|Last updated||21 May 2018|
|Galaxkey||means Galaxkey Limited|
|GDPR||means the General Data Protection Regulation.|
|Contact||means Galaxkey Data Protection Representative|
|Register||means a register of all processing or contexts in which personal data is processed by Galaxkey and Galaxkey partners|
|Customer||means a Galaxkey paying customer or non-paying user (free subscription)|
|Galaxkey Account Data (PART A)||means the personal information about you that you provide to Galaxkey in connection with the following:
o Creation or administration of your account. This personal information may include name, usernames, email address, phone number, physical address, company name, payment details
o Information that you provide when you contact us
o Information that you provide when you access our products and services
o Information that you provide through consents and preference updates|
|Data Content (PART B)||means the data content that you protect using the Galaxkey product and/or services. This may include data, text, audio, video or images. Galaxkey does not have access to your data content. Your data content does not include account data. The Customer is solely responsible for the personal information that they protect using Galaxkey products or services as Galaxkey has no access to this information. Galaxkey terms of service and licence agreement apply to customer data content.|
PART A: Your Galaxkey Account Data
2. Policy overview
This Policy describes the obligations of Galaxkey regarding data protection and the rights of the “data subject”, relating to their personal information under the EU Regulation 2016/679 General Data Protection Regulation (GDPR).
Galaxkey is a limited liability company (registered number 07338597), whose registered office is at 2 Falcon Gate Shire Park, Welwyn Garden City, AL7 1TW, United Kingdom.
Galaxkey is a data security company and needs to gather and use certain personal information about individuals to provide the Galaxkey products and services. These can include information about customers, suppliers, business contacts, employees and other people that Galaxkey has a relationship with or may need to contact for the purpose of functioning and delivering products and services.
Galaxkey implements responsible and sophisticated technical and physical controls that are designed to prevent unauthorised access to or disclosure of customer personal information that is provided to Galaxkey by the customer for processing.
This policy describes Galaxkey’s obligations regarding the collection, processing, transfer, storage and disposal of personal information to meet data protection standards and to comply with the law. It refers to customer account data and not customer data content. Galaxkey does not have access to any customer data content.
For clarification purposes, Galaxkey includes a separate section in this policy relating to Data Content.
3. Why the policy exists
Galaxkey is focused on GDPR compliance and will take any action necessary to ensure that we handle customer personal information in compliance with applicable law. We will take the necessary steps to ensure that both Galaxkey and our product and/or services are compliant with the GDPR, and that the security, confidentiality, integrity and availability of the personal information that Galaxkey processes are maintained.
We endeavour to keep our legal documentation up to date to reflect any changes to our product and/or services to ensure that, as a processor of our customers’ personal information, we meet the requirements of processors under the regulation. We assess our data collection and storage practices to ensure we take the necessary steps to comply.
The goal of this data protection policy is to depict the legal data protection aspects in one summarising document. It can also be used as the basis for statutory data protection inspections, e.g. by the customer. This is not only to ensure compliance with the GDPR but also to provide proof of compliance and accountability.
This data protection policy ensures that Galaxkey:
4. General provisions
This policy applies to all personal information that Galaxkey processes relating to identifiable individuals. This may include commercial information and personal information like:
Galaxkey will review this policy on a regular basis (at least annually) to keep it up to date.
5. Galaxkey’s role
Galaxkey as a data controller
If you are a registered Galaxkey user/customer or a visitor to our website we act as the data controller of personal data. This means that we decide how and why we process your data.
Galaxkey as a data processor
All Galaxkey employees and contractors working for Galaxkey have responsibility for ensuring personal information is collected, handled and stored appropriately. All personal information is handled and processed in line with this policy and data protection requirements by law.
7. Data Protection Law
The General Data Protection Regulation (GDPR) describes how organisations, including Galaxkey, must collect, handle and store personal information.
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
These rules apply regardless of whether personal information is stored electronically, on paper, or on other materials.
8. Data protection principles
Galaxkey is committed to processing personal information in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal information shall be:
9. The Rights of Data Subjects
The GDPR sets out the following rights applicable to data subjects. See the relevant sections for details on how Galaxkey observes the rights of the data subject:
10. Lawful, fair and transparent processing
The GDPR seeks to ensure that personal information is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. All personal information processed by Galaxkey is processed on at least one of the lawful bases allowed for processing personal information (see ICO guidance for more information). They are:
12. Specified, Explicit, and Legitimate Purposes
Galaxkey collects and processes the personal information set out in the Register (see 26 of this policy for further details). This includes:
13. Adequate, Relevant, and Limited Data Processing
14. Accuracy of Data and Keeping Data Up-to-Date
Galaxkey ensures that all personal information collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage (see sections 27 to 30 for further details on the security measures that Galaxkey takes).
17. Records and Accountability
Galaxkey keeps internal records of all personal information collection, holding and processing. This may include:
18. Data Protection Impact Assessment
Galaxkey will carry out a Data Protection Impact Assessment for any new processing requirements or uses of personal information when new technologies or processing are considered which may result in a high risk to the rights and freedoms of the data subject under the GDPR.
19. Keeping data subjects informed
Galaxkey will keep the data subject informed of how their information is collected, processed, transferred, and stored. Galaxkey shall inform the data subject of:
20. Subject Access Requests
Individuals have the right to access their personal information and any such requests made to Galaxkey shall be dealt with in a timely manner.
All individuals who are the data subjects of personal information held by Galaxkey are entitled to:
A data subject can contact Galaxkey requesting this information via a subject access request (SAR) free of charge.
The subject access request should be made by email to email@example.com. Galaxkey will verify the individual making the subject access request before handing over the information.
Galaxkey will aim to respond to such a request usually within one month of receipt, but this may be extended if the SAR is complex. The individual will be kept informed of the progress.
21. Rectification of Personal Data
Data subjects can request that their personal information be rectified. Galaxkey will rectify personal information it holds on request from the data subject in a timely manner. Galaxkey provides an easy method for the data subject to rectify and update their personal information via the Galaxkey website or by emailing firstname.lastname@example.org.
22. Erasure of Personal Data
Data subjects can request that their personal information that Galaxkey holds about them be erased. Galaxkey will erase personal information in accordance with the GDPR. Unless Galaxkey has reasonable grounds to refuse the erasure, all requests will be complied with.
23. Restriction of Processing
Data Subjects can request that Galaxkey stops the processing of their information. Galaxkey will comply and will only retain the personal information of the individual (if any) necessary to ensure that the information is no longer processed by Galaxkey.
Galaxkey ensures the portability of the data subject’s information. To facilitate data portability Galaxkey will make the personal information available in a Galaxkey encrypted format that is securely transferable to the data subject on request. This will be complied with in a timely manner.
25. Objections to Personal Data Processing
Data subjects can object to Galaxkey processing their personal information based on legitimate interests, direct marketing, processing for scientific and/or historical research and statistical purposes. Unless the law allows, Galaxkey will comply with the data subject’s request and stop processing their information.
26. The Rights with respect to automated decision-making and profiling
Galaxkey does not use personal data for automated decision making and profiling.
27. Register of Personal Data Collected, Held, and Processed
Galaxkey sometimes partners with third parties to provide the Galaxkey products and services. The third parties that we partner with are chosen by us; they adhere to the data protection regulation and to data protection and privacy policies and practices.
We may need to share personal account data with these third parties to fulfil our function and contract. We only do this if it is necessary, and when we do, we have safeguards in place to protect the data and privacy as outlined in this policy.
Below are our main third-party processing partners and links to their privacy policies. These partners do not have access to any of the data content protected with Galaxkey software.
28. Secure Transfer and Communications of Personal Data
Galaxkey takes the following measures with respect to all communications and other transfers involving personal information:
29. Secure Use of personal data
Galaxkey takes the following measures with respect to using personal information:
31. Secure Data Disposal
Galaxkey disposes of personal information in a secure manner such that the information is irrecoverable.
Technical and Organisational measures
Galaxkey takes adequate technical and organisational measures to ensure the protection of personal information.
32. Transferring Personal Data Outside the EEA
Galaxkey may transfer personal data to countries outside of the EEA as allowed under the GDPR, including where: the country or territory has adequate levels of data protection for personal information; the country has appropriate safeguards approved by the European Commission and ICO and is compliant with the GDPR; the data subject has provided consent for the transfer; the transfer is needed to fulfil the contract or pre-contractual steps between the data subject and Galaxkey; it is required for public interest; it is required for legal claims; it is required to protect the vital interest of the data subject or other individuals (someone’s life); or the transfer is made from a register that by law is to provide public information that is publicly accessible.
33. Disclosing of data for other reasons
In certain circumstances, Galaxkey is allowed to disclose personal information to law enforcement agencies without the consent of the data subject. Under these circumstances, Galaxkey will disclose requested personal information and will always ensure the request is legitimate by seeking advice from the Galaxkey board members and from Galaxkey’s legal advisers if necessary.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information, Galaxkey shall promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the ICO within 72 hours after having become aware of it. Galaxkey will then follow the advice of the ICO on how to proceed and the measures to take (more information on the ICO website).
Galaxkey aims to ensure that individuals are aware that their personal information is being processed and that they understand how their personal information is being used and how to exercise their rights under the GDPR.
This is available from Galaxkey on request and is available on the Galaxkey website at www.Galaxkey.com
PART B: Your Data Content
Galaxkey realises that customers require privacy as well as data security. That’s why Galaxkey allows customers ownership and control over their data content. Galaxkey provides the customer with technologies, tools and features that allow them to determine their privacy and security through customer control over where information is stored, their security (in transit and at rest) as well as access control and management. Galaxkey can manage encryption keys and identities if the customer chooses and consents to this option; alternatively, Galaxkey does not control the customer encryption keys.
As a Galaxkey customer, you own your data content and you choose which Galaxkey products and/or services you use to protect, process and store your data content. Galaxkey has no access to your data content. You choose the data content that you protect, process and store whilst using Galaxkey.
As a non-paying user, your encrypted data content is stored in our secure Galaxkey cloud in the EEA. As a paying customer, you can choose where to store your data content. This can be on premise or in the cloud.
As a Galaxkey customer, you control your data content. You manage the access to your data content and Galaxkey services and resources through users, groups, permissions and credentials that you control. Galaxkey does not control any of this or your data content. Galaxkey provides strong encryption and data protection technologies for you to secure your data but you control when and how this is used to secure your data content. As a paying customer, you can also decide where and in which jurisdiction your data content is stored. A non-paying user’s encrypted data content is stored in the secure Galaxkey cloud within the EEA.
As a Galaxkey customer, you manage access to your data content and user access to Galaxkey services and resources. Galaxkey provides an advanced set of access, encryption, and logging tools and features to help you do this effectively and securely. Galaxkey has no access to your data content or your encryption keys. We can never use your data content or derive information from your data content. Galaxkey can manage encryption keys and identities if the customer chooses and consents to this option.
As a Galaxkey paying customer, you choose the jurisdiction in which your data content is stored. We do not move or replicate your data content outside of your chosen jurisdiction. Galaxkey uses AWS security approved datacentres to store your encrypted data content if you choose this option. If this is your chosen option of storage, you decide the jurisdiction according to your geographic requirements. A non-paying user’s encrypted data content is stored in the secure Galaxkey cloud within the EEA.
Galaxkey provides strong encryption and data protection technologies for your data content in transit and at rest. Systematic strong encryption and key management processes are in place to protect customer credentials. The Galaxkey architecture does not store any end-user access passwords in any form (encrypted or hashed). We do not have access to your encryption keys. You are responsible for keeping your credentials safe so that no one else can access your account using them. Galaxkey performs cloud and local backups at regular intervals.
Galaxkey utilises security best practices for privacy and data protection to help our customers operate securely when using Galaxkey products and/or services. Our processing partners have adequate levels of protection and comply with their obligations under the GDPR. Galaxkey uses data centres with ISO 27001 accreditation.