Data Security and EU Data Protection

AppsAnywhere understand the importance of data security to our customers. Trust is the foundation of all good relationships, and we value the trust that you place in us, and in turn the importance of your end-users having confidence in the security of the IT services that you provide to them.

AppsAnywhere support over 150 customers worldwide, delivering apps to over 1.5 million students and staff. Delivering apps and desktops to all of these service users generates a large amount of data, and we want to be transparent about how this data is stored and processed, and to do so in accordance with legal requirements such as the EU General Data Protection Regulations (GDPR).

What constitutes Personal Data?

Personal Data is defined under Article 4.1 of the EU General Data Protection Regulations as:

"any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Within the range of available AppsAnywhere products and services, a natural person may be identified by a username or in some cases, by IP address. In both cases, further access to customer systems is required in order to identify the individual to whom the data relates.

What Personal Data is recorded by AppsAnywhere?

AppsAnywhere records personal data pertaining to user access in the system database, as well as in log files both on the server and end-user device.

Server-side data includes:

• Logged on username and AD Display Name (for the duration of the session)
• Device ID (system generated), local and remote IP and determined region
• Personal data on the launching of applications and duration of use

Client-side personal data includes:

• Records of the launching of applications on the end-user device
• Configuration of the end-user device (e.g. Logged on username, IP address, operating system, installed applications)

What Personal Data is recorded by Cloudpaging?

Cloudpaging records personal data pertaining to user access in the system database, as well as in log files both on the server and end-user device.

Server-side personal data includes:

• Records of the launching of Cloudpaged applications and duration of use

Client-side personal data includes:

• Records of the launching of Cloudpaged applications on the end-user device
• Configuration of the end-user device (e.g. Logged on username, IP address, operating system, system memory)

Who owns and controls Personal Data?

AppsAnywhere and Cloudpaging are installed to servers owned and controlled by the customer. The customer therefore retains ownership of and control over this data. From a GDPR perspective, the customer is the controller of the data, and AppsAnywhere is a data processor.

What Personal Data is processed by AppsAnywhere?

In the provision of support and in the course of fulfilling our contractual obligations to our customers, AppsAnywhere:

• Access log files and databases on supported customer systems.
• Process end-user log files that customers provide.
• View user account details via the AppsAnywhere LDAP browser.
• Store contact details and information related to individual customer contacts.*

*In this instance AppsAnywhere is the Data Controller under GDPR. Please refer to our privacy policy for information on how we process and store this data.

How does AppsAnywhere store this data?

AppsAnywhere does not copy any personal data outside of customer systems without explicit consent.

In the provision of support and in the course of fulfilling our contractual obligations:

• a) Customers may transfer log files containing personal data to AppsAnywhere.
• b) AppsAnywhere may take copies of log files containing personal data.
• c) Log files containing personal data may be copied to sub-processor’s systems.

AppsAnywhere use a range of secure systems to store data including:

• Support Ticket System – Zendesk
• E-mail and file storage – Microsoft Office 365
• FTP Storage – Rackspace
• Encrypted Disks in Secure Systems

Contact details and related information for individual customer contacts are also stored within our Support Ticket System.

What do we do with the data?

AppsAnywhere only use this data in the provision of support and in the course of fulfilling our contractual obligations to our customers.

Data related to individual customer contacts, for which we are the Data Controller, may also be used for marketing related activities in accordance with our Privacy Policy.

How long is the data retained?

Where personal data has been transferred to AppsAnywhere from customer systems, our policy is to securely erase this data as soon as possible after processing is complete.

Where data has been transferred into our Support Ticket System (Zendesk), we'll keep this data securely for no more than 6 months following the expiration of our contract with the customer.

For data related to individual customer contacts, for which we are the Data Controller, please see our Privacy Policy.

What organizational and technical measures does AppsAnywhere have in place?

To ensure the security and integrity of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage; AppsAnywhere have adopted a comprehensive set of policies, procedures and processes, including measures to:

• Pseudonymize and encrypt personal data.
• Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
• Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
• Regularly test, assess and evaluate the effectiveness of technical and organizational measures for ensuring the security of processing.

All AppsAnywhere staff receive training in data security and compliance with legal requirements such as the EU General Data Protection Regulations.

By default, all personal data resides on customer systems. We do not transfer personal data outside of these systems without consent.

Who are AppsAnywhere’s sub-processors?

AppsAnywhere maintains an up-to-date list of the names and locations of all sub-processors used for hosting or other processing of personal data, which can be found here. The list also may be obtained by contacting info@appsanywhere.com.

Does AppsAnywhere transfer any personal data outside of the EEA?

AppsAnywhere stores all personal data pertaining to EU customers within the EEA.

Occasionally, in the provision of support and in the course of fulfilling our contractual obligations to our customers; AppsAnywhere may transfer log files to:

Numecent Inc. (a US based company).

Before such data transfers are made, the original log files are redacted, such that it is no longer possible for the natural individual to be identified either directly or indirectly. Pursuant to this, personal data is not transferred to Numecent Inc.

‍

AppsAnywhere Americas Inc. (part of the AppsAnywhere Group)In this case, transfers are made subject to the Standard Contractual Clauses approved by the European Commission for transfers from Controllers in the European Economic Area to Controllers outside the European Economic Area.