How ONLYOFFICE Enterprise Edition helps you be GDPR compliant

26 June 2018, by Ksenija

Every company that handles the personal data of EU residents has by now updated its privacy policy to comply with the GDPR (recall the flood of policy-update notices in your mailbox).

We are sure that the security of users' personal data is as important to you as it is to us. Read on to learn how ONLYOFFICE Enterprise Edition can simplify your compliance and help your organization meet GDPR requirements.


Double responsibility: data controllers and data processors

According to the new data protection law, ONLYOFFICE acts both as a data controller and data processor. Read more about it in this blog post.

When you process the personal data of your users in ONLYOFFICE, you also act as a data controller. That is why we not only ensure our own compliance but also help you comply with the GDPR.

Respecting key rights guaranteed by the GDPR

The GDPR sets out personal data rights, including the right to access, update and delete information, the right to withdraw consent to the processing of personal data, the right to lodge a complaint with a supervisory authority, and others.

We have already tailored our data security policy to these rights. Here is how you can respect them as a portal administrator in ONLYOFFICE Enterprise Edition.

Right to access and update data

As an administrator or portal user you have access to the following personal data: first and last name, email, date of birth and contact information. You can update personal information at any moment on your Profile page. Changing a password or email requires additional steps: for security reasons, ONLYOFFICE neither displays passwords nor sends them directly to users. Instead, a notification with instructions on how to proceed is sent to the specified email address.

Administrators can also change this information at a user's request.

[Screenshot: editing a profile in ONLYOFFICE]

Right to be forgotten / Right to object

When leaving the organization, a portal user can permanently delete their profile and all the personal data stored in it from the Profile page (instructions are sent via email as well), or ask a portal administrator to do it.

To stop processing a user's personal data, administrators can disable the user. In this case, the content created by the disabled user remains on the portal, and the account can be re-enabled at any time upon request.

Alternatively, administrators can permanently delete the user's personal data, removing:

  • all personal documents;
  • CRM report files;
  • all emails and attached files;
  • attached files from Talk.

To avoid losing important corporate information, administrators can reassign some types of data to other users before deletion.

[Screenshot: data reassignment in ONLYOFFICE]

Right to be notified

If a personal data breach occurs, the GDPR requires the data controller to report it to the supervisory authority within 72 hours of becoming aware of it, and to inform the affected users without undue delay when the breach is likely to put them at high risk. Administrators can use the email or chat available in ONLYOFFICE to send that notification to users.

Keeping data protected

On-premises installation and open source code support transparency and reliability. Running ONLYOFFICE Enterprise Edition on your own server and keeping all data in-house means that no external party processes your data: nobody outside your organization needs access to your own or your users' data stored on the portal, and the remaining exposure is determined by how well you secure the server itself.

In addition, ONLYOFFICE Enterprise Edition provides portal administrators with a set of security tools and features.

Protect data from hacking

To encrypt portal traffic in transit, so that logins and documents cannot be read or altered on the way between browser and server, enable HTTPS via the Control Panel.

Control access to the portal

[Screenshot: portal access settings in ONLYOFFICE]

  • To bring users and groups in from your existing directory instead of maintaining a separate set of accounts, use the LDAP Support option in the Control Panel.
  • To reduce the number of places where login credentials are stored and entered, enable authentication via one of the supported single sign-on services (Shibboleth, OneLogin, or AD FS).
  • To keep unwanted visitors off your portal, allow registration from trusted mail domains only and adjust the IP restriction settings.
  • To require passwords that withstand brute-force guessing, set password complexity criteria (minimum length and required character types).
  • To block access even if a password is compromised, activate two-factor authentication; login is then possible only after entering a one-time passcode delivered by SMS.
  • To log users out automatically after a fixed period, set the cookie lifetime option.

Control access to sensitive data and files

To limit who can see specific data:

  • Differentiate access levels within the portal: guests with view-only permissions, users with basic privileges and administrators with advanced privileges.

[Screenshot: portal administrator settings in ONLYOFFICE]

  • Set up access rights for each portal module, e.g. restrict access to a module for a certain user or group of users.
  • Manage access rights within modules: restrict access to a contact, task, case or opportunity by making it private in the CRM module, and share documents and folders with different access rights* in the Documents module (Full Access, Review, Read Only, Deny Access).

* Requests between the portal and the document editing service are signed with a JWT (JSON Web Token) using a secret shared by both sides. The editing service accepts only requests the portal has issued, and the permissions embedded in a signed token cannot be altered by the client, so users and guests can perform only the operations their sharing rights allow and cannot reach more data than permitted. Note that the JWT protects the document requests, not the network connection itself; encrypting the connection is what HTTPS is for.

Monitor potentially fraudulent behaviour

  • Reveal unauthorized access attempts with the Login history option.
  • Track all actions performed on the portal, including unwanted ones, with Audit trail reports.
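These two options give you the raw records; turning them into an alert still needs a rule. The following Node.js snippet is an added example, not ONLYOFFICE code, that runs a simple brute-force rule over constructed login-history records: it flags any source IP with at least five failed logins within five minutes, lists the accounts it targeted, and notes whether a successful login followed the burst (the case that needs the fastest response). The record fields (ts, user, ip, ok) are an assumption; map them to the columns of your own Login history export.

```javascript
// Added example, not ONLYOFFICE code: a sliding-window brute-force rule over login-history
// records. The record format and the sample rows below are constructed for illustration.
const sampleEvents = [
  { ts: '2018-06-26T08:00:01Z', user: 'alice', ip: '203.0.113.7',  ok: false },
  { ts: '2018-06-26T08:00:20Z', user: 'alice', ip: '203.0.113.7',  ok: true  },
  { ts: '2018-06-26T08:10:00Z', user: 'bob',   ip: '198.51.100.9', ok: false },
  { ts: '2018-06-26T08:10:12Z', user: 'bob',   ip: '198.51.100.9', ok: false },
  { ts: '2018-06-26T08:10:25Z', user: 'bob',   ip: '198.51.100.9', ok: false },
  { ts: '2018-06-26T08:10:40Z', user: 'bob',   ip: '198.51.100.9', ok: false },
  { ts: '2018-06-26T08:10:55Z', user: 'bob',   ip: '198.51.100.9', ok: false },
  { ts: '2018-06-26T08:11:09Z', user: 'bob',   ip: '198.51.100.9', ok: true  },
  { ts: '2018-06-26T09:00:00Z', user: 'carol', ip: '192.0.2.50',   ok: false },
  { ts: '2018-06-26T09:00:30Z', user: 'dave',  ip: '192.0.2.50',   ok: false },
  { ts: '2018-06-26T09:01:00Z', user: 'erin',  ip: '192.0.2.50',   ok: false },
  { ts: '2018-06-26T09:01:30Z', user: 'carol', ip: '192.0.2.50',   ok: false },
  { ts: '2018-06-26T09:02:00Z', user: 'dave',  ip: '192.0.2.50',   ok: false },
];

// Returns one finding per source IP that produced `threshold` or more failed logins
// within any `windowSec`-second window. A finding also records which accounts were
// targeted and whether a login from that IP succeeded while the failure burst was still
// within the window.
function findSuspiciousSources(events, { threshold = 5, windowSec = 300 } = {}) {
  const byIp = new Map();
  for (const e of [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts))) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }

  const findings = [];
  for (const [ip, evs] of byIp) {
    const window = [];          // timestamps (ms) of failures inside the current window
    const users = new Set();
    let maxBurst = 0;
    let successAfterBurst = false;
    for (const e of evs) {
      const t = Date.parse(e.ts);
      while (window.length && t - window[0] > windowSec * 1000) window.shift();
      if (e.ok) {
        if (window.length >= threshold) successAfterBurst = true;
        continue;
      }
      window.push(t);
      users.add(e.user);
      maxBurst = Math.max(maxBurst, window.length);
    }
    if (maxBurst >= threshold) {
      findings.push({ ip, failures: maxBurst, users: [...users].sort(), successAfterBurst });
    }
  }
  return findings.sort((a, b) => a.ip.localeCompare(b.ip));
}

console.log(findSuspiciousSources(sampleEvents));
```

On the sample data the rule ignores alice's single typo, flags 192.0.2.50 as a password-spraying source (five failures across three accounts, no success) and flags 198.51.100.9 as a successful brute-force against bob, which is the finding that warrants disabling the account and resetting its password first.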

Prevent any data loss

[Screenshot: automatic data backup settings in ONLYOFFICE]

More instructions on how to secure ONLYOFFICE can be found on the security page or in this article.

In case you have any follow-up questions regarding ONLYOFFICE and our GDPR compliance, please contact us at support.onlyoffice.com.