- Data Protection
- Capsule data storage and the EU Data Protection Directive
- How does Capsule ensure secure storage of the data I hold?
- Who can access my data?
- How are users I invite protected from unauthorized use of their log-in
- What information is available to monitor who is accessing my data?
- Will my data be shared with third parties?
- What is Capsule’s data deletion and retention policy, and associated timescale?
- How can I get a copy of the data I store on my Capsule account and will it be in a format I can use?
- How is my data protected from accidental destruction?
- What service levels do you provide for Capsule and will the capacity of Capsule allow for demand from other customers or will it impact the quality of my service?
- Can I get access to my data where and when I want it?
- In what countries does Capsule process your data and what safeguards are in place at these locations?
- Will Capsule only process data in accordance with my instructions, and is there a written contract?
- What is Capsule doing to prepare for GDPR?
This FAQ is intended primarily to help our European Union (EU) customers assess their compliance with EU data protection requirements.
The requirements of the EU Data Protection Directive have been implemented in different ways in each EU member state. So, for example, in the UK the Directive has been implemented through the Data Protection Act 1998 and in Germany through the Federal Data Protection Act. The law that applies to you will generally be that of the EU country in which you are resident or, if you are a business, in which you are established.
However, one common thread is that responsibility for complying with the Directive rests with the data controller. As you are the data controller in respect of personal data you store on Capsule, it is your responsibility to ensure compliance with the data protection law of your home country.
In order to make an assessment of whether Capsule allows you to meet the requirements of your local data protection laws, we recommend that you carry out a simple risk analysis. As a starting point, the UK Information Commissioner’s Office (ICO) has produced a useful general Guide to data protection and Guidance on the use of cloud computing that provides a helpful checklist (on page 22) that a data controller should consider in assessing the credentials of any provider of internet-based services.
Answers to the following questions will help you complete a risk analysis for yourself or your organization. We provide them in the firm belief that Capsule is well placed to protect the personal data that you entrust to us in accordance with your local data protection law.
Our Security page explains our approach to ensuring the safety of your data, including details on data center security, data encryption, security updates and third party reviews.
You choose who to invite to your Capsule account and the permissions they have. You may also choose to grant access to other applications that integrate with Capsule. You should apply the same security assessment to any application or third party which you grant access to.
Capsule staff (or third parties we use) do not have access to passwords or the ability to log in to your account. You may choose to invite us as a temporary user to help us resolve a question you have.
In order to provide the service, we do have authorized operations staff with access to the underlying infrastructure and therefore the underlying data in raw form. However, we never access specific customer data unless we are working with the customer to investigate a problem and we have permission from the customer to run a specific query on the data to help us narrow down the issue.
When you invite a user to Capsule, they choose a username and password that they will use to log in to Capsule. Currently, when a user sets a password, Capsule follows NIST guidelines, which means the user must choose a secure password of at least 8 characters that is not a commonly used password (such as password or 12345678). We may revise password rules in line with NIST or other best practice guidelines in the future.
We recommend that you ask your users to enable two-factor authentication (2FA) on their accounts. Two-factor authentication helps protect a user’s account even if someone has obtained or guessed their password.
In the Users list of your Capsule account settings, you can see which users have enabled two-factor authentication.
For accounts integrated with a Google G-Suite account, users log in to Capsule using Google’s single sign-on service (SSO) without re-entering their G-Suite password into Capsule. Refer to G-Suite documentation for managing user security.
The account owner can monitor log-in activity on the account by visiting Account Settings > Users > Recent Logins.
As described in clause 6.3 of the Capsule Terms:
“When an account is cancelled, the account and any content left behind in the account will be made inaccessible. For a period of 14 days after any account has been cancelled you may request that we restore your account. After this period, your account and all data contained within it will be permanently deleted and the agreement between us as set out in these Terms will automatically terminate. Please note that partial data may reside on our archival systems for backup purposes for a period of up to 50 days.”
How can I get a copy of the data I store on my Capsule account and will it be in a format I can use?
Capsule provides a function to export your data. The export includes a separate file for your contacts, cases and opportunities. Each is a .csv file that can be opened in a range of spreadsheet applications. Read more about how to do an export in our support docs.
Our systems automatically replicate your data across multiple locations in real-time to maximize availability. Data is also constantly backed up to ensure we can restore access to your data and the service in the unlikely event that the data replicas in all locations fail at once.
In the event that one of your users accidentally deletes a record, the account owner has 30 days to restore it. Read more on how to restore records in our support docs.
In addition, you have the ability and are encouraged to download and retain your own backup.
What service levels do you provide for Capsule and will the capacity of Capsule allow for demand from other customers or will it impact the quality of my service?
Capsule benefits from Amazon’s EC2 Service Level Agreement, which is designed to provide 99.95% uptime. Typically we achieve better than this, and our published uptime report demonstrates our track record.
Capsule operates with spare capacity to support the demands of all customers, and because Capsule is hosted on a cloud platform, we can increase capacity at short notice. Fair use rate limits and other protections are also applied to all customers of Capsule to protect against one customer impacting the quality of the service.
We aim to make Capsule available 24/7, and you can securely log in to access your data at a time and place convenient to you through a PC, Mac, or your mobile phone.
In what countries does Capsule process your data and what safeguards are in place at these locations?
Your data will only be transferred to a country that the European Commission has determined provides an adequate level of protection, or to service providers who have an agreement with us committing to the Model Contract Clauses defined by the European Commission, or certified under the Privacy Shield. Further information on Model Contract Clauses can be found in the UK Information Commissioner’s Office (ICO) guide.
Our servers and your data are hosted securely in Amazon’s US data centers. We have signed a Data Processing Addendum agreement with AWS that commits to the Model Contract Clauses, as defined by the European Commission. This enables transfer of data to AWS in accordance with UK data protection laws.
Much of the GDPR, which comes into effect in May 2018, builds on the existing EU data protection framework, for which we are already well placed. However, GDPR does introduce a number of changes that impact on us and you.
The actions we are taking to prepare include:
- Putting in place a Data Processing Agreement, which is an extension of our Terms & Conditions that sets out the obligations between us, and permits Capsule to continue to receive and process the data you upload to the system when GDPR takes effect in May 2018.
- Reviewing Capsule functionality to consider whether we can make any improvements that make Capsule more efficient for users who are subject to GDPR.
From a customer perspective, GDPR does raise the bar on data privacy. We suggest you review the advice given by the UK Information Commissioner’s Office (ICO), as they are responsible for implementing the GDPR legislation in the UK. They provide practical advice such as an overview including key areas for Data Controllers to consider and get in place for May 2018, along with their 12 steps to take now.
The Information Commissioner has also started posting a series of myth-busting articles that set out to explain that GDPR is an evolution, not a revolution, and that clarify questions like “Do you require consent to process personal data?”.