LEGAL

Website Privacy Policy

Last modified: November 30, 2018

Here is an overview of the Presslabs Website Privacy Policy, covering our general confidentiality policy, the information we collect and the way we use it, as well as its security and the legal framework.

This Privacy Policy explains what personal data we collect about you, our website visitor, in what ways, for what purpose, who has access to it and for how long we store it. It also informs you how we protect and secure your data and about your right to access, rectify, oppose and erase personal data.

In case you are a CUSTOMER of ours, please refer to the Privacy Policy document.

S.C PRESSINFRA S.R.L. is the company operating www.presslabs.com, hereinafter referred to as PRESSLABS, registered at the Trade Office under J35/1528/2017, unique identification number RO37483630, in Timișoara, Romania, 18 Traian Vuia Street. You can reach us at our general contact address ping@presslabs.com or for privacy and data protection matters at privacy@presslabs.com.

1. The information we collect from our website visitors and how we use it.

1.1. Abuse prevention

1.1.1. What & how. When you visit www.presslabs.com we indirectly collect information that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. PRESSLABS also collects Internet Protocol (IP) addresses via third party apps.

1.1.2. Purpose. The purpose of data collection is to prevent abuse of PRESSLABS’ website, such as attacks. We also use this data to publish reports containing only aggregated data.

1.1.3. Legal basis. Our basis for processing this information is a legitimate interest to be able to protect and secure our service.

1.1.4. Who has access. Our development and support team has access to this data. This information is also available to our subprocessors’ authorized persons and to our collaborators and contractual partners with whom we cooperate based on confidentiality obligations and data processing agreements.

1.1.5. How long. The IP address is stored for 14 days and is backed up on secondary backup systems for archiving purposes.

1.2. Marketing, traffic and user behavior

1.2.1. Newsletter

What & How. For sending regular newsletters and informing prospective and current Customers about our service we collect the following personal information: e-mail.

Purpose. Our newsletter subscription is for sending notifications about our services and updates and for marketing purposes.

Legal basis. We process this information based on your consent.

Who has access. We use a third-party service (MailChimp) to send out campaigns, and our marketing and admin team has access to the personal data. MailChimp is a US-based company registered under the Privacy Shield agreement.

How long. The personal data is stored in MailChimp until you request us to delete your e-mail or until unsubscription.

1.2.2. User traffic analysis

What & How. We use analytics providers such as Google Analytics. Google Analytics uses cookies to collect non-identifying information. Google provides some additional privacy options regarding its Analytics cookies at http://www.google.com/policies/privacy/partners/.

Purpose. We use these data for marketing purposes in order to learn more about our visitors and potential customers.

Legal basis. We process this information in our legitimate interests to improve our service.

Who has access. Our marketing and admin team has access to this data.

How long. Age range, gender, language, browser, operating system, location, network and mobile device are stored for 14 months in Google Analytics.

2. The information we collect from our Job candidates and how we use it.

What & how. We often have job openings and we set up an application form in our dedicated Jobs section. We ask for full name, e-mail, telephone number, Github handle, a motivational description about why they want to join our team, relevant links and their CV.

Purpose. This information is processed for recruitment purposes, for receiving job applications and selecting candidates.

Legal basis. We process this information based on your consent.

Who has access. We use a third party form tool to directly collect the information from you and Dropbox to store your application. Please also check out Dropbox Terms and Conditions and Privacy Policy before sending your application to PRESSLABS. Our marketing department and the administrative team have access to this data.

How long. We store this data for up to 5 years.

3. Where is the data stored?

PRESSLABS processes the collected information on servers situated in the EU and abroad, especially in the US, under the Privacy Shield agreement. We rely on sub-contractors for specific parts of our operations; however, we only work with sub-processors who take compliance with GDPR and similar data protection laws seriously.

A list of all our sub-processors is available here

4. How do we secure and protect WEBSITE VISITOR information?

PRESSLABS takes all the necessary technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

Access control

All PRESSLABS computers are password protected with strong passwords (minimum 10 characters long, letters, numbers and special symbols). In case a laptop is stolen or lost, the corresponding SSH key used for connecting to the PRESSLABS infrastructure is immediately disabled in order to prevent unauthorized access to any parts of the infrastructure.

The data centers where personal data is stored are strictly monitored and protected, in accordance with each supplier’s policies. More details about the suppliers and their level of security can be found in the Data Centers section of PRESSLABS’s website.

Pseudonymization

The logs stored by PRESSLABS go through pseudonymization, meaning that only a part of the IP addresses is retained. The only exception is a set of logs with full IP addresses, which are kept for the past 14 days. The only purpose for keeping these logs is to mitigate potential attacks carried out by certain IPs against PRESSLABS’s infrastructure. After 14 days these logs are automatically purged.

Availability and Resilience

All PRESSLABS’s internal administration systems have the relevant data backed up on a daily basis. The backups are stored for 90 days. Wherever applicable, PRESSLABS uses disk mirroring on all relevant servers. All internal systems are constantly monitored using internal and external monitoring services, with alert notifications as well as automatic notification with escalation policies in place, in case of incidents.

Regarding the servers where data is stored, PRESSLABS’s backup policy is detailed in the Docs.

All sites hosted by PRESSLABS are automatically scanned for malware and viruses by a third-party provider, StatusCake.

In case of DDoS attacks, depending on the capacity of PRESSLABS’s suppliers, the traffic is either filtered and dropped at the entry in the supplier’s network, or the attacked server(s)/IP(s) are null-routed and all the traffic is routed to other, clean IPs. All front-end servers have at least 3 available IPs at any time, in order to be able to mitigate such DDoS attacks.

5. Data breaches. How do we respond to security incidents?

A personal data breach can happen for a number of reasons, for example: inappropriate access controls allowing unauthorized/unnecessary access to data, equipment failure, human error, hacking attack, loss or theft of data or equipment on which data is stored, or through which it can be accessed.

As soon as a personal data breach is identified or suspected it is immediately reported to the Level 2 Support team.

Depending on the type and severity of the incident, the Level 2 Support team will assess whether a full investigation into the breach is required. The investigation will:

a) Establish the nature of the incident, the type and volume of data involved and the identity of the data subjects

b) Consider the extent of a breach and the sensitivity of the data involved

c) Perform a risk assessment

d) Identify actions PRESSLABS needs to take to contain the breach and recover information

e) Assess the ongoing risk and actions required to prevent a recurrence of the incident.

The General Data Protection Regulation (GDPR) requires data controllers to report all relevant breaches to the supervisory authority within 72 hours of becoming aware of a relevant breach. If the breach is evaluated to result in a high risk for the rights and freedoms of the data subject, the incident will also be reportable to you without undue delay.

6. What are your rights?

GDPR makes data subjects’ rights much more explicit. Please find below information about individual rights.

In order to exercise your rights, please send us your request by email at privacy@presslabs.com. The request will be handled by our Support and Administrative teams, based on the nature of the request. We will respond promptly or no later than 30 days. If you are a user of our Customer’s website and you want to exercise your rights we will forward your request to our Customer, as they are responsible for handling your request as data controllers.

6.1. The right to be informed and to have access to your data

Individuals can obtain confirmation of whether a controller processes personal information about them, and can be provided with details about that personal information and have access to it. Individuals should receive a description of the personal information being processed, the purposes for which personal information is being collected and processed, and the recipients or categories of recipients to whom personal information is disclosed.

An individual may make a request only in respect of their own personal information. However, an individual may give their consent, in writing, to another individual to make a request on their behalf (e.g. a lawyer acting on behalf of the individual). The communication of the individual’s personal information will be in an understandable form and without compromising the privacy of other individuals.

A right to access may be restricted where providing access would be impossible or involve disproportionate effort.

Access to personal information may be limited to the extent that granting full access would reveal confidential commercial information (e.g. where the information is subject to contractual obligations of confidence or is being processed as part of an ongoing audit, investigation or enforcement activities).

6.2. The right of rectification.

Individuals have the right to correct data if it is inaccurate or incomplete.

6.3. The right of erasure (“the right to be forgotten”).

Individuals can request the data controller to erase personal information about them in case the data collection was unlawful, or on other legal grounds.

6.4. The right to object.

Individuals have the right to object to the processing of their data.

6.5. The right to restriction.

This is a right for an individual to require a data controller to restrict processing of personal information about them in order to limit future processing operations.

6.6. The right not to be subject to automated decision making processes

You have the right not to be subject to a decision based on automated processing that results in a legal effect.

6.7. The right to data portability.

You have the right to receive your personal information in a structured, commonly used and machine readable format and to transmit that information to another controller, if certain grounds apply.

Individuals have the right to complain to the National Data Protection Authority and to address a court.

Where the processing operations were based on consent, you have the right to withdraw your consent at any time. Withdrawing your consent will only have effect in the future; the processing operations prior to withdrawal of consent will remain valid.

7. How do we cooperate with public authorities?

PRESSLABS discloses personal information only in response to a subpoena, court order or other governmental request. If a governmental body sends PRESSLABS a demand for Customer’s data, PRESSLABS will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, PRESSLABS may provide Customer’s basic contact information to the government body. If compelled to disclose Customer’s data to a government body, then PRESSLABS will give the Customer reasonable notice of the demand, unless PRESSLABS is legally prohibited from doing so.

8. Changes brought to the Privacy Policy

Please take into consideration that our Privacy Policy for website visitors can be periodically modified. We will provide notice of the new provisions on our blog. Your rights arising from the Privacy Policy will not in any case be reduced. Changes brought to the general Privacy Policy will be posted on this page.

The policy is based on the provisions of the General Data Protection Regulation (GDPR) and it is applicable as of 25 May 2018. Romanian Law 677/2001 on the protection of individuals regarding the processing of personal data and free movement of such data has been replaced by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the GDPR).