Cloud Security

Description

This article gives an overview of data security, processing, and protection in eWay-CRM, including GDPR compliance.

Content:

  1. Compliance with applicable data protection regulations (GDPR)
  2. Availability of a Data Processing Agreement (DPA)
  3. Overview of the technical and organizational measures (TOMs) in place to protect data
  4. Information on data encryption
  5. Location of data hosting / processing
  6. Access control and authorization mechanisms
  7. Backup and disaster recovery procedures
  8. Any relevant certifications (e.g. ISO 27001 or comparable standards)

1. Compliance with applicable data protection regulations (GDPR)

eWay-CRM is fully GDPR compliant. Both the Business Terms and Conditions and the Privacy Policy explicitly reference adherence to GDPR and related legislation. Both we as the provider and the client must follow GDPR rules regarding personal data, including obtaining required consents and ensuring lawful processing.

2. Availability of a Data Processing Agreement (DPA)

A Data Processing Agreement (DPA) is available. Data processing is governed by the Business Terms and Conditions and the Privacy Policy, and a DPA template is maintained and can be provided to clients upon request.

3. Overview of the technical and organizational measures (TOMs) in place to protect data

Technical and organizational measures include:

  • Use of secure data centers (Cloud4com in the EU, OVH US in the USA)
  • Regular backups and offsite storage
  • Use of Cloudflare for additional network security and DDoS protection
  • Role-based access control and minimum permissions principle
  • Anti-malware protection and EDR (endpoint detection and response) are used
  • Active log monitoring (SIEM-like)
  • Encryption of endpoint devices
  • Regular process reviews
  • ISO 27001 certification

4. Information on data encryption

  • Data is encrypted in transit using HTTPS (TLS)
  • We do not encrypt data at rest

5. Location of data hosting / processing

Data hosting is determined by client location:

  • US / Canada: Data is hosted in Virginia, USA (OVH US)
  • EU and others: Data is hosted in Prague, Czech Republic (Cloud4com)

6. Access control and authorization mechanisms

Access is strictly controlled:

  • Role-based access, minimum permissions, authentication, and audit logging are implemented
  • Only authorized personnel can access production systems

7. Backup and disaster recovery procedures

  • Regular backups are performed
  • Backups are kept for 2–3 weeks, also stored offsite
  • Disaster recovery can restore the platform from backups
  • eWay-CRM Desktop also supports offline mode, allowing recovery from the local database

8. Any relevant certifications (e.g. ISO 27001 or comparable standards)

  • eWay-CRM is ISO 27001 certified. The certificate is available here.
  • Our hosting partners (OVH, Cloud4com) also hold ISO 27001 and other certifications