Maytech’s guide to GDPR compliant file sharing
Any business which collects or processes personally identifiable information (PII) of European citizens is subject to the EU General Data Protection Regulation (GDPR) as of 25th May 2018.
Maytech’s approach to GDPR compliance
As a Data Controller, it’s your responsibility to ensure that Personally Identifiable Information (PII) is stored and transferred in a secure manner.
Any organisation storing, accessing or receiving PII on your behalf is a Data Processor. Both you and they must ensure that they act in compliance with the GDPR legislation while storing, transferring or accessing the PII.
While Maytech does not view, use or access your data, if PII is to be stored on our systems we are classed as a Data Processor. As such, Maytech can provide a Data Processing Agreement which we can both sign to confirm that appropriate controls and systems are in place for the relevant data processing activities we undertake on your behalf. This demonstrates you have carried out your obligations under GDPR in relation to the secure storage and transfer of your sensitive PII data.
How does Maytech keep your PII safe?
NIST 800-171 is designed for non-Federal (commercial) enterprises, whereas NIST 800-57 is specifically designed for Federal systems and organisations.
This article covers the requirements for NIST 800-171, although as data security experts, whatever standards you are working to, we are confident we will be able to meet your compliance requirements.
Mapping ISO 27001 to NIST 800-171
As a specialist secure file sharing company, Maytech takes security very seriously. Our compliance with the stipulations of the GDPR pre-dates the GDPR legislation itself.
Quatrix®, our file sharing solution, addresses security concerns arising from unauthorised file sharing. It does this by providing a professional, own-branded solution that end users want to use, reducing the risk of uncontrolled file transfers via platforms with weaker security practices.
With Maytech you know exactly where your data resides at all times, who has access to it, and you can be confident that it’s stored safely within a secure and professionally managed platform.
What other compliance standards & certifications does Maytech maintain?
Quatrix manages file sharing for organisations in 35 industries across 60 countries, working with customers ranging from governments to Big Pharma and enterprises of all sizes which require fast and secure file sharing.
To maintain the highest levels of security compliance, Quatrix meets the stringent requirements of a range of relevant accreditations:
- ISO 27001 – Maytech’s information security management system is ISO 27001 certified and audited twice a year by Lloyd’s Register Quality Assurance.
- PCI-DSS – Maytech is compliant with the latest Payment Card Industry Data Security Standards (PCI-DSS) version 3.2.
- HIPAA – Maytech is compliant with the Health Insurance Portability and Accountability Act (HIPAA), US legislation providing data privacy and security provisions for safeguarding medical information.
In addition, services are scanned daily for over 40,000 security threats and vulnerabilities with McAfee Secure, and customers can arrange their own penetration test should they require one.
Key security features of our file sharing service
Whether sharing files online via Quatrix, transferring bulk data via SFTP or using our Outlook plug-in, our service keeps your data safe both at rest and in transit. Read on to find out more about Quatrix security features:
- Data residency – Data residency in a location of your choice. Your data never leaves your specified data centre.
- Encryption – Data is encrypted in transit over HTTPS or SFTP and encrypted at rest using the NSA-approved AES algorithm with 256-bit key strength. An advanced PGP module is also available.
- Data retention policies – Control your data and set retention policies with automatic delete rules for specified folders and time-limited share links. Hourly snapshots (backups) are retained and available to customers to restore deleted or overwritten files for 28 days; persistent backups of customer data are not retained beyond this period.
- Granular access control – Granular permissions offer detailed control over access, file and folder permissions for each user. Additional controls restrict data sharing to ensure only the intended recipients can receive the data.
- Central control & two-factor authentication – Central administration controls create unique user identities for both internal and external users and ensure all parties authenticate to receive data. Enforce strong passwords with optional 2FA, and add a security PIN for especially sensitive data.
- Reporting / audit trail – All transactions are logged and a full audit trail is available for ongoing monitoring and compliance.