vMOX GENERAL DATA PROTECTION REGULATION Compliance

GDPR Frequently Asked Questions

What does vMOX do to secure client data?

vMOX utilizes best-in-class technology and organizational measures to secure client data and to ensure it complies with all applicable privacy laws. In particular, vMOX has undertaken the following measures in accordance with the GDPR and the Standard Contractual Clauses (SCCs).

  1. Measures of encryption of personal data
    vMOX has an encryption policy that maintains approved encryption algorithms. vMOX encrypts data in transit using TLS 1.2 with 256-bit encryption. vMOX encrypts data at rest using AES-GCM 256-bit encryption. All confidential and restricted data, including personal data, are encrypted using vMOX’s encryption standards.
  2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
    vMOX has an Information Security Program in place to ensure the ongoing confidentiality, integrity, availability, and resilience of the processing systems and services. vMOX’s information security management program (ISMP) is reviewed on an annual basis and updates are made to continuously strengthen the ISMP processes. vMOX’s dedicated regulatory compliance and information security team monitors and implements the ISMP. The ISMP is based on ISO 27001 to ensure data confidentiality, integrity, and availability. All data collected is only used for intended purposes.
  3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
    vMOX has backup procedures that specify how often data is backed up and how backups are maintained. In addition, vMOX’s business continuity and disaster recovery plans ensure backups are tested on a periodic basis.
  4. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
    Testing and monitoring are built into vMOX’s information security framework and controls are implemented based on the feedback received during the testing and monitoring process. vMOX has vulnerability management procedures that include scanning, monitoring, remediating, and mitigating vulnerabilities on a periodic basis.
  5. Measures for user identification and authorization
    Passwords, multifactor authentication, access controls, and access review and monitoring are implemented to maintain data credibility and integrity, while reducing the risk of security breaches.
  6. Measures for ensuring physical security of locations at which personal data are processed
    vMOX’s physical security policy, clean desk policy and data classification policy are employed to ensure security of personnel, information security assets, and data.
  7. Measures for ensuring events logging
    vMOX maintains logging procedures where all systems are centralized in a SIEM tool to ensure logs are captured and monitored.
  8. Measures for ensuring system configuration, including default configuration
    vMOX has hardening procedures to ensure systems are configured using security guidelines that are regularly reviewed and approved.
  9. Measures for ensuring data minimization
    vMOX only collects data that is essential to provide services. All data is held based on contractual and legal requirements.
  10. Measures for ensuring limited data retention
    vMOX has data classification and retention policies that require data to be retained based on contractual, legal, and regulatory obligations.
  11. Measures for ensuring accountability
    All vMOX employees are required to comply with vMOX’s acceptable use policy (AUP). Individuals who are noncompliant are held accountable by human resources. Owners are assigned to information systems and assets to ensure responsibility and accountability.
  12. Measures for allowing data portability and ensuring erasure
    vMOX’s data disposal policy requires data to be wiped before disposal.

How does vMOX import the data in accordance with GDPR standards?

The GDPR requires that, for personal data to be transferred from the EU to the US, a data transfer mechanism must be in place to ensure the personal data is adequately protected. vMOX relies on the EU-developed SCCs, which have been approved by the European Commission, as a satisfactory method of transfer. The SCCs comprise specific contractual obligations between vMOX and a discloser of personal data that are designed to provide legal protection for personal data when it is transferred outside of the EU.

What personal information will vMOX need in order to provide the services?

  • Name

  • Personal mobile numbers

  • Role

  • Personal addresses (on a case-by-case basis depending on the services)

What are vMOX’s privacy compliance obligations with respect to international transfers?

vMOX’s privacy policy addresses international transfers and can be found on our Privacy Policy page.

How does vMOX ensure compliance when it subcontracts contractual obligations to third parties?

By contract, vMOX’s subcontractors are subject to all the same compliance requirements as vMOX. In addition to the commercial agreements vMOX enters into with its subcontractors, vMOX enters into the SCCs to ensure there are back-to-back compliance obligations, together with indemnification rights, in the event the subcontractor breaches the contract.