GDPR

1. Overview

At Sherweb, we have always honored our users’ right to data privacy and protection. Sherweb supports over 40,000 customers in over 100 countries and territories. The success of our company builds on the trust that our customers have in our ability to protect and secure their data. Over the years, we have demonstrated our commitment to data privacy and protection.

Sherweb helps customers maintain control of their privacy and data security in a myriad of ways.

Data security

  • We provide our customers compliance with high security standards, such as encryption of data in motion over public networks, auditing standards (SOC2 and PCI-DSS), Distributed Denial of Service (“DDoS”) mitigations, and a Support team that is on call 24/7.
  • We use third-party equipment and components from market-leading vendors such as Dell, Compellent, Cisco, Check Point, and Fortinet.
  • Sherweb also protects your data against loss with its backup technology. This includes online backup to SAN, daily backup, weekly backup, and SAN-to-SAN offsite replication.
  • Background checks are performed on new employees, who are also required to review and acknowledge their receipt of relevant security policies.
  • Sherweb’s security administration team uses a variety of security utilities to identify and detect possible security threats and incidents. These utilities include, but are not limited to, firewall notifications, IDS or IPS alerts, vulnerability assessment reports, and operating system event logs. These alerts and notifications are reviewed daily by the security administration team.

Disclosure of customer data

  • Sherweb only discloses Service Data to third parties where disclosure is necessary to provide services, or as required by lawful requests from public authorities.
  • All Sherweb employees have to sign a non-disclosure agreement (NDA) before being granted access to Service Data.

Trust

Sherweb has developed security protections and control processes to help ensure a secure environment for its customers’ information. Independent auditors have confirmed Sherweb’s adherence to high industry standards. Sherweb’s SOC2 report and PCI-DSS AoC are available upon request.

Access management

  • Sherweb provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining, and improving our services, and as otherwise required by law.
  • Sherweb has implemented role-based security to limit and control access. Employees are granted logical and physical access to in-scope systems based on documented approvals by the appropriate management personnel. Sherweb’s employees are approved for access by an authorized administrator. The ability to create or modify user access accounts and user access privileges is limited to authorized personnel only. User access is reviewed annually or as needed to verify whether access is necessary for individual job functions and to identify the existence of any inappropriate accounts or access.
  • Unique user identification numbers, names, and passwords are required to authenticate all users to systems and servers.

Data location

  • Sherweb’s data centers are located in Canada and the USA. Your data location is chosen by you when you provision our services for the first time.
  • Sherweb relies on its data center contracted operators to implement industry standard controls regarding the physical and environmental security of the servers and network environments used by Sherweb. These controls include, but are not limited to, monitoring by video surveillance and on-site personnel, access control systems, uninterruptable power supplies, air conditioning, fire detection and suppression, and environmental monitoring and alert notification. Sherweb’s data center contracted operators all provide independent audit compliance reports regarding these controls.
  • Sherweb’s data centers are comprised entirely of carrier-class network hardware, featuring redundancy at multiple layers. These data centers are equipped with fully redundant 1 or 10 gigabit Internet connections. Multiple routers and switches are configured at the hardware layer in parallel with dynamic routing and switching to provide automated failover in the event of hardware, software, or link failure.

2. What is the GDPR?

The General Data Protection Regulation (“GDPR”) is a European privacy regulation that replaced the EU Data Protection Directive (“Directive 95/46/EC”). The GDPR aims to strengthen the security and protection of personal data in the EU and affects all organizations, government agencies, and companies throughout the world that collect or use personal data tied to EU residents.

3. When did the GDPR go into effect?

The GDPR became enforceable on 25 May 2018, after a two-year transition period.

4. To whom does the GDPR apply?

The GDPR applies not only to organizations located within the EU but also to organizations located outside of the EU that offer goods or services to, or monitor the behavior of, EU data subjects. In short, the GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. The GDPR defines personal data as any information relating to an identified or identifiable natural person. This is a broad definition and includes data that is obviously personal (such as an individual’s name or contact details) as well as data that can be used to identify an individual indirectly (such as an individual’s IP address).

5. What is Sherweb’s approach to GDPR compliance?

We support the GDPR and will ensure all Sherweb services comply with the GDPR. We have thoroughly analyzed GDPR requirements and have put in place a dedicated internal team of crossfunctional stakeholders overseeing Sherweb’s GDPR readiness. As a data processor, Sherweb understands its obligation to assist its customers in meeting GDPR obligations.

6. What is Sherweb’s role under the GDPR?

We act as both a data processor and a data controller under the GDPR.

We act as a data processor when we process personal data on behalf of our customers in the provision of our services. This means we will, in addition to complying with our customers’ instructions, need to comply with the legal obligations that apply directly to processors under the GDPR.

We act as a data controller when we collect information from our customers for account management purposes or to send communications to our customers regarding our products and services. This information includes data such as a customer’s name and email address.

7. What is the customer’s role under the GDPR?

In the context of Sherweb’s services, our customers are data controllers. As such, customers bear the primary responsibility of ensuring that the processing of personal data complies with the GDPR. Without limiting the generality of the foregoing, Sherweb customers are responsible for obtaining necessary consents from data subjects and informing data subjects of processing activities conducted by Sherweb in the context of its services, for establishing policies, and for ensuring compliance with all applicable laws and regulations, as well as any and all privacy policies, agreements, or other obligations relating to the collection of personal data in connection with the use of our services by data subjects with whom Sherweb customers interact.

8. What have we done to comply with the GDPR?

Sherweb has taken a number of steps to ensure that it is GDPR compliant. These are summarized below.

  • Data mapping: Sherweb has reviewed where and how its relevant services process personal data and maintains internal records of all its data processing activities.
  • Gap analysis: We have conducted an extensive analysis of our operations to ensure we comply with the requirements of the GDPR. We have reviewed our products and services, customer terms, privacy notices, and arrangements with third parties for compliance with the GDPR.
  • Transparency: Sherweb has developed terms of services, a Privacy Notice, and a Service Data Privacy Statement, which transparently and accurately describes its personal data processing activities. These legal documents, which are located here, describe the processing of personal data relating to the users of Sherweb’s services. These documents have been updated to comply with the GDPR requirements.
  • Contractual commitments: Sherweb has reviewed and updated its contractual commitments to address GDPR requirements. We have prepared a Data Processing Agreement, which is available upon request, with provisions to assist our customers with their GDPR compliance. Sherweb has also reviewed its supplier contracts to ensure GDPR compliance throughout its supply chain, including cross-border data transfer requirements.
  • Enhancing data integrity and security: Based on information gathered through data mapping, Sherweb has added new systems to its internal access review process. Additionally, Sherweb’s privacy and security awareness program has been enhanced to include information relating to the GDPR, and all Sherweb employees have been trained on the GDPR regulations.
  • Data breach notification: Internal processes have been reviewed to ensure that Sherweb will notify its customers without undue delay after having become aware of a data breach.
  • Implement processes to accommodate the rights of data subjects: Sherweb support is happy to help answer any requests it may receive from customers regarding requests from data subjects about their rights under the GDPR.

9. Does Sherweb offer a Data Processing Agreement?

Customers subject to the GDPR who are required to enter into a Data Processing Agreement with Sherweb may send a request to execute the Provider’s DPA to privacy@sherweb.com.

10. Where is the service data located?

Service data hosted by Sherweb is located on servers in data centers in the United States and Canada. The default location of service data is based on the customer’s location and can be modified by the customer once the services are provisioned, subject to applicable fees.

If a customer subscribes to, purchases, enables, or engages with third-party services through Sherweb (e.g., Microsoft 365, Dynamics, etc.), the service data may be hosted by the related third-party provider. In such a case, Sherweb is not responsible or liable for the processing activities conducted by such a third-party provider and has no control over the location of the service data collected by the third-party provider. In the context of third-party services, the location of service data depends entirely on the service, and information can be provided by Sherweb upon request.

11. Is Sherweb certified under the EU-US Privacy Shield?

Sherweb is not certified under the EU-US Privacy Shield, mainly because Sherweb is a Canadian company, and Canada benefits from an adequacy decision issued by the European Commission.

12. What safeguards does Sherweb offer regarding the transfer of personal data of EU individuals to the United States?

Sherweb relies on the Standard Contractual Clauses for cross-border transfer of personal data. The Standard Contractual Clauses constitute appropriate safeguards under Article 46 of the GDPR and have the same effect as the EU-US Privacy Shield, which is to allow you to transfer personal data related to European end users to a third country. These standard contract clauses can be found at the following site and can be added to the Data Processing Agreement: https://ec.europa.eu/info/law/law-topic/data-protection_en.

13. What safeguards does Sherweb offer regarding the transfer of personal data of EU individuals to Canada?

Cross-border data transfers to a recipient in a third country may take place without the need to obtain any further authorization, if the European Commission has decided that such third country ensures an adequate level of data protection. The basis for this principle is that such jurisdictions provide sufficient protection for the rights and freedoms of data subjects without the need for further safeguards. In December 2001, Canada achieved adequacy status for transfers from the EU to Canada of personal data subject to the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA).

14. Contact

Any GDPR-related questions can be addressed to Sherweb’s Compliance Manager at privacy@sherweb.com.