Data security and processing policy

Article 1 – Introduction

The implementation of the General Data Protection Regulation in May 2018 brought new obligations taxable to companies and subcontractors.

In order to meet its regulatory obligations, improve its processes to permanently integrate the information security aspect, and thus improve the practices of all technical teams, Axelor has implemented this Data Security and Processing (referred to as PSTD in the remainder of this document), which is reviewed regularly.

The PSTD is distributed to all concerned, and Axelor implements the training and information necessary for its understanding, proper implementation and compliance.

The PSTD describes the commitments made by Axelor in terms of the security of data and applications hosted on its servers at OVH.

The PSTD applies to all services provided to clients.

The reference documents are as follows:

• Privacy policy
• The regulations relating to the Protection of Personal Data:
• Law n ° 78-17 of January 6, 1978 relating to computers, files and freedoms, amended by Law n ° 2018-493 of June 20, 2018.
• The General Data Protection Regulation (GDPR)

Article 2 – Stakes and objectives

The security of the Axelor hosting platform and applications is a major issue for Axelor in order to guarantee the protection of the company’s own interests, as well as that of its customers.

The PSTD is therefore implemented to take into account the main risks incurred and identified:

• Risk of unavailability of information and applications, and systems processing them.
• Risk of disclosure, or loss of confidentiality, of information provided by our customers and for which we act as a subcontractor.
• Risk of alteration, or loss of integrity, which could lead to a loss of information for our customers.

The implementation objectives of the DSPP are:

• Improve and formalize the management of the security of applications and their hosting.
• Extend best practices to all the services offered by Axelor.
• Ensure that Axelor complies with its legal obligations regarding the management of Personal Data (Data Protection Act, GDPR) as a subcontractor.
• Create a culture of safety with Axelor’s teams, and with its customers.

Article 3 – Organization of information security

Each employee has a job description that describes their missions, their positioning within the Axelor organization, their main activities, and the know-how and interpersonal skills they must master to carry out their missions.

Security is managed:

– At the strategic level at least once a year during a management review dedicated to safety.

– At the operational level during a monthly review.

The department heads are responsible for their teams’ compliance with the DSPP put in place.

Article 4 Human resources security

4.1 hiring

A structured onboarding process is put in place for each new employee. Access rights to information and applications may change depending on the status of the integration (minimum duration of presence, trial period completed, etc.).

4.2 Confidentiality

All Axelor employees have signed a confidentiality clause in their employment contract and have read the DSPP and are committed to respecting and enforcing it.

Axelor will therefore do everything in its power to respect the confidentiality of the data and documents sent to it

4.3 Security awareness

The process of supporting a new employee includes security awareness. Awareness sessions are also organized annually.

4.4 Competence and training

Skills management allows Axelor to identify training needs.

The department heads define the training needs for their teams, and send them to the HR department for consolidation and validation of an annual training plan.

4.5 Leaving of an employees 

A formalized process makes it possible to structure the actions to be taken upon the departure of any employee, and in particular the closing of their accounts for accessing the various resources to which they were entitled.

Article 5 – Authentication – Access control

5.1 Password policy

Each user is identified by a unique identifier and a strong password.

The password policy for users of hosted services is as follows:

– Personalization by the user during his first connection to the production environment.

– Minimum size: 8 characters.

– Complexity: at least 3 different types of characters among: lower case, upper case, numbers and special characters.

Passwords are personal and confidential, so they are not stored by technical teams.

If for any reason a technical worker needs to know a user’s password, the latter will be asked to change it before communicating it to the technician, and he will be obliged to reset it when logging in. next.

Administration accounts follow the same rules as users. These passwords are stored in a secure and encrypted database.

5.2 Management of permissions 

The day-to-day administration of the hosted environments is carried out by Axelor’s technical team through administration accounts with limited rights. Access by other technical staff is only authorized for the duration of the assignment or planned intervention.

5.3 Access rights 

Administrative access rights to the entire Axelor Information System are reviewed at least once a year..

Article 6 – Physical and environmental security

6.1 Hosting  and location

All of our servers are hosted by OVH on dedicated servers offering additional configurations and performance compared to the Cloud. The servers are fully managed by the Axelor teams.

The data (stored on the servers) is hosted in France on the sites of Gravelines, Roubaix or Strasbourg.

The bandwidth of the servers is at 1 Gbps (outgoing and incoming BP).

6.2 Security of OVH datacenters

– Location: data centers more than 200 km away in order to ensure redundancy and continuity of service. Possibility of PRA / PCA

– Electrical safety: systematic double power supply, inverters of 250KVA each, generators with an initial autonomy of 48 hours, 2 network arrivals minimum to the data center; inside, 2 twin network rooms capable of taking over from one another.

– Physical security: on-site presence, access controlled by badge, video surveillance, motion detection and 24/7 security; rooms equipped with smoke detection systems, access authorized only to OVH staff, with a nominative RFID badge for each employee to which their access rights are associated.

– Fire safety: fire detection and extinguishing system, fire doors. Compliance with the APSAD R4 rule for the installation of portable and mobile fire extinguishers, and possession of the N4 certificate for all centers.

– Anti-DDoS protection: implementation of 9 anti-DDoS infrastructures with a capacity of 6x600Gps + 1x 240Gbps + 2x120Gbps in OVH data centers.

– Service 365 days x 24h: management, maintenance and supervision of services.

– Eco-responsible: 98% of accommodation rooms do not have air conditioners, watercooling allowing to dissipate 70% of the heat emitted by the processor, aircooling allowing to evacuate the remaining 30%. PUE less than 1.2.

– Compliance with international requirements: OVH is ISO 27001: 2005 certified for the supply and operation of dedicated cloud computing infrastructures. The company relies on ISO 27002 and ISO 27005 standards for safety management and risk assessment and associated treatments, and has received SOC 1 and 2 type II certificates.

Article 7 – Saas infrastructure, backups and monitoring

7.1 Backups

Applications and their data are backed up daily. Two daily backups at 3:00 a.m. and 1:00 p.m. are performed.

The backed up data are: database and attachments.

These data are stored on a dedicated server isolated from production servers

7.2 Monitoring

The servers and applications are monitored 24 hours a day, 7 days a week by our internal Nagios monitoring system.

The following components are monitored: PING / CPU / RAM / Disk Space / Connection page response time / Number of database connections.

In the event of a failure, email / Chat alerts are sent to the teams for intervention (in the event of a critical failure) or for monitoring (in the case of a simple warning).

Article 8 – Compliance with European requirements

8.1 Right of access to your personal data

In accordance with European regulations, you have the right to access, rectify, delete, and limit the processing of your personal data. You also have the right to object to the processing of your information or to export it to another service. You just have to contact Axelor to exercise your right (how?).

8.2 Data controller

Axelor is the data controller of your personal data, that is to say, Axelor is responsible for processing your information and complying with applicable privacy laws.

8.3 Purposes and legal bases

Axelor processes your personal data for the purposes described in the Data Privacy Policy.

Your consent is collected for the processing of your personal data, and you are free to revoke your consent at any time:

• By modifying your settings in the Cookie Statement on our website
• By contacting rgpd@axelor.com

Axelor processes your personal data in accordance with its legitimate interests, as well as those of third parties, while applying the protective measures described in this PSTD, and in particular to perform the following operations:

• Offer its services, ensure their operation and improve them to meet the needs of our users;
• Develop new products and new features;
• Understand how its services are used to ensure and improve performance;
• Customize its services to provide a better user experience
• Carry out marketing actions to make its services known to users;
• Detect, avoid or deal with fraudulent activity, abuse, security breaches or any technical problem encountered by its services;
• Protect against any infringement of the rights, property or security of its applications, as well as those of its users, in application and in compliance with the law;
• Enforce court decisions, including to note possible cases of non-compliance with the applicable conditions of use.

Axelor also processes your data quite simply in order to provide you with access to its applications, or a service to which you have subscribed, a contract being concluded between you and Axelor in both cases.

Finally, Axelor processes your personal data to meet a legal obligation to do so, for example to comply with legal or administrative obligations.

Article 9 – Data processing as a processor

When you decide to use an Axelor application and call on our services for its integration into your IS, we may need to process the personal data that you collect as a subcontractor.

9.1 Definition

For the application of this article, the following terms should be understood in the sense defined below

Data Controller: means a natural or legal person, public authority, service or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, in this case “you” , when using an Axelor application.

Data subject: person to whom the Personal Data relates.

Instruction: written and documented instruction, issued by the Data Controller to the Processor, asking it to take specific action with respect to Personal Data (including, but not limited to, de-personalization , blocking, deletion, provision).

Personal data: any information relating to an identified or identifiable person containing such information in Customer Data, and protected in the same way as personal data or personally identifiable information in accordance with the Data Protection Act .

Processing: any operation or set of operations carried out on personal data, for example the collection, recording, organization, structuring, storage, adaptation or alteration, recovery, consultation, the use, disclosure by transmission, broadcast or other means of making available, aligning or combining, restricting, erasing or destroying data.

Subcontractor: natural or legal person, public authority, service or other body which processes Personal Data on behalf of the Data Controller, in the case of “Axelor”.

9.2 Objet 

The purpose of this article is to define the conditions under which Axelor undertakes to carry out on your behalf the processing operations of personal data defined below.

As part of their contractual relations, the parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016. applicable from May 25, 2018 (hereinafter, “the GDPR”).

9.3 Description of the processing which is the subject of the subcontracting.

You authorize Axelor to process the personal data necessary to provide you with the following service: hosting data on an instance of an Axelor application.

Within the framework of these services, the nature of the operations carried out on the data are as follows: recording, conservation.

The purposes of the processing are defined in your contract.

Personal data may relate to the following categories of person: customer, prospect, supplier, employee.

You must not use the Axelor applications for a processing purpose other than those listed in your contract and you agree to be the contact person for Axelor with regard to data protection.

9.4 Duration of service

This article applies for the duration of your use of the Axelor applications.

9.5 Axelor’s obligation toward the customer.

1. Axelor undertakes to process data only for the sole purposes listed in point 9.3.
2. You cannot issue instructions. The only general and tacit instruction taken into account by Axelor will be that of storing and hosting the data. Axelor considers that the processing carried out according to this tacit instruction does not constitute a violation of the GDPR or any other provision of Union law or of the law of the Member States relating to data protection. In addition, if Axelor is required to transfer data to a third country or to an international organization, under Union law or the law of the Member State to which it is subject, it must inform you of this legal obligation before processing, unless the law concerned prohibits such information for important reasons of public interest.
3. Axelor undertakes to guarantee the confidentiality of personal data processed under the Contract.
4. Axelor undertakes to ensure that the persons authorized to process personal data under the Contract:

• Undertake to respect confidentiality or be subject to an appropriate legal obligation of confidentiality
• Receive the necessary data protection training by default

5. Axelor undertakes to take into account, when it comes to its tools, products, applications or services, the principles of data protection from the design stage and of data protection by default.
6. You acknowledge that you have authorized Axelor to call on the OVH RCS LILLE METROPOLE Host 424 761 419 00045 to carry out processing activities relating to data retention as part of the hosting service offered by Axelor.

In the event of the recruitment of other subsequent subcontractors, Axelor must obtain your prior and specific authorization as a client.

The Host or any other subsequent subcontractor is required to comply with the obligations of this article on behalf and according to your instructions. It is up to Axelor to ensure that the Host or any other subsequent subcontractor presents the same sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the European regulation on data protection. If the Host or any other subsequent subcontractor does not meet its data protection obligations, Axelor remains fully responsible to you for the performance by the Host or any other subsequent subcontractor of its obligations.

7. It is your responsibility to provide the information to the persons concerned by the processing operations when collecting their data.
8. As far as possible, Axelor undertakes to help you fulfill your obligation to respond to requests for the exercise of the rights of data subjects: right of access, rectification, erasure and opposition, right to limitation of processing, right to data portability, right not to be the subject of an individual automated decision (including profiling).
9. When the data subjects make requests to Axelor to exercise their rights, Axelor must send these requests by email to the contact person you have designated as soon as they are received.
10. Axelor will notify you of any personal data breach within a maximum of 36 hours after becoming aware of it by any means. This notification is accompanied by any useful documentation to enable you, if necessary, to notify this violation to the competent supervisory authority.
11. Help from Axelor in meeting your obligations. Axelor helps you to perform data protection impact assessments. Axelor helps you to carry out the prior consultation of the supervisory authority.
12. The security measures that Axelor undertakes to put in place are described in the previous points of this PSTD.
13. At the end of the provision of services relating to the processing of this data, Axelor undertakes to destroy all personal data. Once destroyed, Axelor justifies the destruction in writing.
14. Axelor has not appointed a data protection officer.
15. Axelor declares that it keeps a written register which identifies the customers for whom it keeps and records data. No data processing other than this is carried out by Axelor for any of its customers.
16. Documentation. Axelor provides you with the necessary documentation to demonstrate compliance with all of its obligations and to enable audits, including inspections, to be carried out by you or another auditor appointed by you, and to contribute to these audits.

9.6 Obligation of the Customer towards Axelor.

1 You agree to ensure, beforehand and throughout the duration of the processing, compliance with the obligations provided for by the GDPR on the part of Axelor

2 You agree to oversee the processing, including performing audits and inspections at Axelor.