How ONLYOFFICE complies with GDPR

ONLYOFFICE welcomes the new data protection law coming into force on May 25. Keeping our users’ data safe and secure has always been one of our top priorities, and we have fully tailored our data security policy to GDPR standards.

Learn what measures have been taken by ONLYOFFICE to meet its requirements.

Adopted by the EU Parliament in April 2016, General Data Protection Regulation (GDPR) is aimed at defending individuals from privacy and data breaches. It specifies the lawful way to process personal data for companies that work with the EU residents.

The main principles:
 

• Companies practice data minimalism and collect only the data absolutely necessary for the completion of their duties.
• The data is used only in a legal and transparent way, with data subjects being informed of what personal data is processed, how and for what purposes.
• Individuals have the right to access their own personal data, request a copy and that their data be updated, deleted, restricted, or moved to another organization.
• Companies shall implement technical and organizational measures to ensure a level of security appropriate to the risk.

Read the full text of the legal act here.

The law describes two types of companies dealing with personal data:
 

• Data controllers determine the purposes for which personal data is processed and how it’s done.
• Data processors process personal data on behalf of the data controller, for example, store or analyse it.

We act both like data controller and data processor. For example, when you put information about your clients into our CRM system, you act as a data controller, and we are a data processor to you. But we are also becoming a data controller when we are supplying services to you and using your personal data. So, it’s important for us to ensure our own compliance as well as make it easier for you to comply as a data controller.

We are committed to complying with the new legislation. Here’s the list of measures taken by us to achieve that:

Legal agreements updates

We have reviewed our legal agreements – Terms and Conditions, Privacy statements and all the license agreements – and made all changes necessary to comply with the legislation. The improvements touch upon users’ consent for processing their personal data. Using personal data for marketing purposes is streamlined as well – we are now collecting unambiguous consent only to receive our marketing communications.

All the agreements can be found in the Legal notice section.

Appointing data protection officer (DPO)

Having expertise in data protection and law, Timur Shugaev, our manager in Latvia, started to act as a DPO responsible for data protection compliance within our company and communication with the GDPR supervisory authorities. You can get in touch with him using this email.

Data management adjustments

We mapped and analyzed all our systems connected to storing and processing personal data. We have already implemented advanced security measures, but it was important for us to put procedures in place so that our users can realize their rights guaranteed by the GDPR, including:
 

• Right to access data. You can request access to personal data stored by ONLYOFFICE as well as information on how it is processed, and we will provide it in electronic format.
• Right to be informed. We’ll notify you which data we are processing and if there are any sub-processors.
• Right to be forgotten. We will delete all of your data if you don’t want it to be processed. For example, if you are using ONLYOFFICE in the cloud, go to Data Management settings and press Delete to delete your portal permanently. To delete your ONLYOFFICE Personal, go to your profile.
• Right to object. You can stop our processing of your data at any moment.
• Right to be notified about any data loss that compromises an individual’s personal data. We have organized processes so that in the unlikely event of a data breach we ensure proper notifications within 72 hours for our customers and GDPR authorities.

To send access, rectification or deletion request, use our support system or contact us via e-mail support@onlyoffice.com. Note that you will have to pass a simple procedure of identification.

According to the GDPR, each company must build a strong security program, and that is already in use here, at ONLYOFFICE. You can be confident in ONLYOFFICE for a number of reasons:

Reliable hosting for cloud solutions

Amazon has already confirmed that all of their services are GDPR-ready and can be implemented as a key part of other companies’ compliance plans. Among the tools offered by Amazon we chose those to ensure our GDPR compliance:
 

• Encryption of personal data. The files are stored using 256-bit AES encryption and the portal access is allowed through the HTTP with SSL (Secure Sockets Layer).
• Regular backups to restore access to personal data in the event of a physical or technical incident. Note that you can also do manual backups to third-party storages and to your local drive.
• Regular testing and evaluating the effectiveness of technical and organizational measures to guarantee privacy and security.

Authentication filtering and monitoring

ONLYOFFICE offers a number of features to protect your web offices in the cloud or on-premises:
 

• Two-factor authentication;
• Single Sign-on via Shibboleth, OneLogin or AD FS;
• IP and mail domains restrictions;
• Login history;
• Audit trails.

Access management and data leak prevention

Be sure that no one’s getting access to your/your customers’ personal data, thanks to:
 

• Storing data locally. ONLYOFFICE can be run on a private network. Additional tips on how to keep your local office safe and secure can be found here.
• JWT-based protection from unauthorized access. This technology secures the portal traffic and ensures that users cannot access more data than permitted to them, which is critical in case of external user invitation.
• HTTPS for a private server. ONLYOFFICE allows encrypting your traffic through moving own-server portals to HTTPS protocol, whether you already possess an SSL certificate or not.
• Access rights management. Group your users and arrange the access rights for each user or group to protect personal data from unwanted attention and insider actions.

Learn more about the ONLYOFFICE security program here.

In conclusion, we would like to underline that we fully support the law. We have always treated our users’ data with respect and will always do so.

If you have any concerns regarding GDPR and ONLYOFFICE, do not hesitate to contact us at support.onlyoffice.com.