Mavim complies with the GDPR. We meet the following requirements:
- lawful, fair and transparent processing
- limitation of purpose, data and storage
- data subject rights
- personal data breaches
- privacy by design
- data protection impact assessment
- data transfers
- data protection officer
- awareness and training
Within Mavim as well as Azure there is no logging of personal or confidential data. Only application health and changes are logged. If production data is needed for support and debugging purposes, we have dummy data in place. If, in a rare case, the issue seems to be with a particular customer and data is needed, we ask the customer to provide us with the data under strict agreements regarding who has access and how long we retain the data. In that case, production data is cleansed and masked where needed.
We log data using Application Insights and the standard Azure logging functionality. We maintain separate logs for each customer. We log:
- User authentication activities (including logins, logouts, and password resets).
- Application/process startup, shutdown, or restart.
- Application/process abort, failure, or abnormal end.
- Configuration changes to applications, services, systems, and networks, including software installs and updates.
- Alerts from antivirus, anti-spyware, and intrusion detection systems.
- Changes to firewall rules and host ACLs.
- Changes to logging configurations.
Note: in Azure there is no logging of personal or confidential data. Also, only authorized users can access audit logs. Security event logs are reviewed on a daily basis. All logs are stored encrypted for a period of 3 months.
Data to execute our contract: