your request, which may not be accepted if there are compelling legitimate reasons to proceed with the processing that prevail over your interests, rights and freedoms.

  14. Procedures for exercising rights

Without any formalities, the interested party may at any time exercise their rights clearly and explicitly by sending:

– an e-mail to, or by contacting, the RPD / DPO: dpogruppo@bv-tech.it – +39/02.85 96 171

or by contacting the Data Controller directly by sending:

– a registered letter with return receipt to Defenx Italia S.r.l., Via Larga 7, Milan 20122

– an e-mail to the address: info@memopal.com

 

Milan 12/23/2021
