Personal Data Compliance
Fastpath and Privacy Information Compliance FAQ
Fastpath Assure is a cloud-based risk and compliance management platform designed to help companies achieve process efficiency, reduced costs, and enhanced control over their fraud, auditing, and compliance efforts.
Fastpath takes compliance with privacy regulations and standards, like GDPR and CCPA, very seriously. This FAQ will help all stakeholders of Fastpath – vendors, customers, partners, and end-users – better understand the actions Fastpath has taken, as a provider of cloud-based solutions, to address questions you may have regarding Fastpath and data privacy regulatory compliance. This FAQ will also help readers understand Fastpath’s general approach to other regulations and standards. We encourage all customers and prospects to evaluate their compliance with such regulations and make sure their software vendors have taken appropriate steps to ensure personal data privacy and security in the solutions they deploy. Many of the questions represented here are questions that should be asked of any software vendor, Fastpath included. Our goal at Fastpath is to support each customer as if they are our only customer, particularly in critical areas like GDPR or other regulations where Fastpath may be a part of the customer's controls to address the requirements of such regulations.
What is GDPR?
The General Data Protection Regulation (GDPR) is a law that establishes guidelines for collecting and processing the personal information of European Union (EU) citizens, regardless of where they are located or where the company that stores their data is located.
What is CCPA?
The California Consumer Privacy Act (CCPA) is similar in many respects to GDPR. It gives California residents the right to view, delete, and restrict the use of their personal information collected by companies. Although we focus here primarily on GDPR, this information also applies to the corresponding sections of the CCPA.
Who has the responsibility for ensuring GDPR compliance?
Several definitions apply to the parties responsible for GDPR compliance:
- Controller – The GDPR defines a Controller as the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of personal data processing. Controllers make decisions about processing activities. Fastpath Customers are Controllers. They decide where personal data obtained by their systems is located and how it is inventoried (for example, through Data Protection Impact Assessment, or DPIA, inventory exercises) and establish the different risk levels for the data elements inventoried.
- Data Processor – A Data Processor will act on behalf of the Controller. Data Processors only operate via instructions from the Controller. Fastpath is the Data Processor that provides an application for the Customer (the “Controller”) to manage access to data that resides on the Controller’s business systems. However, that use is determined by instructions and decisions made by the Controller. Fastpath exercises no control over how a Customer uses Fastpath, including how personal data is processed or how the Controller decides to review user access and changes to personal data using Fastpath.
- Sub-Processor – A Data Processor can engage "another processor," also called a "Sub-Processor" or a "Level 2 Processor". Fastpath engages Microsoft as a Sub-Processor to host its solution and any associated data in the cloud using Microsoft Azure Data Centers. Microsoft, not Fastpath, provides the appropriate primary controls in its Data Centers to keep Fastpath Customer data secure from a privacy perspective. Customer data physically resides in the Microsoft Azure Data Centers and not on Fastpath hardware.
With the foregoing in mind:
Fastpath Customers are responsible for identifying their responsibilities regarding their clients' personal data and placing controls around that data to ensure compliance with the articles of GDPR. Fastpath does provide solutions to assist the Customer in GDPR compliance (Segregation of Duties, Access Reviews, Access Certifications, and Audit Trail), but the application of these modules is controlled by the Fastpath Customer, as the Controller, and not Fastpath.
Does Fastpath store or use personal data collected by their customers?
Fastpath does not have physical access to Customer data. Fastpath relies on the Platform as a Service (PaaS) offering from Microsoft Azure to complement the Software as a Service (SaaS) solution Fastpath provides to their Customers. Fastpath cannot copy or access any Customer data and has no logins into the Customer environment. The only access Fastpath has for its Customers is through an Azure administrative account to initially provision the Customer's application.
What controls or policies does Fastpath have in place to ensure GDPR compliance?
Fastpath has engaged Microsoft to host their solutions, and these solutions may contain Customer data. As a Sub-Processor to Fastpath, Microsoft is responsible for the controls around any personal data obtained by Fastpath Customers since this data resides on Microsoft hardware.
Fastpath conducts annual reviews of the Microsoft Azure System and Organization Controls (SOC) reports to ensure the controls Microsoft has in place are adequate and functioning as designed. Fastpath performs annual reviews of the SOC 1 and SOC 2 reports for Microsoft's Azure datacenters in the US, UK, Germany, Canada, and Australia.
A SOC 1 report determines whether an organization has the appropriate controls in place related to financial transaction processing and financial reporting. A SOC 2 examination reviews the controls in place for managing Customer data based on criteria the American Institute of Certified Public Accountants (AICPA) has developed around security, availability, processing integrity, confidentiality, and privacy.
Fastpath has taken the additional step to have SOC 1 and SOC 2 examinations conducted annually of the Fastpath Assure cloud platform, even though no Customer data resides on Fastpath hardware or facilities. These reviews cover the processes Fastpath has internally for their operations, including application development, backup and recovery, change management, and other areas defined in the SOC 1 and SOC 2 review criteria from the AICPA.
What personal information does Fastpath have access to?
Fastpath is used by its clients to verify whether certain users should have access to view or edit specific fields in the client's business software. Fastpath does not typically read the values of those fields, only whether a user has access to them. As a general rule, Fastpath is only concerned with user access to the Customer's business system, so the only personal information that Fastpath would typically access is that of the Fastpath Customer's staff, and it is limited to first name, last name, email address, login/UserID, and job title. The Fastpath Separation of Duties (SOD), Access Review, and Access Certification functions fall into this area.
A possible exception is related to the Fastpath Audit Trail function, which records changes made to values within a business application. A Customer could choose to track changes made by their staff to high-risk information data fields, such as SSN, credit card numbers, passport numbers, etc., using the Audit Trail product. Fastpath does not govern which fields a Customer decides to track with Audit Trail.
Will Fastpath data reside in the EU or any other countries other than the USA?
Data processing is typically performed at an Azure datacenter in the US. Data, if it is stored anywhere, can be stored in a different geographical datacenter (UK, Germany, Australia, etc.) as needed.
Fastpath's Audit Trail product retains information on data changes for auditing purposes. The before and after snapshots are retained in the Customer's environment (ERP, CRM, etc.) and not on Azure. The only exception to this is Fastpath Audit Trail for NetSuite, which stores its data in an Azure Data Center.
Does Fastpath ever download customer data? If so, what controls does Fastpath have in place to destroy that data?
Fastpath never downloads or has physical access to customer data.
What has Fastpath done to ensure my company's data remains secure and private when using Fastpath?
Fastpath does not have control over how a Customer implements Fastpath. Instead, the Customer makes the decisions governing the setup, configuration, and data management of Fastpath. Therefore, Fastpath does not guarantee that it will address a given Customer's GDPR needs since Fastpath does not verify the Customer implementation of Fastpath in accordance with GDPR.
However, Fastpath tools are designed to provide appropriate controls around monitoring and reporting user access and data changes. In addition, Fastpath relies on Microsoft, as a Sub-Processor, to have the appropriate controls to ensure the security and privacy of a Customer's data. If implemented correctly, Fastpath should give the Customer the desired controls in this area. However, monitoring user access and data changes is only a small part of GDPR compliance.
How can Fastpath help with my company's GDPR efforts?
GDPR is a complex regulation with 99 Articles organized into 11 Chapters, 173 Recitals, and the 8 "Rights" that drive much of what companies put in place around GDPR. There is much more to GDPR than just who has access to personal data and what they might be doing with that access. No software product will "make you compliant". Compliance with any regulation or standard (GDPR, CCPA, SOX, HIPAA, etc.) involves people, process, and technology. Only when all three work together correctly is it possible to achieve compliance success. Fastpath provides technical tools to address specific access requirements outlined in GDPR, but there are many additional areas of GDPR where the Customer (as the Controller) must implement processes and controls themselves to meet all the requirements of the regulation.
Questions to ask your cloud provider
As you move your business applications to the cloud, here are some questions that you should ask your cloud provider:
Q: Who owns the security controls?
Cloud providers stake their business on providing security for your data and maintaining advanced threat detection tools. However, some controls will remain your responsibility on the application side. Ask your hosting provider and/or software vendor to help you understand your responsibilities for running your application in the cloud. The Shared Responsibility Model and Complementary User Entity Controls sections of SOC reports are also great places to start that discussion.
Fastpath’s response: The customer still owns the responsibility for assigning users and their access rights to data that resides in Fastpath. Fastpath does not have direct access to customer data or have logins to the customer’s Fastpath Azure instance. Application-related controls, such as user access and user provisioning, are the responsibility of the customer.
Q: Does the host provider have a SOC report?
System and Organization Controls (SOC) reports are reviews based on guidance from the AICPA concerning system integrity and availability, security, change management, and physical security. These reviews cover responsibilities that were formerly handled on premises but are now managed by the cloud provider and the software vendor.
A SOC 1 report focuses on the service organization's controls that would affect an audit of the customer's financial statements. In contrast, a SOC 2 report focuses on controls that affect operations and compliance, including security, confidentiality, trust, and privacy.
Fastpath’s response: Fastpath takes compliance, security, and privacy seriously. As such, we have SOC 1 and SOC 2 Type 2 examinations conducted of our Fastpath Assure cloud platform annually. Customers can be confident that the controls Fastpath has in place are operating as designed, providing a sound platform for customers to process, analyze, and report on their security data through Fastpath. The Fastpath Assure cloud platform resides on Microsoft Azure (in most cases, specifically on the Azure Central Data Center outside of Chicago, Illinois). Microsoft has state-of-the-art controls in place at its Data Centers, and these controls are reviewed annually via SOC 1 and SOC 2 Type 2 examinations that Microsoft has conducted by the accounting firm Deloitte. As part of its own internal controls, Fastpath reviews the Microsoft Azure SOC reports to ensure the controls are indeed operating as designed and are providing the appropriate procedures around security, privacy, trust, and other areas.
Q: How often is the code updated by the software vendor? And are there scheduled downtimes?
Software updates contain new features, bug fixes, and security patches. Knowing that software is routinely updated as new releases are available ensures you are using the latest, most secure version. Cloud providers and software vendors will typically schedule a window of time when the system will be unavailable to allow them time to install these updates. Knowing when this downtime will occur and how long the downtime is expected to last is especially critical for companies with global operations, 24x7 uptime requirements, or privacy considerations.
Fastpath’s response: Fastpath has quarterly major releases and monthly code updates. When releases occur, all Fastpath users are notified via email well in advance of the maintenance window during which Fastpath Assure will not be available. These windows usually require a one- to two-hour period on a Friday night (Central Time). In addition to the notification of the planned downtime, Fastpath users are provided a release notes document that explains the functionality updates included in the release.
Q: Where does my data physically reside? And do the hosting provider's procedures meet privacy regulations?
The answer to this question is important for fully understanding how an organization will handle data from your customers, since there can be severe penalties for violating the EU’s GDPR or the State of California's CCPA. Passing data between countries often falls under additional requirements outside of GDPR, and these additional requirements should be understood and followed by all parties: the cloud provider, the software vendor, and the customer.
Fastpath’s response: The Fastpath Assure cloud platform resides on Microsoft Azure. Microsoft has state-of-the-art controls in place at its Data Centers, and these controls are reviewed annually via SOC 1 and SOC 2 Type 2 examinations that Microsoft has conducted by the accounting firm Deloitte. In addition, Microsoft holds many certifications related to privacy, security, and compliance with various regulations and standards. Microsoft has controls in place to address the requirements of GDPR, CCPA, and many other privacy regulations.
Q: Do you, the Software Vendor, have access to my data?
It is critical that customers know who has access to their data, as well as whether the customer has the ability to review this access. Without controls around user access, there is a risk of inappropriate access to your data, which could increase the risk of fraud and/or present issues related to compliance with privacy regulations.
Fastpath’s response: Fastpath does not have direct access to customer data, nor does it have the ability to log into the customer’s Fastpath Assure instance. The Fastpath Assure cloud platform does provide robust user logging and user access reporting to allow customers to quickly identify who has access to their environments and what the users might be doing with that access.
Q: How often is business continuity/DRP (Disaster Recovery Plan) testing conducted of your solution and what is your RPO (Recovery Point Objective) and RTO (Recovery Time Objective)?
Customers cannot directly control the recovery of cloud-based software solutions, since, by definition, the application and data do not reside on their hardware. As such, it is critical to ask your software vendor about the policies, procedures, and testing they conduct around the recovery of their software and customer data if a problem occurs. Additionally, key metrics in this area, such as RPO and RTO, should be shared with the customer to verify these performance metrics meet the customer’s recovery requirements.
Fastpath’s response: Fastpath conducts annual business continuity and disaster recovery testing. These programs are also included in the scope of the SOC 1 and SOC 2 Type 2 examinations Fastpath has conducted every year. Additionally, Microsoft has a robust business continuity and disaster recovery plan to ensure it can quickly restore customer environments in Azure, including those of Fastpath customers, if an interruption to Azure occurs. Fastpath also has a stated RPO of one hour and an RTO of one minute.
Changes to this Statement
Fastpath will occasionally update this Personal Data Compliance page to reflect company and customer feedback. Fastpath encourages you to periodically review this page to be informed of how Fastpath is protecting your information.
Fastpath welcomes your comments regarding this Personal Data Compliance statement. If you believe that Fastpath has not adhered to this Statement, please contact Fastpath at email@example.com. We will use commercially reasonable efforts to promptly determine and remedy the problem. If you have a GDPR DSR request, please contact Fastpath at GDPR@gofastpath.com.