RequestManager Technical Whitepaper

Sending data made safe and easy

Collect and deliver structured or unstructured data safely and securely

Introduction

RequestManager has been developed to guarantee compliance with the new regulations regarding Data Portability and Right of Insight as defined in the General Data Protection Regulation (GDPR).

Individuals can now request data provided by and concerning them from any service provider. Requests may be submitted via a phone call, an email, or in person. Organizing, documenting and responding to requests thoroughly before the 30 day deadline will be a daunting task with high stakes, especially for larger organizations that handle huge volumes of highly sensitive data. Having a process in place for dealing with the potentially hundreds of requests you could receive on a daily basis will allow you to avoid fines that could be up to 4% of your global turnover or 20m Euros, whichever is greater.

The Right to Data Portability allows data subjects to request the personal data that they have directly and indirectly provided to a data controller in a structured, commonly used and machine-readable format, and/or to transmit that data directly to another data controller free of charge and without hindrance.

RequestManager meets this demand while ensuring that data is sent to and from the right person, and that consent is obtained directly from the end-user. RequestManager provides a complete audit log covering both Data Portability activity and Consent Management.

RequestManager will support users in handling the following articles of the GDPR:

  • Article 20: Right to Data Portability
  • Article 7: Consent
  • Article 15: Right of Access
  • Article 16: Right to Rectification

Meeting the demand for Data Portability

Structured data request process

The GDPR does not specify how individuals should make data requests, or ‘Subject Access Requests’ (SARs). Requests may be made verbally or in writing, and to any of your employees. Regardless of how the request is made, you have a legal responsibility to identify the request and handle it accordingly. Providing a RequestManager request link on your company’s website allows you to control and log the request process. The RequestManager portal allows consumers to request the types of information you specify. This can reduce the number of requests for all data, which can reduce workload. When requestors use the RequestManager request link, requests will be authenticated and appear in RequestManager along with their due date and the types of information requested.

Sector specific templates

Data controllers must provide personal data to a requestor free of charge (Article 15). This means you must assume the costs of gathering and processing data.

One way RequestManager reduces the administrative costs of data delivery is by providing a wide range of sector-specific templates that can be further customized for the types of data your organization collects. Most organizations control a wide variety of personal data, but the type of information varies. An insurance company, for example, handles primarily medical and financial information, while an online retail company might deal with financial information, like credit card numbers, along with browsing history, preferences, passwords, etc. The template forms RequestManager makes available will help you quickly identify and merge personal data from multiple sources.

Data collection options

When data is being collected, RequestManager offers different options:

File upload

It is possible to upload a data file directly to the request. This data might not be readable for the requestor, as it may require specific systems to make sense of it; however, the data is transferred as requested. The advantage of this method is that data can easily be extracted and sent to the user, and the same method can be used when a user exercises the Right of Access. The downside is that the user is not necessarily able to read the information.

Manual collection in the predefined templates

With RequestManager you do not have to use sophisticated import methods. It is possible to manually input the data by copy and paste, drag and drop or simple manual input in an “old fashioned way” into predefined Templates. The advantage with this method is that it is a simple and easy method for smaller amounts of data that is readable for the Requestor. The disadvantage with this method is that it can be time consuming when handling larger amounts of data.

API import

RequestManager has its own API, so companies with large amounts of data or complex data can simply and securely automate the process of exporting data from the company’s system landscape into RequestManager, and send it directly to the requester. The advantages of this process are many: data is instantly identified, transferred, logged and delivered to the requester, without delay or manual intervention. Data received via RequestManager (templates) can also be downloaded easily.

The tight timeframe by which companies must respond to a data request (without undue delay and within a period of just one month) means that it is important to automate the process via integration as much as possible, while still ensuring safety.

With the help of powerful APIs, information can be gathered automatically from almost 200 different standard applications. Connections to most of these applications can be set up quickly and seamlessly.

RequestManager also exposes an open API that can be used to integrate existing branch-specific legacy applications, allowing companies to automate data collection from more specialized or non-standard applications.

How the automated data collection works

Although the API can be used in many different ways, here is an example of what a workflow might look like in a larger organization where some data is collected through the API and some is collected manually:

  • A new data request is received
  • The requestor is authenticated
  • The person responsible for responding to the data request sees the request gradually get filled (in predefined templates) with data from multiple systems
  • Any missing data is manually entered by dragging files, or using an input form
  • The data is encrypted and sent to the Requestor (Consumer) – or directly to a company at the consumer's request.

Even in small or mid-sized companies using just a few systems, API integration can save a lot of manual work.

The requestor also has the right to have data forwarded to a new service provider, for purposes such as a simple overview, a customized price, personal interests and much more. RequestManager supports all these actions.

4-eye principle

The company can define a specific approval process in which named resources must approve or screen the data delivery before it is sent to the consumer.

Complete Audit log

RequestManager ensures that all actions in the end-to-end process are logged for audit purposes, to secure compliance.
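
An added example, not RequestManager's own code: a small Python model of the four-eye release gate and audit log described above. The class, method and user names are hypothetical, and it assumes an approval is tied to a digest of the collected data, so any change after approval voids it.

```python
import hashlib, json

class DeliveryRequest:
    """Hypothetical model of one data request awaiting four-eye release."""

    def __init__(self, request_id, named_approvers):
        self.request_id = request_id
        self.named_approvers = set(named_approvers)  # people allowed to screen delivery
        self.fields = {}                             # collected data: field -> value
        self.contributors = set()                    # everyone who added or changed data
        self.approval = None                         # (approver, digest of data approved)
        self.audit = []                              # append-only (actor, action, outcome)

    def _digest(self):
        canonical = json.dumps(self.fields, sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()

    def _log(self, actor, action, outcome):
        # Denied attempts are recorded as well as successful ones.
        self.audit.append((actor, action, outcome))
        return outcome == "ok"

    def add_data(self, actor, field, value):
        self.fields[field] = value
        self.contributors.add(actor)
        return self._log(actor, f"add_data:{field}", "ok")

    def approve(self, actor):
        if actor not in self.named_approvers:
            return self._log(actor, "approve", "denied: not a named approver")
        if actor in self.contributors:
            return self._log(actor, "approve", "denied: approver collected the data")
        self.approval = (actor, self._digest())
        return self._log(actor, "approve", "ok")

    def send(self, actor):
        if self.approval is None:
            return self._log(actor, "send", "denied: not approved")
        if self.approval[1] != self._digest():
            return self._log(actor, "send", "denied: data changed after approval")
        return self._log(actor, "send", "ok")
```
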

Documented and customizable consent

Data controllers must demonstrate that the data subject has consented to the processing of his or her personal data (Article 7). In RequestManager, consent is a module where you can customize your consent forms for the user, and ensure that you always have the consent logged. The consent module can also be used with third-party apps to provide the consent they require. The consent module is built for user-friendliness and based on several elements within the following categories:

  • Something you have (e.g. NemID, apps)
  • Something you know (e.g. passcodes)

User Role management

RequestManager manages access to consumer data during collection and sending through four (4) distinct roles:

  • System owner – purchases the system and sets up the company
  • System Administrator – manages system users, maintains more technical areas and modifies templates
  • SystemManager – manages the incoming requests and is able to reassign responsibilities for request handling (bypassing processes)
  • System user – internal daily user of the system

APIs

API Capabilities

RequestManager provides almost 200 prebuilt APIs for a wide variety of popular standard applications, e.g. Dropbox, Outlook, Salesforce.

Besides standard application APIs, we have developed an open API that can be used to perform various actions:

  • List requests based on status/due date
  • Add data to or remove data from requests, such as files or single fields
  • Create / edit template forms
  • Add data based on template forms
  • Approve requests for delivery
  • Assign requests to other employees for further processing
  • Add new people as employees
  • Grant or remove roles

Technology stack

The solution is based on Microsoft Azure cloud services.

Technologies used

The solution is built using the following technologies:

  • Azure Web app
  • Azure Key Vault
  • Azure Blob Storage
  • SendGrid (email notifications etc.)
  • SQL databases (always encrypted)
  • Stripe – for managing payments
  • Twilio – for SMS validation
  • SendGrid – for e-mail verification and correspondence
  • Future: Signicat – for national authentication, e.g. NemID (covers the national identifications in 13 countries)

Communication

All communication with the API uses Transport Layer Security (TLS 1.2) over HTTPS. Communicating over TLS preserves user privacy by protecting information between the user and the RequestManager API as it travels across the public Internet.

Back end

The back-end solution is built as a REST API with ASP.NET Core 2 as the backing technology. Responses are in JSON. The API is secured by JWT tokens, which are both API-key secured and user specific. Should a key be leaked, the owner of the system can go to a UI and generate a new API key, which instantly invalidates the previous key. Most calls will also require a specific user login and password. For automation purposes, a refresh token will be provided. All this is done via IdentityServer4. The API is documented with Swagger, with examples of usage.

Below is an example of the documentation. It is a POST request:
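
An added example, not RequestManager's or IdentityServer4's code: one way a user-specific JWT can be tied to the tenant's current API key, so that generating a new key invalidates tokens issued under the old one. It assumes HS256 signing and a hypothetical "api_key_id" claim; all class, method and tenant names are illustrative.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class TokenService:
    """Hypothetical issuer: every token names the API key it was issued under."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # server-side HS256 signing secret
        self._keys = {}                         # tenant -> (key_id, api_key)

    def rotate_api_key(self, tenant: str) -> str:
        """Generate a new API key; tokens carrying the old key id stop verifying."""
        api_key = secrets.token_urlsafe(32)
        self._keys[tenant] = (secrets.token_hex(8), api_key)
        return api_key

    def _sign(self, signing_input: str) -> str:
        return _b64(hmac.new(self._secret, signing_input.encode(), hashlib.sha256).digest())

    def issue(self, tenant, api_key, user, ttl=900, now=None) -> str:
        """Assumes the caller has already checked the user's login and password."""
        key_id, current = self._keys[tenant]
        if not hmac.compare_digest(current.encode(), api_key.encode()):
            raise PermissionError("API key is not the current one")
        now = int(time.time()) if now is None else now
        claims = {"sub": user, "tenant": tenant, "api_key_id": key_id, "exp": now + ttl}
        body = _b64(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64(json.dumps(claims).encode())
        return body + "." + self._sign(body)

    def verify(self, token: str, now=None) -> dict:
        """Return the claims, or raise PermissionError naming the reason."""
        try:
            head, payload, sig = token.split(".")
        except ValueError:
            raise PermissionError("malformed token") from None
        # Check the MAC before parsing anything; the algorithm is fixed server-side.
        if not hmac.compare_digest(self._sign(head + "." + payload).encode(), sig.encode()):
            raise PermissionError("bad signature")
        claims = json.loads(_unb64(payload))
        now = int(time.time()) if now is None else now
        if claims["exp"] <= now:
            raise PermissionError("expired")
        if self._keys.get(claims["tenant"], (None,))[0] != claims["api_key_id"]:
            raise PermissionError("issued under a replaced API key")
        return claims
```
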

  • Model shows the form fields expected by the server and which are mandatory / optional
  • Code shows the possible responses
  • The “Try it out” button allows the API to be executed directly within the documentation itself

What to expect when integrating

The API keys will be made available along with a how-to and the link to the specific API documentation. The API is online and there will be no need to install any additional software. Any technology can be used to consume the API as long as it can make HTTPS requests against an online service and interpret JSON. JSON schemas will be available for pre-validation of data before interchange. In addition, NuGet packages in C# will be available for download.

Cloud infrastructure

RequestManager's cloud infrastructure is a purpose-built, preconfigured solution that provides the capacity and lifecycle management for the system. Our design point is to focus on continuously delivering the services that applications depend on.

RequestManager is built on Azure in West Europe, hosted in Holland with redundancy in Ireland.

RequestManager Security

Data is stored in a relational SQL database in Azure with “Always Encrypted” enabled, which ensures data encryption both at rest and in transit. Azure Key Vault keeps one of the keys safe, whereas the other one is installed on the environment hosting the APIs.

This ensures that the certificates are not stored on the same machine, nor in the same environment. Both certificates are 2048 bits long. In case of a breach, or suspicion of one, the keys can be rotated easily and new certificates can be generated.

Data encrypted at rest

RequestManager uses the ‘Always Encrypted’ protocol for the data. RequestManager provides encryption of all data and centralized key management from an Azure Key Vault. RequestManager encryption algorithms operate on block lengths of 2096 bits.

Data encrypted in transit

RequestManager encrypts data in transit using asymmetric certificate encryption on both the transport layer (HTTPS) and the database connection (a different certificate). Encryption in transit is mandatory for RequestManager traffic, which requires authentication and is not publicly accessible.

Segregated Blob servers

When a RequestManager account is created, a segregated Blob server is created for the Company (one container per customer with a store certificate), where only the relevant system users within the Company (role management described above) can access the consumer data on the active requests. The data that is sent to (made available for) the Consumer is automatically deleted after 32 days.

Consumer access

Only the Requester (the Consumer) has access to the data sent from the Company.

Privacy

Privacy by design

Data in RequestManager belongs to the User. The user retains the rights, title, and interest in the data stored in RequestManager. This clear principle ensures that the user's privacy is maintained.

Our online services are operated on certain key principles:

  • We only use the user's personal data to provide the user with the online services that the user has requested, including purposes compatible with providing those services.
  • We do not mine the user's personal data for any purposes.
  • If the user ever chooses to leave the service, the user can take their data with them with full fidelity.
  • Only the user has access to the data.
  • Access to the personal data is strictly limited.

Beyond this, we have privacy controls that allow organizations to configure exactly who has access to what within the organization, with strict access controls and design elements that ensure secure access.

Privacy by default

In addition to service-level capabilities, RequestManager enables the user to collaborate through the use of transparent policies and strong tools while providing the distinct ability to control information sharing:

  • Data will be encrypted with a 2048-bit encryption key and is only accessible to authenticated users.
  • Rights Management in RequestManager allows individuals and administrators to specify access permissions to requests, ongoing work and audit logs. This helps organizations prevent sensitive information from being printed, forwarded, or copied by unauthorized people by applying intelligent policies.
  • Privacy controls for the four-eye principle provide verification functionality with a number of privacy controls.

Privacy controls for new system users are always set to the highest privacy setting by default. This setting can only be edited by the system admin for security purposes. One example is that a system user has no access to a request by default and can see no data. Another is that a system user cannot see the data of a requester that another system user is working on, nor is there any sharing functionality built into RequestManager.

Auditing and retention policies

By using RequestManager auditing policies, the system users can log events, including receiving, editing, and sending content such as data, files, pictures and more. When auditing is enabled as part of an information management policy, administrators can view the audit data and summarize current usage. The system administrator can use these reports to determine where information types are coming from within the organization, where requests originate globally, manage compliance, and investigate areas of concern.

Support

RequestManager enables a consistent, integrated support experience that covers the full system lifecycle. To fully support your RequestManager system, customers need only two types of support contracts:

  • One with a registered RequestManager developer for first-line support (API service support) and one with RequestManager for second-line system support.
  • Second-line support is an integrated support experience that provides coordinated escalation and resolution, so customers get a consistent support experience. Second-line information is described in detail in RequestManager under support. This support consists of a live chat function plus mail and phone support during business hours.

Help

Questions? To find out whether RequestManager is the right fit for your organization, schedule a call with us.
