GDPR

The General Data Protection Regulation (GDPR) is the legal framework for the processing of personal data in Europe. It introduces stringent requirements that set new standards in compliance, security and data protection.

Game Interaction Group and the GDPR

In addition to ensuring its own compliance, Game Interaction Group is committed to offering services and resources that allow clients to meet the GDPR requirements that apply to their activities. In this regard, Game Interaction Group has released new features, and others will be released.

Definition of the GDPR 

To avoid misinterpretations of regulatory obligations, the essential expressions for understanding the GDPR are defined below: 

  •  personal data: any information relating to an identified or identifiable natural person, i.e. the interested party. An identifiable natural person is a natural person who can be identified, directly or indirectly. 
  •  processing: any operation or set of operations performed with or without the support of automated processes and applied to data or sets of personal data (collection, registration, transmission, storage, conservation, data mining, consultation, use, interconnection, etc …).

Responsible for data processing: natural or legal person, public authority, service or other body which, alone or with other subjects, determines the means and purposes of the processing. In the text of the GDPR, it is indicated as the data controller.

Sub responsible for data processing: natural or legal person, public authority, service, or other body that processes personal data on behalf of the data controller. In the text of the GDPR, it is indicated as the data controller.

Game Interaction Group as a sub responsible for data processing

Game Interaction Group plays the role of “sub processor” when processing personal data on behalf of a data controller. This is the situation that occurs when using Game Interaction Group services and storing personal data on the infrastructure used by Game Interaction Group. Within the limits of its technical constraints, Game Interaction Group will process hosted data solely as directed by you, and on your behalf. 

Game Interaction Group’s commitment as a sub responsible for data processing

In its role as sub responsible for data processing, Game Interaction Group undertakes, in particular, to carry out the following actions:

  •  process personal data exclusively for the correct execution of the services: Game Interaction Group will never use your information for other purposes (marketing, etc …) 
  •  do not transfer your data outside the EU or outside countries recognized by the European Commission as possessing an insufficient level of protection 
  •  inform you of any recourse to other appointees who may process your personal data even if, to date, no service that provides access to the content stored by the user is outsourced outside of Game Interaction Group 
  •  implement high-security standards in order to ensure a high level of protection for our services 
  •  notify you as soon as possible in the event of a data breach 
  •  assist you in fulfilling your regulatory obligations by providing you with adequate documentation of our services 

Game Interaction Group as the data controller

Game Interaction Group plays the role of “data controller” when it determines the means and purposes of the processing of personal data.  

This is the case where Game Interaction Group collects data for billing, service and performance improvement, sales operations, commercial management, etc …, but also when Game Interaction Group processes the personal data of its employees.  
In this case, “your” data hosted on Game Interaction Group services is not affected, unlike some information concerning you or your employees (for example, information relating to the identity and contact details of your contact in Game Interaction Group as part of a request for Support). This is why Game Interaction Group is keen to explain the safeguards put in place to ensure the protection of this personal data: 

  •  limit the collection of data to what is strictly necessary: in this way, only the data that Game Interaction Group requires to provide services relating to billing and assistance, or to fulfill legal obligations in the context of data retention, are entered 
  •  not to use personal data for purposes other than those for which they were originally collected 
  •  keep personal data for a limited period. For example, the data processed for purposes related to the management of relations between clients and Game Interaction Group (surname, name, address, email, etc.), are kept by the company for the entire duration of the contract and the following 36 months. At the end of this period, they are permanently erased from all media and backups 
  •  not to transfer this data to third parties who are not part of the Companies connected to Game Interaction Group that are involved in the execution of the contract. During migrations within the Group, some data may be transferred outside the European Union based on the corporate rules implemented by the Game Interaction Group 
  •  implement adequate technical and organizational measures in order to guarantee a high level of safety

Security measures 

Game Interaction Group is committed to guaranteeing the maximum security of the infrastructures where the Client’s Platform is installed. SeeWeb S.r.l., the hosting provider of Game Interaction Group, guarantees service continuity of 99.90%, with specific assurance levels that reach up to a 99.95% guarantee backed by penalties (SLA, or Service Level Agreements).

Seeweb pays special attention to service quality and security. For this reason, SeeWeb holds the most important quality and process certifications available.

  • ISO9001 certification process
  • ISO14001 Environmental Management System Standard
  • ISO27001 Data security System Standard
  • Registrar among the Italian ccTLD and Eurid for the TLD .EU
  • LIR – Local Internet Registry for IPv4 and IPv6, RIPE NCC certified
  • reliability validation audit with Netcraft Ltd
  • Oracle Partner Gold Level (OPN: 44361900)
  • Microsoft Partner with SPLA authorization and Microsoft Certified Personnel
  • CISPE certification: CISPE (Cloud Infrastructure Services Providers in Europe) is a trade association of IAAS cloud providers that adhere to the CISPE Data Protection Code of Conduct. On top of the compliance required to meet the GDPR, the Code also ensures that IAAS customers may choose to have their data located and processed exclusively in Europe, and that the supplier will not re-use customers’ data.

Game Interaction Group takes the necessary measures to preserve the security and confidentiality of the personal data processed, in particular, to prevent them from being violated, damaged, or from unauthorized third parties accessing them. 

Thanks to the agreement with SeeWeb, Game Interaction Group undertakes to implement:

Access to the rooms – Access to the rooms is reserved exclusively for Seeweb personnel and any duly authorized third parties. An access badge/secret is required. Access to the data center is further secured by a SmartCard/secret that only authorized personnel possess. Datacenter A is equipped with access controls using biometric face recognition. All accesses are logged on the computer system; any third party, who may enter only when accompanied by Seeweb staff, must be registered after their identity and the purpose of their access have been verified.

Rooms surveillance – Surveillance 24 hours a day, 7 days a week, 365 days a year is ensured by remote monitoring systems. An external and internal perimeter video surveillance system uses video cameras with legal recording and retention. It detects all movement in the critical areas and then activates the alarm circuit. Video surveillance with recording and detection is also present inside the datacenter technical and operations rooms. Location 4) has dedicated armed surveillance during the less attended hours; at sites 1) and 2) the armed surveillance staff is that of the Campus.

Intrusion detection – An intrusion detection system with volumetric access monitoring is active for all site rooms and data centers, with remote acoustic and optical signalling via radio alarm to the surveillance institute.

Site 4) is also protected along its external perimeter by microwave barriers, coordinated with the access control and video surveillance systems.

Accidental and catastrophic events – Datacenter 4) is secured by a progressive, multi-area Vesda smoke detection system. The Marioff HI-FOG® fire suppression system is a high-pressure, twin-fluid water-mist system compliant with the NFPA 750 and UNI CEN/TS 14972 standards. It is a very refined system that allows operators to remain present while fire fighting is underway, reducing the impact on the services provided to the bare minimum. Datacenters 1) and 2) are protected by an EN54-7 and EN54-5 smoke detection system and by an environmental saturation fire fighting system using Argon gas. Flooding is detected by detectors installed in the underfloor. The data centers are all located above the rural area and are protected by a very sophisticated system against any water leaks from the refrigeration plants, the only thing that can lead to a flood.

Power supply continuity – The power supply system is fully redundant and follows the EIE-CE regulations. Every rack row is equipped with sockets and security power plugs that are tear resistant and fire resistant. Every rack containing the plants receives power from two different lines coming from redundant UPS units. Datacenter 4) has a full TIER-IV electrical design with double UPS and double STS on the rack power lines, with double electrical routes that are detached and separated. The sites have generator sets with automatic start and long autonomy (72h for site 4); 24h for sites 1), 2), 3) at full load), with the possibility of rapid supply at street level. Location 4) has an N+1 emergency generation system able to work continuously, covering for the public network power supply.

Rooms conditioning – The conditioning system provides air filtering, internal ventilation and cooling, guaranteeing a balanced temperature and adequate air turnover. The conditioning plant is redundant, following a fully protected 2N+1 architecture that extends to the water refrigerant groups, the external condensers and the air treatment units (UTA) present in the data center. When not protected (while a breakdown is underway), the system is oversized by 20% with respect to the maximum capacity of the supplied data center area. In case of complete breakdown, a manually driven air washing system that takes in and expels external air (free cooling) comes into action. The operating parameters are measured constantly at 5-minute intervals, with local and remote alarms (tele-alarms to the surveillance institute) when the critical values are exceeded. The system maintains the parameters according to ASHRAE 2008 class A, and only in case of breakdown could it downgrade to A1.

Network physical infrastructure – The data center network infrastructure has three levels and is completely redundant in both the equipment involved and the connections to the application rack. The backbone and aggregation levels are located in a specific, adequately protected area of the data center; the distribution level is local to each row of racks. Both connections of each redundant pair are always active and their functioning is monitored. For the datacenter, all copper and fiber routes of the redundant network infrastructure bundle run on detached, compartmented physical paths.

Shared responsibility

What is meant by shared responsibility? 

In terms of compliance and data security, Game Interaction Group and the client are both responsible, albeit on different fronts.  
Game Interaction Group takes care of the maintenance, updating and protection of the physical infrastructure on which all cloud services are run.  
Game Interaction Group will intervene at a technical level on the purchased service only at the explicit request of the client. 
The shared responsibilities are detailed below according to the Game Interaction Group service used. We invite all clients to read their responsibilities concerning the services they use. 
Game Interaction Group is committed to applying all reference standards to ensure information security.

Platform

Game Interaction Group

  • Keep systems updated with the most stable and secure software version
  • Monitor servers and data synchronization processes to ensure continuity of service
  • Daily backup checks to ensure data integrity
  • Additional Backup

Customer

  • Export data at least monthly / bimonthly
  • Set complex passwords to access the service
  • Carefully guard the access data to the Platform and all the services included and limit their disclosure, with particular attention to passwords.
  • Promptly inform Game Interaction Group in case of anomalies that could determine a data security problem
  • Promptly intervene in the event of Game Interaction Group reports on problems relating to the service