SynergySuite's Data Protection Policy and Commitment to GDPR and US Privacy Acts (CCPA, CPA, and CDPA)

Introduction

The European Union has taken steps in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR) which will be effective from May 25, 2018. EU residents will now have a greater say over what, how, why, where, and when their personal data is used, processed, or disposed of.

This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents’ personal data in any manner, irrespective of location, has an obligation to protect the data.

The GDPR act was the first comprehensive data privacy law and has inspired and become the basis of other legislation around the world, including the California Consumer Privacy Act (CCPA).

This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data.

SynergySuite’s Commitment

SynergySuite provides Software as a Service (SaaS) to the restaurant and hospitality industry. SynergySuite follows the GDPR steps to ensure full compliance with the Data Protection Regulation.

SynergySuite provides a processing platform for data to be entered by a user. No data is held for reasons beyond the scope of the client’s own use. The client owns full responsibility for the accuracy of the data entered. The data is entered by the client or by SynergySuite at the client’s request. However, ownership and management lie with the client. In this view, SynergySuite has been deemed a Data Processor and not a Data Controller, as such tools are provided to ensure the client is capable of completing any request deemed appropriate under GDPR.

According to Article 17 Sections 2 and 3, SynergySuite shall only act on the client’s instructions and the personal data we process is stored securely. In the event SynergySuite believes the client’s instructions conflict with the requirements of the GDPR or other EU or Member State laws, under Article 28 Section 3, the data protection officer will inform the client immediately.

SynergySuite will contact your assigned DPO contact in the event SynergySuite is required to publish any updates or changes in relation to GDPR or data production. In the event of a data breach, SynergySuite has specific steps in relation to notification, or communication. This is detailed further in this document.

Datacenter Security

To underline our commitment to security best practices, our use of the AWS (Amazon Web Services) infrastructure sets a standard of security management standards. This includes the certification of the ISO 27001:2005 Security Management standard, which ensures the proper selection of adequate and proportionate security controls to protect all information assets within the AWS data centers, more details can be found here: https://aws.amazon.com/compliance/iso-27001-faqs.

The security of your business-critical data and systems is our primary concern. To this end, SynergySuite utilizes best-in-class cloud data center services provided by AWS, no SynergySuite employees have direct access to the physical data centers, and the data centers are fully maintained by AWS-approved employees. 

Access to physical servers requires approvals and valid business justifications. Requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access and are time-bound. Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized access utilizes multi-factor authentication mechanisms to access data centers. 

More details on the security and access of AWS’s physical locations can be found here: https://aws.amazon.com/compliance/data-center/controls.

All services provided by AWS can only be accessed through current authorized employees, using multi-factor authentication and encrypted VPN (Virtual Private Network) connections. 

Various firewalls are used for internal network communication, and external communication ensures only necessary ports are open to being accessed, and are fully monitored and alerted when unusual activity is identified.

Employees requiring direct access to data are vetted and trained on data security prior to access. Access is limited to data required for development and support purposes. General staff do not have source database access.

Utilizing the AWS infrastructure allows us access to unrivaled networking across the globe. Using their peering and interconnection services allows us to make SynergySuite available within multiple locales without the need for a physical presence. Details and policies on the Interconnect global network can be found here: https://aws.amazon.com/peering.

All SynergySuite transactional data is stored in AWS Aurora databases using cluster volumes. A cluster volume consists of copies of the data across three Availability Zones in a single AWS Region. Because the data is automatically replicated across Availability Zones, the data is highly durable with less possibility of data loss. This replication also ensures that your database is more available during a failover.

More details on reliability and repair can be found here: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html

For non-transactional data, SynergySuite uses AWS’s standard S3 data. Similarly to our database access, multiple copies of the data are replicated to ensure the data is highly durable and more available during a failover. More details on the S3 data protection standards can be found here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/DataDurability.html.

Data Access and Ownership

Login access is granted by client administrators who are provided with login credentials. Passwords are required to meet a strong password policy including a min password length and an alpha-numeric format. Creating new accounts is done via an email activation process. Temporary passwords are provided, and prompt users to create unique passwords meeting our password policy. Passwords are not accessible after they have been set but can be reset upon request.

Upon logging in, SynergySuite provides an encrypted login token that is valid for 7 days or invalidated upon logging out of SynergySuite. SynergySuite also has systems in place to automatically invalidate login sessions after an inactivity period, set up by the client on request. These login tokens are encrypted into an alpha-numeric sequence and do not relate to any login credentials. After the token has been inactivated, the login token can never be used again. Upon logging back in to SynergySuite a new login token is provided.

Data stored by SynergySuite is accessible by the client through the SynergySuite portal. The client administrator has full access to amend and update all data. Upon request, an audit log can be provided detailing logged-in users and access times of logins, this is stored for two weeks at a time after which the data is removed.

SynergySuite staff that require access to client data can only be accessed via an approved login or when required via the database, this can only be accessed by approved employees using multi-factor logins and encrypted VPNs. Access is recorded via an audit trail and is logged for security reasons. SynergySuite staff are not permitted to access or amend client data, without the consent of the client administrators, according to Article 29. Access to data is only available to approved developers and approved support staff once consent is received. General employees of SynergySuite do not have access to client data. All SynergySuite persons authorized to access or amend client data have undergone appropriate training and are under obligation to ensure that data is strictly confidential. This is in accordance with GDPR Article 28 section 3.

SynergySuite does not use any client data for marketing or research purposes. Client data is also not shared with third parties or services without the consent of the client, according to GDPR Article 28 sections 2 and 4. In the event data is shared for purposes such as Payroll interface, and EDI ordering, the HR system’s clients would be required to provide written consent, if not already agreed upon to execute a service agreement. The third party will be deemed a sub-processor and must be appointed on the same terms as set out between the client and SynergySuite in accordance with GDPR Article 28 sections 1 and 2.

SynergySuite processes some personal data. This data is only accessible from valid logins with allowed permissions. Users without the required permissions have no way of accessing sensitive data. SynergySuite also provides biometric clocking for some clients. We do not store user fingerprints but do store an encrypted, one-way, alpha-numeric encoding of its identifying features that are calculated by the Biometric Device. This is then used again to confirm clocking processes. Below are the steps completed relating to the scanning of user fingerprints.

When the user places his/her finger(s) on the fingerprint sensor during the enrollment process, the biometric device takes a picture of that user’s finger’s key minutiae points. Then the biometric uses its proprietary mathematical algorithm and converts that picture into a unique mathematical template that is comparable to a 60-digit password. This unique template is then encrypted and stored in the biometric database.

IMPORTANT NOTE: Privacy issues should never be a concern when using the biometric device because no real image of a user’s fingerprint is stored. Only the minutiae-based templates are stored. Each time a user’s fingerprint is scanned, the device searches its database for a matching template. There is no way to obtain a person’s fingerprint from the minutiae-based templates which are stored. The minutiae-based templates can only be used to confirm a fingerprint scan matches a previously saved template.

GDPR Specifics

Personal data is any information that relates to an identified or identifiable living individual. Data that has been rendered anonymous in such a way that the individual was never or is no longer identifiable is no longer considered personal data. For data to be truly anonymized, the anonymization must be irreversible. 

Examples of personal data:

  • Name
  • Address
  • Email Address

SynergySuite understands it is your right to delete any or all data from the SynergySuite system. The client can exercise their rights under GDPR by simply logging in to SynergySuite to locate the data in question and delete it. If a larger amount is required for deletion, this can be done so upon request by Synergysuite, in line with GDPR article 33 section 20. 

SynergySuite understands it is your right to access personal data through subject access requests. SynergySuite has provided tools that allow users with the required permission to retrieve a Personal Report, detailing all the stored personal data from SynergySuite. It is the client’s responsibility to manage access to this data. As in accordance with Article 15 Section 3 of the GDPR, it is the controller who shall provide a copy of the personal data undergoing processing.

In the event a data breach on personal data has occurred, in accordance with Article 55, SynergySuite will inform the relevant Data Protection Officers, without any undue delay and no later than 72 hours after having become aware of the breach. Notifications will contain the below:

  • An outline of the breach;
  • A contact point for obtaining more information; and
  • Recommended measures to mitigate any possible adverse effects from the breach.


Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

SynergySuite’s primary communication is via email. Any product updates, changes, or anything that may impact the end user will be communicated to the key contact. This is usually the user who completed the signup process. All other emails from SynergySuite are via email subscriptions that can be controlled by each user’s mail settings. Any group-wide communications are managed by your system administrator.

SynergySuite will require access to data provided by some third parties. These include POS providers, vendors/suppliers, payroll systems, and accounts systems. Upon integration into any of these, a consent form must be signed by the client allowing SynergySuite to process any required data from the third party. SynergySuite will not share or use this data for any reason without the consent of the client.

From time to time SynergySuite might require remote access to client environments. This will be completed by LogMeIn or Teamviewer and requires the physical presence of the client to complete the connection. Access is only permitted on the basis that the client has approved a stored login process or provides a one-time login, where the token in use is valid for one session. Where access is not provided, SynergySuite will not be able to provide support in any remote instances.

SynergySuite will retain any processed data for the length of the agreement. Upon termination of the agreement, the data can be exported or deleted upon request. If a client has not requested either option upon termination, the data will be removed 3 months after the termination date. After such time the data is unrecoverable.

In accordance with Article 37, SynergySuite will appoint a Data Protection Officer. Their role will include:

  • Inform and notify of any changes or obligations under GDPR
  • Ensure SynergySuite is compliant and meets all requirements set under the GDPR
  • Address any requests directed to SynergySuite regarding any Data Protection issues or requests


The Data Protection Officer can be contacted by email or mail under the below details:

Email:
dpo@synergysuite.com

Address:
Data Protection Officer – SynergySuite
3300 N. Ashton Blvd., #375
Lehi, UT 84043
USA

CCPA Specifics

If you are a California resident, employees may ask employers to disclose what personal information they have about them and what they do with that information, request to delete your personal information, to direct businesses not to sell or share your personal information, to correct inaccurate information that they have about you, and to limit businesses’ use and disclosure of your sensitive personal information. 

The ownership of management of personal data is the employer’s responsibility. However, SynergySuite provides tools to help employers manage requests.

Any data that is used to identify an employee, such as name, address, email, phone number is classed as personal data. Other categories are not within scope of use within SynergySuite.

This is a specific subset of personal information that includes certain government identifiers (such as social security numbers), account login details, and biometric data. Other categories are not within scope of use within SynergySuite.

Similar to the GDPR policy, using the ‘Right to Access’ data under CCPA (granted by Cal. Civ. Code Sections 1798.100 and 1798.110) employees have a right to know what personal data is being used and for what purpose. SynergySuite does not process, use, or sell any personal data, and the data is owned by the employer. To fulfill requests by employees, the employer can run ‘Personal Reports’ to print off personal data for employees to see what is being stored. 

Again, similar to the GDPR policy, the ‘Right to Delete’ under CCPA (granted by Cal. Civ. Code Sections 1798.105) SynergySuite provides tools for employers to remove personal and sensitive data from employee records. Employers are responsible for owning and managing this process.

CDPA Specifics

The CDPA Privacy Act of Virgina builds on top of the GDPR, and CCPA privacy acts. While most rights under CDPA are covered under CCPA, the only difference between CDPA and CCPA when it comes to data within SynergySuite is consent of processing of data. As SynergySuite is not the owner of the data, it is the responsibility of the employer to arrange and document consent for any processing of personal data.