Skip to main content
Druva Documentation

GDPR Compliance using Druva inSync

Overview

The General Data Protection Regulation (GDPR) is legislation enforced to strengthen and unify data protection across the European Union (EU). The GDPR applies to any organization in the EU or based outside of the EU that processes personal data of EU citizens or other nation citizens based out of EU. Please refer to this Druva white paper which describes how businesses can comply with GDPR.

Druva inSync provides features to meet many obligations required by the GDPR regulation:

Data Security and Protection

Relevant GDPR Articles

  • Article 5: Principles relating to processing of personal data

  • Article 25: Data protection by design and by default

  • Article 32: Security of processing

The following Druva inSync features enable data security and protection.

Secure by Design

Druva inSync is built with the primary goal of data security. Druva’s approach to storing enterprise data, utilizing advanced data-scrambling and envelope-based encryption model guarantees that the user data is secured.

Druva inSync has also completed SOC-2 Type II, HIPAA audits, and is FedRAMP ATO (Authorized to Operate), which emphasizes Druva's commitment to meeting and exceeding the highest security standards. For more information, see the Druva Security whitepaper.

Secure data using encryption

By default, Druva inSync backs up the user data to inSync Cloud and restores the user data from inSync Cloud over a secured TLS v1.2 channel. However, Druva inSync can be configured to encrypt data on the user devices, that provides a powerful, multi-layered protection of critical data that resides on your organization’s devices. For more information, see Data Loss Prevention.

Prevent unauthorized access to user information

Based on the user role, Druva inSync administrators can configure a Geofencing policy that restricts access to Druva inSync from outside the corporate network. This helps administrators control, monitor, and protect the data from unauthorized access from outside the organization. For more information, see Configure Geofencing Policy in your organization.

Prevent loss of data

To prevent loss of data, organizations can back up data on the user devices frequently using the profile associated with a user. For more information, see Configure the backup schedule.

Data preservation can be achieved by defining the retention period of the backup data, which helps ensure data availability and robust data recovery in case of loss of data or the user device. For more information, see Configure the backup retention policy.

Data Viewing and Monitoring

Relevant GDPR Articles

  • Article 33: Notification of a personal data breach to the supervisory authority

  • Article 34Communication of a personal data breach to the data subject

  • Article 35: Data protection impact assessment

The following features help the data compliance authority to view the data retained by your organization and comply with the reporting requirements in case of a data breach.

Data Governance and Compliance

You can utilize the Druva inSync Compliance1 capability that provides visibility into retention of sensitive and personal data and lets you proactively track, monitor, and get notified for data compliance risks in your organization.

Druva inSync Governance2 enables you to analyze and identify usage trends, globally search and filter files and folders across all devices, and set up real-time alerts to handle IT issues proactively.

  • Druva inSync administrators can utilize the Federated Search capability to quickly find end-user files and emails that are backed up by Druva inSync. Administrators can download the search results for offline review or ingest the files and emails into a third-party tool for further analysis.

  • Using the Legal Hold APIs, you can integrate Druva inSync with eDiscovery solutions to mine and access the data of custodians and access their data by using WebDAV protocol. For more information, see eDiscovery Software Integration.

  • You can also utilize the Legal Hold API and Direct Download Utility capabilities to bulk download files of required users for further processing. 

Data Breach Detection and Reporting

GDPR mandates businesses to maintain tamper-proof records of activities and be able to furnish it to the supervisory authority on request. Druva inSync can be configured to record activities of Druva inSync administrators and users using the Audit trails.

Druva inSync provides an extensive set of Events API that can be integrated with any third party SIEM tool. The alerts and events exported via the Event API help monitor Druva inSync events, detect malicious activity through IP address logging, and take corrective actions on reported alerts and failures. For more information, see Events API to export Druva inSync events.

Druva inSync also provides the Unusual Data Activity3 report that lists the devices and Cloud App accounts that are detected for anomalous behavior. A device or a Cloud App account is flagged and listed in this report if trends such as a large number of files deleted are added, unwarranted modification or suspicious encryption of files are observed on the configured device or a Cloud App account. For more information, see Unusual Data Activity Report.


1  inSync Compliance is available with Druva inSync Elite Plus subscription.

inSync Governance and all the features described in this section are available with Druva inSync Elite and Elite Plus subscription.

Unusual Data Activity is available with Druva inSync Elite Plus subscription.


Data Privacy and Disposition

Relevant GDPR Articles

  • Article 5 - Principles relating to processing of personal data

  • Article 15 - Right of access by the data subject

  • Article 17 - Right to erasure (‘right to be forgotten’)

  • Article 18 - Right to restriction of processing

  • Article 20 - Right to data portability

Search and Manage Snapshots

inSync administrators can remove or delete the snapshots created by Druva inSync after a successful backup, that contain the user personal data. The snapshot can be identified by looking into specific snapshot and downloading the files or folders before deleting the snapshot. For detailed instructions, see Delete Snapshots. 

Search and Delete personal user data from Druva inSync

Druva inSync administrators can utilize the Federated Search capability to quickly find end-user files that contain personal data and delete the files in the user dataset to address Right to be Forgotten requirements.

Delete users from Druva inSync

Druva inSync administrators can delete the user data by deleting the user from Druva inSync. All the user data backed up by Druva inSync or shared with the other is deleted. For more information, see Delete Users in Druva inSync.

Address subject access requests

Druva inSync users can request inSync administrators to view or access the data that is stored in Druva inSync. inSync administrators or user themselves can access the required data or the entire data backed up by Druva inSync to their devices.

  • Administrator triggered restore or download of user data 

Druva inSync administrators can trigger an on-demand data recovery or download of the data on the user devices. Based on the request, administrators can choose to do either do a single file recovery or download the entire snapshot on one or multiple devices. inSync users can view the data on their devices and take necessary action.

For more information, see Restore data to a device using Druva inSync administrator console 

  • User triggered restore of data

Druva inSync users can themselves access or download the desired data stored in Druva inSync using the Druva inSync Client or Druva inSync Web. Administrators can choose to do either do a single file recovery or download the entire snapshot on multiple devices.

For more information, see Restore data using the Druva inSync Client or Restore data using the Druva inSync Web.

  • Address “Right to Data Portability”

Druva inSync users can request Druva inSync administrators export a copy of their data. User data can be transferred onto an individual’s electronic portable device. inSync administrators are requested to contact Druva Support for assistance with such requests.

Protect user data in different regions

Druva inSync administrators can configure inSync to protect data of users to available storage locations based on the geographical location of the user.  

When creating a user in Druva inSync, an administrator can map a storage region to the user. All the user data is backed up to this storage location. For more information, see Change storage assigned to a user.

To configure multiple storage regions in your account, contact Druva Support.

  • Was this article helpful?