GDPR FAQ
The General Data Protection Regulation (GDPR), the European Union’s privacy law, went into effect on May 25, 2018. To help address your questions about RxPhoto and the GDPR we have compiled this list of frequently asked questions. If you have further questions about RxPhoto and the GDPR, please contact your RxPhoto Sales representative.
“What is the GDPR?”
The General Data Protection Regulation (“GDPR”) is a European data protection law that has been in effect since May 25, 2018. It updates data privacy standards to address the growth in the creation and processing of personal data by today’s technology, including cloud services and social media, and pairs those standards with robust accountability requirements. In short, the GDPR requires organizations that process personal data to be accountable for it, through new requirements both for handling personal data and for documenting those practices. It also emphasizes increased transparency and choice for data subjects (i.e. the individuals described by personal data).
GDPR Preparation & Compliance
“Does RxPhoto adhere to requirements of the GDPR?”
RxPhoto is committed to protecting the documents and data provided by its customers and adheres to the requirements set forth in the GDPR in delivering its Signature service.
“How has RxPhoto prepared for the GDPR?”
Recognizing the impact of the GDPR, RxPhoto assembled a team of experts to lead its compliance program. RxPhoto closely reviewed the GDPR (including regulator interpretations) and Binding Corporate Rules (BCR), as well as its existing common control framework, to identify changes or improvements needed in RxPhoto’s data protection program. Teams composed of individuals from IT, Product, Legal and Compliance have been engaged to draft policies, standards and procedures, or to develop changes to the features or functionality of the RxPhoto Signature service.
In complying with the GDPR, RxPhoto builds on a strong compliance culture and a history of compliance with stringent security standards, including:
Encryption: All data submitted by customers when using the RxPhoto service is automatically encrypted with AES using a 256-bit key, or an algorithm of equivalent strength.
Data transfers: Neither Europe’s former Data Protection Directive nor the GDPR prohibits transfers of personal data outside of the European Economic Area (EEA), but an organization must satisfy certain requirements to do so lawfully. The European Commission has identified defined mechanisms as ‘appropriate safeguards’ for personal data transferred outside of the EU, including Binding Corporate Rules (BCR). Currently, data processed by RxPhoto for customers in the EEA is stored in RxPhoto’s data center in Europe.
“Can RxPhoto offer GDPR terms in its contracts with customers?”
RxPhoto provides customers with additional data processing terms as required under the GDPR, including the obligation to secure equivalent protections from any subprocessor.
“Does RxPhoto offer data residency in the EU?”
While the GDPR does not require data residency, RxPhoto ensures that all eDocuments in an account are physically stored in the geographic region where the customer’s account is located (for accounts in the U.S. or Europe). For example, if a customer’s account is in the EU, the customer’s eDocuments are also stored in the EU.
The GDPR does not require that personal data of EU citizens and residents be stored only within the EU. Currently, user data, which includes personal data, is replicated across the globe to support global use of the Signature service, while eDocuments themselves remain in the account’s region as described above. RxPhoto’s product roadmap includes a new approach to accessing the Signature service that will limit replication of personal data across the globe.
Data Deletion & Retention
“What is RxPhoto’s ‘Right to be Forgotten’ process and how long does it take to respond?”
RxPhoto customers determine their account’s retention policies. Once an eDocument or its envelope is purged under that policy, it is also purged on a near real-time basis from the active sites. Customers are also free to purge their eDocuments at any time and can use the API to verify that a purge has completed.
“If I purge my envelopes, what data is retained?”
Envelope purging permanently removes documents and their field data from completed and voided envelopes after a specified retention period. If a customer purges the envelopes sent from their account, RxPhoto retains the audit log data (which includes the Certificate of Completion (CoC) and envelope history) so that RxPhoto can attest to the details of a transaction. Customers view this behavior as a valuable feature that allows RxPhoto to serve as a virtual witness.
Audit log data may include:
- Envelope addressing information, including sender and signer(s)
- Envelope history
- Specific envelope transaction information, such as:
  - IP addresses
  - Date/time of signing
  - Authentication methods used by recipients
RxPhoto provides a feature that, when enabled, allows customer administrators to redact personal data from the audit log as part of the purge process. More information on the Redact Personal Data feature can be found in the RxPhoto Support pages.
Data Access
“Will RxPhoto employees have access to our data and what data will they have access to?”
The segmentation and systematic encryption (with key escrow management) employed by RxPhoto do not allow RxPhoto personnel to view or read eDocuments sent through the RxPhoto Signature service for electronic signature. Only select RxPhoto employees (based on role and responsibility) with a demonstrated need to know have access to the transactional data surrounding envelopes, and these employees cannot generate or extract reports on that data.
Such transactional data includes:
- Username
- Phone number
- Envelope metadata
- Email address
- Authentication method
- Envelope history
- Address
- Envelope subject
RxPhoto’s logical access authorization chain for employees requires direct manager approval, approval from the application or data source owner and, for sensitive applications and data sources, security management approval. Access to critical applications and data sources is removed at employee termination and is reviewed at least quarterly to verify that access levels remain appropriate and current. RxPhoto is ISO 27001 certified and maintains formal policies and procedures, including the RxPhoto Access Control Standard.
RxPhoto enforces the principle of least privilege and has documented segregation of duties, including formal logical and account separation of the development, QA and production environments.
Data Transfers
“How will RxPhoto manage data transfers under the GDPR?”
Neither Europe’s former Data Protection Directive nor the GDPR prohibits transfers of personal data outside of the European Economic Area (EEA), but an organization must satisfy certain requirements to do so lawfully. The European Commission has identified defined mechanisms as ‘appropriate safeguards’ for personal data transferred outside of the EU, including Binding Corporate Rules (BCR). RxPhoto meets the GDPR safeguard requirements in its roles as both a data controller and a data processor.
Breach Response
“How does RxPhoto inform data breaches under the GDPR?”
As required by GDPR Article 33(2), the processor (RxPhoto) shall notify the controller (the Subscriber) “without undue delay” after becoming aware of a personal data breach. Prompt processor notice matters because the controller’s own obligation under Article 33(1) to notify the supervisory authority runs, where feasible, within 72 hours of the controller becoming aware. Unless notification is delayed by the actions or demands of a law enforcement agency, RxPhoto shall report to the Customer any unlawful access to, or unauthorized acquisition, use or disclosure of, Customer Data persisted in RxPhoto Signature (a “Data Breach”) following RxPhoto’s determination that a Data Breach has occurred.
In the event of a breach requiring notification to customers, RxPhoto will identify one or more methods of communication to efficiently alert affected customers. RxPhoto’s Security and Data Breach Policy can be found at https://www.rxphoto.com/gdpr/security_policy/
Privacy Notices
“Do you have a documented Data Privacy and Security Policy which is in compliance with GDPR?”
Our privacy policy, updated for the GDPR, is available at https://www.RxPhoto.com/gdpr/privacy. We have also developed internal personal data protection policies based on privacy principles drawn from several international privacy regimes, including the GDPR.
Training and Awareness
“Do RxPhoto employees undergo mandatory Data Protection (GDPR) & Data Security Training?”
RxPhoto has developed annual GDPR training and security training that is mandatory for all employees, and completion is tracked. RxPhoto also provides periodic privacy and security communications that reinforce data privacy and data security best practices for employees.
Privacy by Design
“Does RxPhoto comply with data protection by design and by default principles in the design and development of its services?”
RxPhoto’s Product and Engineering teams collaborate with our legal privacy leads (individuals with privacy certifications and extensive data privacy experience) to assess and mitigate potential privacy risks during each phase of product development, from concept through requirements gathering and implementation. This collaboration typically takes the form of regular meetings in which the teams work together to develop products and services that meet or exceed applicable data privacy requirements.
“Does RxPhoto conduct Privacy Impact Assessments to identify and minimize the privacy risks of new projects?”
RxPhoto’s privacy professionals assess a variety of activities involving personal data for risk and frequently recommend how to reduce any risks identified. Where such an assessment identifies a high risk, RxPhoto conducts a full Data Protection Impact Assessment, as GDPR Article 35 requires.
Subcontractors / Subprocessors
“How does RxPhoto govern subprocessors?”
RxPhoto provides customers with additional data processing terms as required under the GDPR, including the obligation to secure similar protections from any subprocessor. RxPhoto maintains a list of the subprocessors it employs, including the activities and services each performs and the countries in which they are located.