Connectid Business - Technical Whitepaper
Sending data made safe and easy
Collect and deliver structured or unstructured data safely and securely
Connectid Business has been developed to guarantee compliance with the new regulations regarding Data Portability and Right of Insight as defined in the General Data Protection Regulation (GDPR).
Individuals can now request the data provided by and concerning them from any service provider. Requests may be submitted via a phone call, an email, or in person. Organizing, documenting and responding to requests thoroughly before the 30 day deadline will be a daunting task with high stakes, especially for larger organizations that handle huge volumes of highly sensitive data. Having a process in place for dealing with the potentially hundreds of requests you could receive on a daily basis will allow you to avoid fines that could be up to 4% of your global turnover or 20m Euros, whichever is greater.
The Right to Data Portability allows data subjects to request the personal data that they have directly and indirectly provided to a data controller in a structured, commonly used and machine-readable format, and/or to transmit that data directly to another data controller free of charge and without hindrance.
Connectid Business meets this demand while ensuring that data is sent to and from the right person, and that consent is obtained directly from the end user. Connectid Business provides a complete audit log covering both Data Portability activity and Consent Management.
Connectid Business will support users in handling the following Regulations of the GDPR:
- Article 20: Right to Data Portability
- Article 7: Consent
- Article 15: Right of Access
- Article 16: Right to Rectification
Meeting the demand for Data Portability
Structured data request process
The GDPR does not specify how individuals should make data requests, or ‘Subject Access Requests’ (SARs). Requests may be made verbally or in writing, and to any of your employees. Regardless of how the request is made, you have a legal responsibility to identify the request and handle it accordingly. Providing a Connectid Business request link on your company’s website allows you to control and log the request process. The Connectid Business portal allows consumers to request the types of information you specify. This can reduce the number of requests for all data, which in turn reduces workload. When requestors use the Connectid Business request link, requests are authenticated and appear in Connectid Business along with their due date and the types of information requested.
Sector specific templates
Data controllers must provide personal data to a requestor free of charge (Article 15). This means you must assume the costs of gathering and processing data.
One way Connectid Business reduces the administrative costs of data delivery is by providing a wide range of sector specific templates that can be further customized for the types of data your organization collects. Most organizations control a wide variety of personal data, but the type of information varies. An insurance company, for example, handles primarily medical and financial information, while an online retail company might deal with financial information, like credit card numbers, along with browsing history, preferences, passwords, etc. The template forms Connectid Business makes available will help you quickly identify and merge personal data from multiple sources.
Data collection options
When data is being collected Connectid Business offers different options:
It is possible to include (upload) a data file directly in the request. This data might not be readable for the requestor, as it may require specific systems to make sense of it; however, the data is transferred as requested. The advantage of this method is that data can easily be extracted and sent to the user, and the same method can be used when a user exercises the Right of Access. The downside is that the user is not necessarily able to read the information.
Manual collection in the predefined templates
With Connectid Business you do not have to use sophisticated import methods. It is possible to manually input the data by copy and paste, drag and drop or simple manual input in an “old fashioned way” into predefined templates. The advantage of this method is that it is simple and easy for smaller amounts of data, and the result is readable for the requestor. The disadvantage is that it can be time consuming when handling larger amounts of data.
Connectid Business has its own API so that companies with larger amounts of data, or complex data, can simply and securely automate the process of exporting data from the company’s system landscape into Connectid Business and sending it directly to the requester. The advantages of this process are many: data is instantly identified, transferred, logged and delivered to the requester, without delay or manual intervention. Data received via Connectid Business (templates) can also be downloaded smoothly.
The tight timeframe by which companies must respond to a data request (without undue delay and within a period of just one month), means that it is important to automate the process via integration as much as possible, while still ensuring safety.
With the help of powerful APIs, information can be gathered automatically from almost 200 different standard applications. Connections to most of these applications can be set up quickly and seamlessly.
Connectid Business also exposes an open API that can be used to integrate existing branch specific legacy applications, allowing companies to automate data collection from more specialized or non-standard applications.
How the automated data collection works
Although the API can be used in many different ways, here is an example of what a workflow might look like in a larger organization where some data is using the API, and some data is collected manually:
- A new data request is received
- The requestor is authenticated
- The person responsible for responding to the data request sees the request gradually get filled (in predefined templates) with data from multiple systems
- Any missing data is manually entered by dragging files, or using an input form
- The data is encrypted and sent to the Requestor (Consumer) – or directly to a company at the consumer’s request.
Even in small or mid-sized companies using just a few systems, API integration can save a lot of manual work.
The requestor also has the right to have data forwarded to a new service provider, for example so that the new provider can give a simple overview, provide a customized price, cater to a personal interest and much more. Connectid Business supports all these actions.
It is possible for the company to define a specific approval process in which named resources have to approve or screen the data delivery before it is sent to the consumer.
Complete Audit log
Connectid Business ensures that all actions in the end-to-end process are logged for audit purposes, to secure compliance.
Documented and customizable consent
Data controllers must demonstrate that the data subject has consented to the processing of his or her personal data (Article 7). In Connectid Business, consent is a module where you can customize your consent forms for the user, and ensure that you always have the consent logged. The consent module can also be utilized with third party apps to be part of the consent needed therein. The consent module is built for user-friendliness and based on several elements within the following categories:
- Something you have (e.g. NemID, apps)
- Something you know (e.g. passcodes)
User Role management
Connectid Business manages access to the consumer data, during collection and sending, via four (4) distinct roles:
- System Owner – purchases the system and sets up the company
- System Administrator – manages system users, maintains the more technical areas and modifies templates
- System Manager – manages the incoming requests and can reassign responsibilities for request handling (bypassing processes)
- System User – internal daily user of the system
Connectid Business provides almost 200 prebuilt APIs for a wide variety of popular standard applications, e.g. Dropbox, Outlook, Salesforce.
Besides standard application APIs, we have developed an open API that can be used to perform various actions:
- List requests based on status/due date
- Add data to, or remove data from, requests (files or single fields)
- Create / edit template forms
- Add data based on template forms
- Approve requests for delivery
- Assign requests to other employees for further processing
- Add new people as employees
- Grant or remove roles
The solution is based on Microsoft Azure cloud services.
The solution is built using the following technologies:
- Azure Web app
- Azure Key Vault
- Azure Blob Storage
- SendGrid (email notifications etc.)
- SQL databases (always encrypted)
- Stripe – for managing payments
- Twilio – for SMS validation
- SendGrid – for e-mail verification and correspondence
- Future: Signicat – for national authentication, e.g. NemID (covers the national identifications in 13 countries)
All communication with the API is based on Transport Layer Security (TLS 1.2) (https). Communicating over TLS preserves user privacy by protecting information between the user and the Connectid Business API as it travels across the public Internet.
The back end solution is built as a REST API, with ASP.NET Core 2 as the backing technology. Responses are in JSON. The API is secured by JWT tokens, which are both API-key secured and user specific. Should a key be leaked, the owner of the system can go to a UI and generate a new API key, which instantly invalidates the previous key. Most calls will also require a specific user login and password. For automation purposes, a refresh token will be provided. All this is done via IdentityServer4. The API is documented with Swagger and will include examples of usage.
Below is an example of the documentation. It is a post-request:
- Model shows the form fields expected by the server and which are mandatory / optional
- Code shows the possible responses
- The “Try it out” button allows the API to be executed directly within the documentation itself
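The token model described above (JWTs bound to a per-company API key, where generating a new key instantly invalidates the previous one) can be illustrated with a small validator. This is an added example, not Connectid Business or IdentityServer4 code: it assumes HS256 tokens whose signing secret is the company's current API key, a "kid" header naming that key, and an in-memory key store, all of which are constructed here for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed illustration: HMAC-signed JWTs keyed by the tenant's current API key.
# Rotating the key replaces it outright, so every token minted under the old key
# fails verification immediately (no grace period).

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class ApiKeyStore:
    """One active API key per company; rotate() invalidates the previous key."""
    def __init__(self):
        self.active = {}  # company -> (kid, secret)

    def rotate(self, company: str):
        kid, secret = secrets.token_hex(4), secrets.token_bytes(32)
        self.active[company] = (kid, secret)
        return kid, secret

def mint_token(store, company, user, ttl=900, now=None):
    """Issue a short-lived, user-specific token signed with the company's active key."""
    kid, secret = store.active[company]
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    claims = {"sub": user, "tenant": company, "iat": now, "exp": now + ttl}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_token(store, token, now=None):
    """Return the claims if the token is valid under the tenant's *current* key, else None."""
    try:
        h64, c64, s64 = token.split(".")
        header, claims, sig = json.loads(_unb64(h64)), json.loads(_unb64(c64)), _unb64(s64)
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    entry = store.active.get(claims.get("tenant"))
    if entry is None or header.get("alg") != "HS256" or header.get("kid") != entry[0]:
        return None  # unknown tenant, unexpected algorithm, or a rotated-away key
    expected = hmac.new(entry[1], (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = int(time.time()) if now is None else now
    return claims if claims.get("exp", 0) > now else None
```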
What to expect when integrating
The API keys will be made available along with a how-to and the link to the specific API documentation. The API is online and there is no need to install any additional software. Any technology can be used to consume the API as long as it can make https requests against an online service and interpret JSON. JSON schemas will be available for pre-validation of data before interchange. Furthermore, NuGet packages in C# will be available for download.
Connectid Business’s cloud infrastructure is a purpose built, preconfigured solution that provides the capacity and lifecycle management for the system. Our design point is to focus on continuously delivering the services that applications depend on.
Connectid Business is built on Azure in West Europe – placed in Holland with redundancy in Ireland.
Connectid Business Security
Data is stored in a relational SQL database in Azure with “Always Encrypted” enabled, which ensures data encryption both at rest and in transit. Azure Key Vault keeps one of the keys safe, whereas the other one is installed in the environment hosting the APIs.
This ensures that the certificates are not stored on the same machine, nor in the same environment. Both certificates are 2048 bits in length. In case of a breach, or suspicion of one, the keys can be rotated easily and new certificates generated.
Data encrypted at rest
Connectid Business uses the ‘Always Encrypted’ protocol for the data. Connectid Business provides encryption of all data and centralized key management from an Azure Key Vault. Connectid Business encryption algorithms operate on block lengths of 2096 bits.
Data encrypted in transit
Connectid Business encrypts data in transit using asymmetric certificate-based encryption on both the transport layer (https) and the database connection (with a different certificate). Encryption in transit is mandatory for Connectid Business traffic, which requires authentication and is not publicly accessible.
Segregated Blob servers
When a Connectid Business account is created, a segregated Blob server is created for the company (one container per customer with a stored certificate), where only the relevant system users within the company (see the role management described above) can access the consumer data on the active requests. The data that is sent to (made available for) the consumer is automatically deleted after 32 days.
Only the Requester (the Consumer) has access to the data sent from the Company.
Privacy by design
Data in Connectid Business belongs to the user. The user retains the rights, title, and interest in the data stored in Connectid Business. It is with this clarity of principle that the user’s privacy is maintained.
Our online services are operated on certain key principles:
- We only use the user’s personal data to provide the user with the online services that the user has requested, including purposes compatible with providing those services.
- We do not mine the user’s personal data for any purposes.
- If the user ever chooses to leave the service, the user can take their data with them with full fidelity.
- Only the user has access to the data.
- Access to the personal data is strictly limited.
Beyond this, we have privacy controls that allow organizations to configure exactly who has access to what within the organization, with strict access controls and design elements that ensure secure access.
Privacy by default
In addition to service-level capabilities, Connectid Business enables the user to collaborate through the use of transparent policies and strong tools while providing the distinct ability to control information sharing:
- Data is encrypted with a 2048 bit encryption key and is only accessible to authenticated users.
- Rights Management in Connectid Business allows individuals and administrators to specify access permissions to requests, ongoing work and audit logs. This helps organizations prevent sensitive information from being printed, forwarded, or copied by unauthorized people by applying intelligent policies.
- Privacy controls for the four-eyes principle provide verification functionality with a number of privacy controls.
Privacy controls for new system users are always set to the highest privacy setting by default. For security purposes, this setting can only be edited by the system administrator. One example is that a system user has no access to a request by default and can see no data. Another is that a system user cannot see the data of a requester that another system user is working on, nor is there any sharing functionality built into Connectid Business.
Auditing and retention policies
By using Connectid Business auditing policies, system users can log events, including receiving, editing, and sending content such as data, files, pictures and more. When auditing is enabled as part of an information management policy, administrators can view the audit data and summarize current usage. The system administrator can use these reports to determine where information types are coming from within the organization, where requests are occurring from globally, manage compliance, and investigate areas of concern.
Connectid Business enables a consistent, integrated support experience that covers the full system lifecycle. To fully support your Connectid Business system, customers need only two types of support contracts:
- One with a registered Connectid Business developer for first line support (API service support), and one with Connectid Business for second line system support.
- Second line support is an integrated support experience that provides coordinated escalation and resolution, so customers get a consistent support experience. Second line support is described in detail in Connectid Business under Support. This support consists of a live chat function, plus mail and phone support during business hours.
Questions? To find out whether Connectid Business is the right fit for your organization schedule a call with us.