Skip to main content
GDPR Compliance using Druva inSync
Updated over 8 months ago

Overview

The General Data Protection Regulation (GDPR) is legislation enforced to strengthen and unify data protection across the European Union (EU). The GDPR applies to any organization in the EU or based outside of the EU that processes personal data of EU citizens or other nation citizens based out of EU. Please refer to this Druva white paper which describes how businesses can comply with GDPR.

inSync provides features to meet many obligations required by the GDPR regulation.

Data Security and Protection


📝 Note
Relevant GDPR Articles:

  • Article 5: Principles relating to the processing of personal data

  • Article 25: Data protection by design and by default

  • Article 32: Security of processing


The following inSync features enable data security and protection.

Secure by Design

inSync is built with the primary goal of data security. Druva’s approach to storing enterprise data, utilizing advanced data-scrambling and envelope-based encryption model guarantees that the user data is secured.

inSync has also completed SOC-2 Type II, HIPAA audits, and is FedRAMP ATO (Authorized to Operate), which emphasizes Druva's commitment to meeting and exceeding the highest security standards. For more information, see the Druva Security whitepaper.

Secure data using encryption

By default, inSync backs up the user data to inSync Cloud and restores the user data from inSync Cloud over a secured TLS v1.2 channel. However, inSync can be configured to encrypt data on the user devices, that provides a powerful, multi-layered protection of critical data that resides on your organization’s devices. For more information, see Data Loss Prevention.

Prevent unauthorized access to user information

Based on the user role, administrators can configure a Geofencing policy that restricts access to inSync from outside the corporate network. This helps administrators control, monitor, and protect the data from unauthorized access from outside the organization. For more information, see Configure Geofencing Policy in your organization.

Prevent loss of data

To prevent loss of data, organizations can back up data on the user devices frequently using the profile associated with a user. For more information, see Configure the backup schedule.

Data preservation can be achieved by defining the retention period of the backup data, which helps ensure data availability and robust data recovery in case of loss of data or the user device. For more information, see Configure the backup retention policy.

Data Viewing and Monitoring


📝 Note
Relevant GDPR Articles

  • Article 33: Notification of a personal data breach to the supervisory authority

  • Article 34:Communication of a personal data breach to the data subject

  • Article 35:Data protection impact assessment


The following features help the data compliance authority to view the data retained by your organization and comply with the reporting requirements in case of a data breach.

Data Data Governance and Sensitive Data Governance

You can utilize the Sensitive Data Governance1 capability that provides visibility into retention of sensitive and personal data and lets you proactively track, monitor, and get notified for data compliance risks in your organization.

Data Governance enables you to analyze and identify usage trends, globally search and filter files and folders across all devices, and set up real-time alerts to handle IT issues proactively.

  • Administrators can utilize the Federated Search capability to quickly find end-user files and emails that are backed up by Administrators can download the search results for offline review or ingest the files and emails into a third-party tool for further analysis.

  • Using the Legal Hold APIs, you can integrate inSync with eDiscovery solutions to mine and access the data of custodians and access their data by using WebDAV protocol. For more information, see eDiscovery Software Integration.

  • You can also utilize the############{{legalhold}}APIand Direct Download Utility capabilities to bulk download files of required users for further processing.

Data Breach Detection and Reporting

GDPR mandates businesses to maintain tamper-proof records of activities and be able to furnish it to the supervisory authority on request. inSync can be configured to record activities of administrators and users using the Audit trails.

inSync provides an extensive set of Events API that can be integrated with any third party SIEM tool. The alerts and events exported via the Event API help monitor inSync events, detect malicious activity through IP address logging, and take corrective actions on reported alerts and failures. For more information, see Events API to export inSync events.

inSync also provides the Unusual Data Activity3 report that lists the devices and Cloud App accounts that are detected for anomalous behavior. A device or a Cloud App account is flagged and listed in this report if trends such as a large number of files deleted are added, unwarranted modification or suspicious encryption of files are observed on the configured device or a Cloud App account. For more information, see Unusual Data Activity Report.


1Sensitive Data Governance is available with inSync Elite Plus subscription.

2inSync Data Governance and all the features described in this section are available with inSync Elite and Elite Plus subscription.

3Unusual Data Activity is available with inSync Elite Plus subscription.


Data Privacy and Disposition


📝 Note
Relevant GDPR Articles

  • Article 5- Principlesrelating to processing of personal data

  • Article 15- Right of access by the data subject

  • Article 17 - Right to erasure (‘right to be forgotten’)

  • Article 18- Right to restriction of processing

  • Article 20 - Right to data portability


Search and Manage Snapshots

Administrators can remove or delete the snapshots created by inSync after a successful backup, that contain the user personal data. The snapshot can be identified by looking into specific snapshot and downloading the files or folders before deleting the snapshot. For detailed instructions, see Delete Snapshots.

Search and Delete personal user data from inSync

Administrators can utilize the Federated Search capability to quickly find end-user files that contain personal data and delete the files in the user dataset to address Right to be Forgotten requirements.

Delete users from inSync

Administrators can delete the user data by deleting the user from inSync. All the user data backed up by inSync or shared with the other is deleted. For more information, see Delete Users in inSync.

Address subject access requests

inSync users can request administrators to view or access the data that is stored in inSync. Administrators or user themselves can access the required data or the entire data backed up by inSync to their devices.

  • Administrator triggered restore or download of user data

Administrators can trigger an on-demand data recovery or download of the data on the user devices. Based on the request, administrators can choose to do either do a single file recovery or download the entire snapshot on one or multiple devices. inSync users can view the data on their devices and take necessary action.

  • User-triggered restore of data

inSync users can access or download the desired data stored in inSync using the inSync Client or inSync Web. Administrators can choose to either do a single file recovery or download the entire snapshot on multiple devices.

  • Address “Right to Data Portability”

inSync users can request administrators export a copy of their data. User data can be transferred onto an individual’s electronic portable device. Administrators are requested to contact Druva Support for assistance with such requests.

Protect user data in different regions

Administrators can configure inSync to protect data of users to available storage locations based on the geographical location of the user.

When creating a user in inSync, an administrator can map a storage region to the user. All the user data is backed up to this storage location. For more information, see Change storage assigned to a user.

To configure multiple storage regions in your account, contact Support.

Did this answer your question?