Organizations want to adopt best practices around data that are aligned with the risk management approaches they already have in place. With increasing complexity around privacy and data security, it is necessary to gain a deep understanding of the strategic directions adopted at some of the leading organizations in India. With this intent, the Privacy Mode Fellowship programme was put together to work with practitioners who document easily adopted practices that are flexible and based on well-understood design principles. The Best Practices Guides provide a quick introduction to some of the topics that receive a lot of attention.
The Privacy Mode Fellowship programme considered the following themes while publishing the Call for Submissions:
- Data protection/security practices.
- Consent frameworks tied to purpose use limitations.
- Data rights.
- Encryption practices.
- Ankita Roychoudhury and Yashodhara Shukla, Frappe Technologies Private Ltd.
- Pratyush Pullela, Doosra, Ten20 Infomedia Pvt. Ltd.
- Rohan Verma, Zerodha Broking Ltd.
- Sathish KS, Zeotap
The following abstracts provide an insight into the topics covered by them. The abstracts are linked to the complete reports:
- Frappe: GDPR Compliance for ERP
- Doosra: Protecting your mobile number
- Zerodha: Data protection, security and privacy practices
- Zeotap: Privacy in Data as a Service (DaaS) business
- Anwesha Sen - Programme Coordinator
- S Kannan - Technical Writer
- Anish T P - Illustrations
- Stephanie Browne - Product Support
- David Timethy - Administration
1. [Uzma Barlaskar](https://www.linkedin.com/in/uzmabarlaskar/), Head of privacy and growth at WhatsApp.
2. [Anand Venkatanarayanan](https://twitter.com/iam_anandv), Independent cybersecurity researcher.
3. [Sankarshan Mukhopadhyay](https://www.linkedin.com/in/sankarshan/), Editor at Privacy Mode.
Frappe: GDPR Compliance for ERP
Frappe is a Software as a Service (SaaS) company in the Enterprise Resource Planning (ERP) domain, and it also provides hosting services through its Frappe Cloud product. It handles sensitive information of businesses, including company documents, financial records, accounting statements, employee details, assets, etc. In order to serve its EU customers, Frappe is mandated to be GDPR compliant.
It has adopted International Organisation for Standardization (ISO) standards, in particular ISO 27001, to meet the technical and security requirements. With a strict password management policy and a data access control policy, it is able to restrict access to data within the organization. The Data Portability implementation enables customers to migrate smoothly between the Frappe Cloud environment and self-hosted instances.
Frappe offers Software as a Service (SaaS) in the domain of Enterprise Resource Planning (ERP), along with hosting services. It has its own product called Frappe Cloud, which holds large amounts of sensitive personal data of organisations, including company internal documents, financial statements, accounting records, etc. Frappe personnel in India require access to this data in order to provide services to its customers. In order to cater to the European Union (EU), Frappe needs to be GDPR compliant while maintaining a robust and resilient privacy infrastructure.
Privacy is recognised as one of the most important fundamental rights under Article 21 of the Indian Constitution. The Personal Data Protection Bill, now known as the Data Protection Bill, derives inspiration from the General Data Protection Regulation (“GDPR”). The GDPR applies to companies that operate in the European Economic Area (“EEA”), that employ EU citizens, and, like Frappe, that engage with EU citizens. The two primary reasons that Frappe needs to be compliant with GDPR are as follows:
Frappe delivers software services through the Internet, and the volume of data processed is massive, and so are the privacy and security risks associated with it.
The processing of data on Frappe Cloud makes Frappe a Data Processor when operating on the customers’ instructions, and, with Frappe School, a Data Controller, since it decides the purposes and means of data processing.
A data access control policy document must be created internally which states that all sensitive information is protected using logical access controls to prevent unauthorised access, disclosure, modification, and deletion of information. Moreover, access to an organisation’s information systems and computing resources should be based on access privileges, for all employees and third parties. A half-yearly review of the privileged access given to users needs to be done by the Infrastructure team. Access to proprietary program source code should be restricted to privileged users only. A flow chart on the data access control policy in Frappe is given below:
Data portability is the act of ensuring smooth data transfers between different software applications, platforms, services, and computing environments, and also outside of the organisation. The Right to Data Portability is enshrined in Article 20 of the GDPR. The personal data needs to be made available to customers in a machine-readable format. Also, if customers are interested in migrating from a Frappe-hosted cloud instance to a self-hosted instance, the Right to Data Portability mandates that migration support be provided to the customer. Any such support requests raised by the user are addressed within 72 hours. Secure transfer methods and anonymisation/pseudonymisation of the data are implemented when transmitting personal data from one server to another.
Data retention refers to holding data and managing it for purposes that include compliance with legal requisites, managing financial records, making it accessible for the better provision of services, and other business-critical requirements. In order to make the practice of data storage and management as transparent, comprehensive, and dependable as is practically possible, we must know exactly what data is required to be retained, where it has to be retained, for how long it has to be retained, how it can be made accessible to the data owner or the relevant party, the procedure to be followed for such a request, the disposal of the data, and the authority responsible for such disposal, among other things. Customer data and information may be stored in locations across the world to ensure its reliability and availability.
A good Data Backup policy must enumerate the kinds of data that it stores, which may include photographs, configuration data, databases, websites, company documents and others, depending on the business of the organisation and its data dependencies. The policy must also describe how the organisation carries out backups and mandate regular upkeep of the backup mechanism to ensure that the data is intact. It is good practice to automate the backup process and run it periodically. The customer is also entitled to download their backups, and a user-friendly interface needs to be provided for this.
A good Log Management Policy helps to ensure the collection and preservation of security logs to detect and protect against unauthorised information processing activities. At Frappe, access to all customer sites and servers over SSH is logged in addition to application logs. The logs are retained for the appropriate duration, and the application logs are rotated based on log size.
Frappe has adopted International Organisation for Standardization (ISO) standards to meet the technical and security standards under GDPR. It is compliant with ISO 27001, and has drafted Information Security Policies for security of financial accounts, employee details, third parties, and assets. There are 114 ISO 27001 Annex A controls, divided into 14 categories.
In furtherance of ISO 27001, a Password Management Policy Document that describes the guidelines to be followed to ensure password security has been created. The following guidelines are used when creating a new password:
1. It shall be at least 10 characters long.
2. It shall consist of alphanumeric and special characters.
3. For desktops, laptops and online services (Gmail, AWS etc), it shall be a combination of all the following four elements:
a. One upper case letter (A – Z)
b. One lower case letter (a – z)
c. One digit (0 – 9)
d. One special character (@, ~, !, etc.)
Passwords for Frappe-based sites should be long passphrases of three to four unrelated words with random capitalisation and numbers. User accounts shall be locked after three incorrect login attempts. A password-enabled screen saver shall be activated on all desktops and laptops after an inactivity period of 10 minutes. Password expiry is set to 90 days.
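The composition, lockout and expiry rules above, written as an added example (not Frappe's own code) that a service could run at password-set and login time; the set of "special characters" and the `LoginGuard` helper are assumptions, and the passphrase rule for Frappe-based sites is left to human judgement rather than checked mechanically.

```python
from typing import Dict, List, Set

MIN_LENGTH = 10          # at least 10 characters
MAX_FAILED_ATTEMPTS = 3  # lock after three incorrect logins
EXPIRY_DAYS = 90         # password expiry
# "@, ~, !, etc." in the policy; the exact set is an assumption for this example
SPECIAL = set("@~!#$%^&*()-_=+[]{};:'\",.<>?/\\|`")


def check_password_policy(password: str) -> List[str]:
    """Return the rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter (A-Z)")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter (a-z)")
    if not any(c.isdigit() for c in password):
        problems.append("no digit (0-9)")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    return problems


def password_expired(age_days: int) -> bool:
    """True once the password is EXPIRY_DAYS old and must be rotated."""
    return age_days >= EXPIRY_DAYS


class LoginGuard:
    """Count consecutive failed logins per user and lock after MAX_FAILED_ATTEMPTS."""

    def __init__(self) -> None:
        self.failed: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def record_attempt(self, user: str, success: bool) -> bool:
        """Record one login attempt; return True if the account is (now) locked."""
        if user in self.locked:
            return True  # stays locked until an administrator unlocks it
        if success:
            self.failed[user] = 0  # a good login resets the counter
            return False
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)
            return True
        return False

    def unlock(self, user: str) -> None:
        """Administrative reset after the user's identity has been verified."""
        self.locked.discard(user)
        self.failed[user] = 0
```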
1. Strictly Necessary Cookies/ Functional Cookies
2. Performance-Based Cookies
4. Marketing Cookies
At this time, all offsite backups are stored in India, since Frappe is based in India. It is subject to Indian laws and regulations, including but not limited to the possibility of requests for access to data by law enforcement authorities. As part of the backup policy, Frappe has automated backups of customer sites every six hours.
As part of offsite backups, one out of every four automated backups is stored offsite, which means the files are stored on a different server than the site. This ensures that customers can access their backups even in the unfortunate event of server downtime. The customer can also trigger a manual backup operation for their site at any time. The frequency of automated backups is: 7 times daily, 4 times weekly, 12 times monthly, and 10 times yearly. Weekly backups are taken every Sunday. Monthly backups are taken on the first day of the month. Yearly backups are taken on the first day of the year.
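The backup schedule described above, worked through as an added example (not Frappe Cloud's own code) that decides which six-hourly backups to keep: it assumes the 7/4/12/10 figures are how many backups of each tier are retained, and that the 00:00 run is the one-in-four copy that goes offsite and therefore the one promoted to the daily, weekly, monthly and yearly tiers; the sample history is constructed.

```python
from datetime import datetime, timedelta
from typing import Iterable, List, Set, Tuple

# Counts from the report (assumed here to mean how many backups of each tier are kept).
RETENTION = {"daily": 7, "weekly": 4, "monthly": 12, "yearly": 10}


def is_offsite_copy(ts: datetime) -> bool:
    """One in four six-hourly backups goes offsite; assumed here to be the 00:00 run."""
    return ts.hour == 0


def select_retained(backups: Iterable[datetime]) -> Set[datetime]:
    """Backups surviving the 7-daily / 4-weekly / 12-monthly / 10-yearly schedule.

    Weekly slots are Sundays, monthly slots the 1st, yearly slots 1 January. The first
    backup of each day represents that day; a backup is kept if any tier claims it.
    """
    first_of_day = {}
    for ts in backups:
        d = ts.date()
        if d not in first_of_day or ts < first_of_day[d]:
            first_of_day[d] = ts

    def newest(day_filter, limit):
        days = sorted((d for d in first_of_day if day_filter(d)), reverse=True)
        return {first_of_day[d] for d in days[:limit]}

    keep = newest(lambda d: True, RETENTION["daily"])
    keep |= newest(lambda d: d.weekday() == 6, RETENTION["weekly"])             # Sunday
    keep |= newest(lambda d: d.day == 1, RETENTION["monthly"])                  # 1st of month
    keep |= newest(lambda d: d.month == 1 and d.day == 1, RETENTION["yearly"])  # 1 January
    return keep


def six_hourly_backups(start: datetime, end: datetime) -> List[datetime]:
    """Constructed sample: one automated backup every six hours from start to end."""
    out, ts = [], start
    while ts <= end:
        out.append(ts)
        ts += timedelta(hours=6)
    return out


def run_sample() -> Tuple[int, List[str]]:
    """Prune a constructed 14.5-month history; returns (backups taken, kept as ISO strings)."""
    taken = six_hourly_backups(datetime(2023, 1, 1), datetime(2024, 3, 15, 18))
    return len(taken), sorted(t.isoformat() for t in select_retained(taken))


if __name__ == "__main__":
    total, kept = run_sample()
    print(f"{total} backups taken, {len(kept)} retained:", *kept, sep="\n")
```

Because the tiers overlap (a Sunday within the last week counts as both daily and weekly), the sample keeps 23 backups out of 1760, all of them the offsite 00:00 copies.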
The procedures and methodologies adopted for Frappe’s two celebrated verticals, Frappe School and Frappe Cloud, have helped them accomplish GDPR compliance.
As a company that offers software as a service and distributes open source software, Frappe has to collect personal data to carry out its business transactions. Thus, it becomes pertinent to have privacy procedures in place that help protect the personal data entrusted to it by its users, in its capacity as a Data Controller and/or Data Processor. A robust and resilient privacy infrastructure has not only contributed to the growth in customers’ trust in its products, but has also greatly contributed to building a sound reputation globally, leading to an increase in its customer base in the EU region and in other geographies.