As of the 25th of May 2018, the General Regulation on Data Protection (GDPR) has taken effect for businesses operating or located within the European Union. 

What is GDPR?

The GDPR increased oversight for global privacy rights and compliance. A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU. The GDPR is is strengthening, harmonizing, and modernizing EU data protection law and also enhancing individual rights and freedoms. 

Among other things, it regulates how individuals and organizations may obtain, use, store, and erase personal data. 

Clust complies with the GDPR, this guide is intended to help our customers understand what we worked on to make sure they stay safe with Clust.

Team trainings

At Clust, employees have all been trained about the GDPR principles. New joiners, employees, consultants or freelancers joining forces with us are also strongly advised if not required to complete these trainings. 

Data Protection Officer

In accordance with the CNIL instructions we designated and officially registered a DPO (Data protection Officer).
This is also mentioned in our DPA, Data Privacy Agreement) that each of our clients is invited to sign. 

Our DPO is responsible for the following: 

  • Informing and advising Clust teams on good practices required under the GDPR
  • Monitoring compliance with Data Protection laws 
  • Advising Clust as to the possibilities of carrying out impact studies and to follow its smooth running; 
  • Cooperating with the CNIL and remaining its official point of contact 

Impact assessment 

We keep up to date confidential maps and impact assessment on:

  • How the data collected about Clust users is processes securely
  • The type of data collected 
  • The objectives of these operations as part of our business 
  • Who has access to this data

We also carried out an Privacy Impact Assessment, to make sure this process is made following the regulations.

Good practices and data security

Communications using our services uses the Transport Layer Security (TLS) protocol, which is updated regularly to use the latest encryption configurations and TLS configurations. 

In addition, we encrypt all customer data using the AES 256-T algorithm. We have also established in-house 10 key rules in terms of access and protection of users and security data.
We provide our employees with this information and good practices to maintain a reliable and regulated environment within our premises. 

All employees of Clust who are likely to manipulate personal data are held to the strictest confidentiality by a contractual confidentiality clause. 

Clust undertakes not to use or transfer user data for any purpose other than for the purposes of design, execution, maintenance and improvement of the company's services.

Data transfer 

Your data is kept on multiple servers to ensure that our systems remain operational and efficient even if one of our servers fails. Our dedicated physical servers are distributed in many Datacenters on each continent. The data of US customers are processed in the United States. The data of our customers are encrypted and even our host does not have access to it.

Cyber-security and risk management 

We work with an International Cyber-security company based in France. This company carries out regular audits on our site in order to control the risks of vulnerability and to maintain the good compliance with the regulations.

Product and integration development 

Our technical teams systematically develop the new software features, taking into account the OWASP requirements for IT security.
Similarly at the operational level, the: 

  • Feature requests; 
  • Software testing and quality assurance
  • Integration of technical partners 
  • Established and forthcoming sub-contractors

are selected/conducted/controlled with respect to the customer data Protection regulations. As such, we have also established rules about how we believe is the best way of selecting/working with subcontractors: 

  • Sharing our GDPR commitments to all our subcontractors 
  • Establishing of a specific list of pre-qualifying questions for potential candidates
  • Defining contractual commitments aligned with the GDPR 
  • Implementing and strictly following our approach when it comes to developing features or coding.

Customer Information

We modified both our Terms of Service, and Privacy Policy. Through the Security Center, users can learn more about their rights when it comes to GDPR when to comes to:

  • Accessing their Data 
  • Correcting their data
  • Deleting data 
  • Exporting data to digital medium, in a "structured" format (e.g.,. xls,. csv,. xml file)
  • Limiting and opposing themselves to the processing of their data

These rights also apply to the customers of our users.  
This means that upon request from their customers, our users (who are responsible for the processing of what they collect using Clust), can obtain access, rectification, deletion, export and limitation to the data.

Data Protection Act

Under the GDPR, there must be a written contract when one business processes personal data on behalf of another business.

In other words, the law requires that we (Clust) define in written agreement this business relationship in order for your business to be compliant with the GDPR.

You can sign the DPA here.

Helping you comply with GDPR

We encourage you to update as well your Privacy policy in order to specify to your clients that you're using Clust to collect securely personal data about your clients.
Once that's done, you'll be able to add the url of your Privacy Policy onto the secure client portal to make sure they read it before uploading their documents.

Is Clust Secure?
Is Clust HIPAA Compliant?
Data processing agreement

Did this answer your question?