Privacy Mode fellowship programme

Documenting privacy best practices in industry

S Kannan

Frappe: GDPR Compliance for ERP

Submitted Sep 8, 2022

Summary

Frappe is a Software as a Service (SaaS) company in the Enterprise Resource Planning (ERP) domain, and it also provides hosting services through its Frappe Cloud product. It handles sensitive information of businesses, including company documents, financial records, accounting statements, employee details and assets. In order to serve its EU customers, Frappe is mandated to be GDPR compliant.

It has adopted International Organisation for Standardization (ISO) standards, in particular ISO 27001, to meet the technical and security requirements. With a strict password management policy and a data access control policy, it is able to restrict access to data within the organisation. The Data Portability implementation enables customers to migrate smoothly between the Frappe Cloud environment and self-hosted instances.

The Privacy and Cookie policy is written in a clear and concise manner, and provides a simple interface for the user to manage cookie settings. The Log Management and Backup Policies conform to industry best practices. The Data Retention policy is enforced as required by law and for auditing purposes. These procedures and methodologies have helped grow their customer base while keeping them compliant with regulations.

Introduction

Frappe offers Software as a Service (SaaS) in the domain of Enterprise Resource Planning (ERP), along with hosting services. Its product Frappe Cloud holds a large amount of sensitive personal data of organisations, including internal company documents, financial statements and accounting records. Frappe personnel in India require access to this data in order to provide services to customers. In order to cater to the European Union (EU), Frappe needs to be GDPR compliant while maintaining a robust and resilient privacy infrastructure.

Problem Statement

Privacy is recognised as one of the most important fundamental rights, under Article 21 of the Indian Constitution. The Personal Data Protection Bill, now known as the Data Protection Bill, derives inspiration from the General Data Protection Regulation (“GDPR”). The GDPR applies to companies that operate in the European Economic Area (“EEA”), employ EU citizens, or, like Frappe, engage with EU citizens. The two primary reasons that Frappe needs to be compliant with GDPR are as follows:

  1. Frappe delivers software services over the Internet; the volume of data processed is massive, and so are the privacy and security risks associated with it.

  2. Processing data on Frappe Cloud makes Frappe a Data Processor, acting on the customers’ instructions, while with Frappe School it is a Data Controller, deciding the purposes and means of data processing.

Design Principles

The Privacy Policy should enumerate the kind of data that is collected, the mode of collection, the purpose of collection, and the third parties with whom user information is shared. The cookie policy describes what cookies are, the kinds of cookies present on the website, their purpose, and the data they collect. These have to be listed in an articulate, unambiguous, comprehensible and readily accessible form so that they are acknowledged and understood by the users of the product. Moreover, they should be written in clear and plain language, avoiding legal jargon. The procedure for users to withdraw consent should also be clearly stated in the Privacy Policy.

Data Access Control

A data access control policy document must be created internally, stating that all sensitive information is protected using logical access controls to prevent unauthorised access, disclosure, modification and deletion of information. Moreover, access to the organisation’s information systems and computing resources should be based on access privileges, for all employees and third parties. A half-yearly review of the privileged access granted to users needs to be done by the Infrastructure team. Access to proprietary program source code should be restricted to privileged users only. A flow chart of the data access control policy at Frappe is given below:

[Figure: Data Access Control Policy flow chart]

Data Portability

Data portability is the act of ensuring smooth data transfers between different software applications, platforms, services and computing environments, and also outside the organisation. The Right to Data Portability is enshrined in Article 20 of the GDPR. Personal data needs to be made available to customers in a machine-readable format. Also, if customers wish to migrate from a Frappe-hosted cloud instance to a self-hosted instance, the Right to Data Portability mandates that migration support be provided to the customer. Any such support requests raised by the user are addressed within 72 hours. Secure transfer methods, and anonymisation or pseudonymisation of the data, are used when transmitting personal data from one server to another.

Data Retention

Data retention refers to holding data and managing it for purposes that include compliance with legal requisites, managing financial records, keeping it accessible for the better provision of services, and other business-critical requirements. In order to make the practice of data storage and management as transparent, comprehensive and dependable as is practically possible, we must know exactly what data is required to be retained, where it has to be retained, for how long it has to be retained, how it can be made accessible to the data owner or the relevant party, the procedure to be followed for such access, the disposal of the data, and the authority responsible for such disposal, amongst other things. Customer data and information may be stored in locations across the world to ensure its reliability and availability.

Backup Policy

A good Data Backup policy must enumerate the kinds of data it stores, which may include photographs, configuration data, databases, websites, company documents and others, depending on the business of the organisation and its data dependencies. The policy must also describe how the organisation carries out backups, and mandate regular upkeep of the backup mechanism to ensure that the data is intact. It is good practice to automate the backup process and run it periodically. The customer is also entitled to download their backups, and a user-friendly interface needs to be provided for this.

Log Management Policy

A good Log Management Policy helps ensure the collection and preservation of security logs to detect and protect against unauthorised information processing activities. At Frappe, access to all customer sites and servers over SSH is logged, in addition to application logs. The logs are retained for the appropriate duration, and application logs are rotated based on log size.

Reference Implementation

Frappe has adopted International Organisation for Standardization (ISO) standards to meet the technical and security requirements under GDPR. It is compliant with ISO 27001, and has drafted Information Security Policies for the security of financial accounts, employee details, third parties and assets. There are 114 ISO 27001 Annex A controls, divided into 14 categories.

In furtherance of ISO 27001, a Password Management Policy document describing the guidelines to be followed to ensure password security has been created. The following guidelines are used when creating a new password:
1. It shall be at least 10 characters long.
2. It shall consist of alphanumeric and special characters.
3. For desktops, laptops and online services (Gmail, AWS, etc.), it shall contain all four of the following elements:
a. One upper case letter (A – Z)
b. One lower case letter (a – z)
c. One digit (0 – 9)
d. One special character (@, ~, !, etc.)

Passwords for Frappe-based sites should be long passphrases of three to four unrelated words with random capitalisation and numbers. User accounts shall be locked after three incorrect login attempts. A password-enabled screen saver shall be activated on all desktops and laptops after an inactivity period of 10 minutes. Password expiry is set to 90 days.
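The password rules above can be turned into a mechanical check, which is how such a policy is usually enforced at account creation and login. The following Python is an added illustration written for this report and is not Frappe's own code; the constant and function names are my own. It checks the four-element rule for desktop and online-service passwords, approximates the passphrase rule for Frappe sites (word count, mixed capitalisation and a number; whether the words are "unrelated" cannot be judged mechanically, so that part is not checked), and implements the three-strikes lockout.

```python
import string

# Policy parameters taken from the report; names are my own.
MIN_LENGTH = 10
SPECIALS = set(string.punctuation)     # "@", "~", "!" and the rest of ASCII punctuation
MAX_FAILED_ATTEMPTS = 3
PASSPHRASE_WORDS = (3, 4)              # three to four unrelated words


def check_password(password: str) -> list:
    """Return the policy rules a desktop/online-service password violates.

    An empty list means the password satisfies every rule in the policy.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def check_site_passphrase(passphrase: str) -> list:
    """Approximate check for Frappe-site passphrases.

    Checks the word count, mixed capitalisation and presence of a number.
    The 'unrelated words' requirement is not checked mechanically.
    """
    words = [w for w in passphrase.replace("-", " ").split() if w]
    problems = []
    lo, hi = PASSPHRASE_WORDS
    if not lo <= len(words) <= hi:
        problems.append("expected %d to %d words, got %d" % (lo, hi, len(words)))
    has_upper = any(c.isupper() for c in passphrase)
    has_lower = any(c.islower() for c in passphrase)
    if not (has_upper and has_lower):
        problems.append("no mixed capitalisation")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no number")
    return problems


class LockoutTracker:
    """Locks an account after MAX_FAILED_ATTEMPTS consecutive failed logins."""

    def __init__(self):
        self.failures = {}   # user -> consecutive failure count
        self.locked = set()

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def record_attempt(self, user: str, success: bool) -> bool:
        """Record one login attempt; return whether the account is now locked."""
        if user in self.locked:
            return True            # locked accounts stay locked until reset by an admin
        if success:
            self.failures.pop(user, None)   # a success resets the failure counter
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)
        return user in self.locked


if __name__ == "__main__":
    print(check_password("Password123"))          # missing a special character
    print(check_site_passphrase("correct Horse battery 7staple"))
    tracker = LockoutTracker()
    for _ in range(MAX_FAILED_ATTEMPTS):
        tracker.record_attempt("alice", False)
    print("alice locked:", tracker.is_locked("alice"))
```

The lockout tracker keeps only an in-memory counter; a production deployment would persist it and log each lock event so the SSH and application logs described later in the report can be correlated with it.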

The Cookie policy has a detailed “Your choices” section that informs the user about the ways in which they may alter and choose their preferred cookie settings. The Cookie banner also offers an option to reject the cookies the user thinks are not suited to their needs. A notification is sent to the user if cookies are stored on the user’s device. The cookies are categorised as follows:
1. Strictly Necessary Cookies/ Functional Cookies
2. Performance-Based Cookies
3. Analytics
4. Marketing Cookies

At this time, all offsite backups are stored in India, since Frappe is based in India. It is subject to Indian laws and regulations, including but not limited to the possibility of requests for access to data by law enforcement authorities. As part of the backup policy, Frappe has automated backups of customer sites every six hours.

Backups may be retained for up to six months. Information that is deleted may be retained in backups. However, these backups will not be processed unless required for disaster recovery purposes or for legal compliance. Frappe retains the information and data in the customer account for at least as long as the customer has an active account with Frappe, and for a period of 180 days after termination of the customer account, unless the customer has requested deletion of the information in accordance with the ‘Right to Erasure’, as per the Privacy Policy of Frappe Cloud. Additionally, all billing-related information will be retained for tax-related purposes for the longest duration required.

As part of offsite backups, one out of every four automated backups is stored offsite, which means the files are stored on a different server from the site. This ensures that customers can access their backups even in the unfortunate event of server downtime. The customer can also trigger a manual backup of their site at any time. The frequency of automated backups is: 7 daily, 4 weekly, 12 monthly and 10 yearly. Weekly backups are taken every Sunday, monthly backups on the first day of each month, and yearly backups on the first day of each year.
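The tiered schedule above (daily, Sunday, first of month, first of year, with a fixed number kept per tier, and every fourth run copied offsite) is a standard backup-rotation pattern. The Python below is an added illustration written for this report, not Frappe's implementation. It assumes that the 7/4/12/10 figures are the number of backups kept in each tier, newest first, and it uses a constructed sample of one backup per day from 2022-01-01 to the report's submission date so the pruning result can be checked by hand; the six-hourly cadence and the one-in-four offsite rule are handled separately by `offsite_flags`. All names are my own.

```python
from datetime import date, timedelta

# Retention counts per tier as given in the report (assumed to be counts kept, newest first).
RETENTION = {"daily": 7, "weekly": 4, "monthly": 12, "yearly": 10}
BACKUPS_PER_DAY = 4          # one automated backup every six hours
OFFSITE_EVERY = 4            # one out of every four automated backups is stored offsite


def tiers_for(day: date) -> set:
    """Tiers that a backup taken on `day` belongs to under the schedule."""
    tiers = {"daily"}
    if day.weekday() == 6:              # Sunday
        tiers.add("weekly")
    if day.day == 1:                    # first day of the month
        tiers.add("monthly")
        if day.month == 1:              # first day of the year
            tiers.add("yearly")
    return tiers


def select_retained(backup_days: list) -> dict:
    """Newest N backups per tier, with N taken from RETENTION."""
    retained = {}
    for tier, count in RETENTION.items():
        eligible = sorted((d for d in backup_days if tier in tiers_for(d)), reverse=True)
        retained[tier] = eligible[:count]
    return retained


def prune_plan(backup_days: list):
    """Split the backup set into (keep, delete) lists; a backup survives if any tier keeps it."""
    keep = set()
    for days in select_retained(backup_days).values():
        keep.update(days)
    delete = sorted(set(backup_days) - keep)
    return sorted(keep), delete


def offsite_flags(run_count: int) -> list:
    """Which of `run_count` consecutive six-hourly runs are copied offsite (every fourth)."""
    return [(i + 1) % OFFSITE_EVERY == 0 for i in range(run_count)]


def sample_backup_days() -> list:
    """Constructed input: one backup per day from 2022-01-01 to 2022-09-08 inclusive."""
    start, end = date(2022, 1, 1), date(2022, 9, 8)
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


if __name__ == "__main__":
    days = sample_backup_days()
    for tier, kept in select_retained(days).items():
        print(tier, [d.isoformat() for d in kept])
    keep, delete = prune_plan(days)
    print(len(keep), "kept,", len(delete), "to delete")
    print("offsite copies per day:", sum(offsite_flags(BACKUPS_PER_DAY)))
```

Because a backup is only deleted when no tier still claims it, a Sunday backup that has aged out of the daily tier survives in the weekly tier, and a 1 January backup is kept by the yearly tier long after the monthly tier has released it; with four runs a day and every fourth run offsite, exactly one copy per day lands on a different server.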

The procedures and methodologies adopted for Frappe’s two celebrated verticals, Frappe School and Frappe Cloud, have helped it achieve GDPR compliance.

Conclusion

As a company that offers software as a service and distributes open source software, Frappe has to collect personal data to carry out its business transactions. Thus, it becomes pertinent to have privacy procedures in place that help protect the personal data entrusted to it by its users, in its capacity as a Data Controller and/or Data Processor. A robust and resilient privacy infrastructure has not only contributed to the growth in customers’ trust in its products, but has also greatly contributed to building a sound reputation globally, leading to an increase in its customer base in the EU region and in other geographies.

References

  1. Frappe Cloud Privacy Policy. https://frappecloud.com/privacy

  2. GDPR Principles. https://gdpr-info.eu/chapter-2/

  3. Frappe School. https://frappe.school/home
