Real-Time Delphi in Practice

Calibrum GDPR Compliance

Updated May 14, 2018 

 

About Calibrum GDPR Compliance

Calibrum will be GDPR (General Data Protection Regulation, https://www.eugdpr.org/) compliant by the May 25, 2018 deadline. Calibrum will also enable its customers to be GDPR compliant when using its software products. The two areas discussed on this page enable the user to modify or delete a data point (such as a name), or delete an entire data set (such as a survey definition and its related respondent data). If you have additional questions about GDPR compliance, please contact Calibrum Support by selecting “Contact Us” in the upper-right corner of this web page.


Calibrum encourages its customers to seek their own legal advice as to how best to comply with GDPR.

  

Data Modification

A survey response can be edited if the user is allowed to do so (Survey Administrators control this by setting the survey status to "Open"). This enables the user to correct errors and fulfill certain privacy legislation obligations.

  

Data Deletion

Users solely determine when and what data to delete. Calibrum provides the platform; users collect and control their data. A user (including the Survey Administrator) with the proper permissions may:


- delete an individual data point (e.g. city)

- delete a single response

- delete multiple responses

- delete all responses

- delete the entire survey project (all related data)


These deletion (and modification) options enable the user to fulfill certain privacy legislation obligations.

 

When an entire survey project is to be deleted, three steps are required. These actions permanently delete data and associated/derivative information, including the survey definition and reports. Once the project is deleted, all information is then unrecoverable.

 

Backup & Data Retention

This section pertains to data in the Services, not Calibrum internal company retention procedures. All respondent data are backed up by Calibrum using two methods: automatic propagation across servers (immediate upon collection) and daily complete off-site encrypted backups. However, customers are encouraged to back up their data in case of accidental deletion/modification caused by one of their users, and for their own archive/data retention policies.


AUTOMATIC PROPAGATION

Calibrum uses advanced data storage technologies that record data to more than one physical device. This process is accomplished as soon as data is written, typically within a few seconds. It protects against storage device failure.


PERIODIC BACKUPS

Calibrum performs a full daily backup of all production data. These backups are stored at alternate data centers in the same region where the data were created. Every backup file is encrypted using an advanced crypto method with a large key (for security reasons, details are not released).


DATA RETENTION

Since customers/users own and control their data, they are responsible for accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership of their data. They are also responsible for backup (there are numerous download formats and mechanisms) and retaining the backup according to their own retention policy. Depending on how active data were deleted, it may be possible for the user to undelete it using a feature in the software. Once data are permanently deleted, then the user must restore from a personal backup. Survey definitions, response data, and other information may be easily exported to the user’s own system/device. This is highly recommended as Calibrum is under no obligation to restore lost data not caused by its own negligence.


Complete daily backups of data are retained for 90 days. However, restoration from these backup data sets is for disaster recovery only. The backups are electronic (no tape) and stored in an alternate data center in the same region.


Deprecated or defective media (specifically, hard drives) are erased according to a U.S. Department of Defense compliant 3-pass overwrite standard, and/or physically destroyed.


Upon termination of a service agreement, data are retained for a short period of time to allow the customer to download and archive. After that, data may be unrecoverable. As stated elsewhere, data may be deleted by the user at any time using the standard web interface. It is incumbent upon the customer to determine its own data retention obligations as they relate to its company policy or legal obligations.


While there has never been a request for a litigation hold, since the account is under the customer’s control, it is up to the Survey Administrator to disable user access to the account and prevent data from being modified. Calibrum has the ability to disable the entire brand, meaning no customer access whatsoever. Even so, Calibrum cannot legally represent anything related to the account usage or data for litigation purposes.