Last Modified: 19 May 2021
Data Processor GDPR Statement
- About this Statement
This Compliance Statement provides a general description of how Dubber processes and safeguards personal data as a processor in accordance with the GDPR and aims to cover the questions a controller would typically raise in a data processing questionnaire for processors. The “GDPR” means: (1) the General Data Protection Regulation (EU) 2016/679 (the “EU GDPR”); and (2) the GDPR as amended and adopted by UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”), collectively referred to as the “GDPR”. Dubber Ltd, an English company with registered office at 49 Greek Street, London, England, W1D 4EG (“Dubber”, “we”, “our” or “us”), is committed to protecting the privacy and security of personal data.
The terms “data subject”, “personal data”, “process”, “processing”, “appropriate technical and organisational measures”, “controller”, and “processor” shall be interpreted in accordance with the GDPR within the EU and with the Data Protection Act 2018 (as applicable) in the UK. References to an “Article” or “Recital” shall mean an Article or Recital of the GDPR. “Recordings”: means telephone recordings, voice recordings, Unified Communications Recordings (UCR), transcripts, and any such other record made by Customers and uploaded to our system via Dubber’s API.
- Dubber as Processor
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the European Union or the UK as applicable (Article 3(1)). Furthermore, the way in which processors collect, store, protect or otherwise use personal data on behalf of controllers is also regulated by the GDPR (e.g. Article 28 GDPR). The purpose of this Compliance Statement is to aid in the demonstration of Dubber’s compliance with, amongst other things, Article 28 of the GDPR. Dubber provides Recording solutions. When our customers use Dubber’s Recording and Artificial Intelligence (AI) Platform (“Dubber Platform”) or receive ancillary services from Dubber, Dubber will be acting as a processor (or as a sub-processor). Such customers, who act as controllers or as processors under the instructions of a controller (the “Customers”), determine the manner in which any personal data are to be processed, and for what purposes.
- Summary of Dubber Processing Activities as a Processor
3.1 Data subjects. The personal data we process for the provision of our services concerns the following categories of data subjects: (a) Data subjects connected to our Customers who have their voice or communications (audio, video or text) recorded. (b) Customer Representatives who, by virtue of their employment or other contractual relationships with the Customer, engage in conversations with end users, and are subsequently recorded.
3.2 Categories of data. We envisage that the personal data processed will likely concern the following categories of personal data:
(a) Any personal data contained in Recordings. Due to the nature of Recordings, it is possible that a wide variety of information, including personal data, may be disclosed by data subjects and subsequently processed by Dubber.
(b) Information provided by our Customers when they join us or they interact with our customer services or representatives. Personal data may include first name, last name, date of birth, financial data, or other details concerning the Customer’s products and services.
(c) Information provided by our Customers (or their customers) when they use the Dubber Platform. Personal data may include email addresses and names of Customer representatives.
(d) Special categories of personal data. Dubber will not ask for any personal data which may be considered a special category of data. However, due to the nature of recording, Recordings could contain special categories of personal data.
(e) Any personal data generated as a result of Dubber AI. Where Dubber AI is configured, Dubber may generate text transcriptions using Customer supplied Recordings.
3.3 Methods of collection. Dubber collects personal data in the following ways:
(a) Through the Dubber Platform. (i.e. when Recordings are stored in our platform).
(b) Direct interactions. Customer representatives may give us their identity and contact data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data provided when creating a Dubber account.
(c) Automated technologies or interactions. As data subjects interact with our website and the Dubber Platform, we will automatically collect technical data about equipment used, browsing actions and patterns.
(d) AI generated. Data generated as part of Dubber AI processing may contain transcripts of Customer supplied Recordings.
3.4 Processing operations. Dubber will process personal data to make available, and operate, the Dubber Platform to the Customer, and any other services requested by the Customer in accordance with the agreement we have in place with the Customer.
3.5 Duration of the Processing of Personal Data. Dubber will process personal data during the term of its contracts with each of its Customers, including an exit period (if any), and thereafter, as long as Dubber is required to process the personal data by applicable law. Please refer also to Section 12: Destruction of Data and Termination of Contract, below.
3.6 Sub-processors within the EEA or in an adequate country or sector. A list with the sub-processors we use and how the sub-processors process the relevant personal data is available at https://www.dubber.net/legal/subprocessors/.
3.7 Personal Data transfers outside the EEA or outside an adequate country or sector.
(a) Dubber will always store Recordings coming from EEA or UK Customers in EEA or UK databases (e.g. an AWS S3 bucket).
(b) Depending on the geographic location of Dubber’s Customers or their individual end users and the nature of the services Dubber provides to them, Dubber may also engage third parties and one or more of its Affiliates as Sub-processors.
(c) Dubber affiliates located outside the EEA or the UK may, in limited cases and on a “need to know basis”, access customer data (including personal data contained therein) in the course of providing support, operating, delivering, and maintaining Dubber services including (i) cloud storage solutions for the Dubber UK Entities and their clients; Call Recording, UCR and Voice-AI software-as-a-service development, testing and support; and (iv) the provision of other operational, business development, sales and support services to Dubber.
(d) When we transfer personal data to any recipient (e.g. a sub-processor Dubber Affiliate) outside the European Economic Area (the “EEA”) or the UK to provide our services, we will take adequate technical and organisational measures to ensure that such personal data is handled securely and with an adequate level of protection comparable to and at the same level as the protection offered in the EEA or the UK.
- Security Overview
4.1 We have implemented appropriate technical and organisational measures in such a manner that processing meets the security requirements of Data Protection Legislation.
4.2 The Dubber Platform has been designed to provide maximum functionality with sophisticated security systems. Our security practices ensure that personal data is protected at every stage of the communication capture process and beyond to storage and analysis in accordance with good industry practice.
4.3 All user, Recording and Dubber AI data is stored in encrypted repositories. Dubber recordings are encrypted using 256-bit Advanced Encryption Standard (AES-256).
- Records of Processing
5.1 We maintain a written record of all categories of processing activities carried out on behalf of a data controller as required by Article 30(2). This record is updated at least annually by the Information Security Team and maintained in a format that can be used to demonstrate our processing activities to our Customers and the relevant supervisory authorities, as required.
5.2 When acting as processor (or as a sub-processor), our records contain:
(a) our name and contact details;
(b) the name and contact details of each controller or processor on behalf of which we are acting;
(c) the categories of processing carried out on behalf of each controller;
(d) where applicable, any transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, where required, the documentation of suitable safeguards; and
(e) where possible, a general description of the technical and organisational security measures referred to in Article 32.
- Contracting and Procurement
6.1 We have included controller-to-processor (e.g. Article 28 GDPR) compliant contract wording in Customer agreements and third-party vendor agreements. We regularly review our procurement processes for the purposes of meeting our compliance obligations under the GDPR. In addition:
(a) Any arrangement in which an external supplier has access to Dubber information or systems is to be subject to appropriate security controls beforehand. This is to be given effect by: (i) requiring the external supplier to comply with all relevant security standards, policies and procedures specified in Dubber’s information security management system (“ISMS”) policy; and (ii) carrying out a risk assessment based on the nature of the service being provided by the external supplier.
(b) It is important to note that large suppliers do not recognise small provider nomenclature and classification of terms etc. In that instance we adapt our approach accordingly to bridge any gaps and ensure the integrity of our ISMS is not compromised by such a supplier using different language or practices.
6.2 Sub-processors. Where authorised to do so by the relevant data controller, we appoint sub-processors in the manner prescribed by Article 28. We ensure our contracts with any sub-processors are compliant with Data Protection Legislation.
- Threat Management and Incident Handling
Dubber adheres to the GDPR data breach notification regime as required under Article 33(2). We will inform a controller of personal data that is subject to a security threat or incident without undue delay after becoming aware of such a threat or incident. Where it is not possible to provide all the information at the same time, we will provide additional information as it becomes available, without undue further delay.
- Personnel Security
8.1 Dubber employees go through appropriate levels of background and reference checks pre-employment, and any additional post-employment requirements depending on their role and commercial requirements.
8.2 Dubber employees do not have access to any of our Customers’ personal data and Recordings, unless this is strictly necessary for them to perform their duties and on a “need to know basis” (e.g. when we spot check a very small number of Recordings for training, quality and product development purposes only).
8.3 All Dubber employees are required to complete mandatory information security training.
8.4 Dubber employees commit themselves to confidentiality in accordance with the Data Protection Legislation requirements. We will deal promptly with breaches of our security policies and procedures through formal processes, including disciplinary action.
- Physical Security
9.1 We limit access to our premises (sites, buildings or internal areas) where personal data is stored. We ensure that no Customer data is stored in any physical Dubber site.
9.2 Dubber’s physical security protection measures include secure lock and key for personnel files and secured doors (building and office passes and controls).
9.3 We inspect the premises used for the provision of our services for risks and threats at least annually.
- Network and Cloud Security
10.1 Dubber’s service provides a private and secure link between communication networks. Our service benefits from built-in firewalls that allow private networks to link telephony equipment with Dubber, with additional access controls on Dubber instances.
10.2 We implement security measures across our networks, to safeguard the confidentiality, availability and integrity of Customer end users’ personal data. There are logical and role-based access controls across information systems. Privileged access reviews are conducted at least twice a year. We regularly conduct security / penetration testing.
10.3 All recorded caller user data, including metadata and recorded data, is stored in dedicated data silos for each individual user. Customer’s users are only granted access to the data that belongs to their registered accounts.
10.4 All user, Recording and Dubber AI transcripts are stored in encrypted repositories. The Recordings are fully encrypted using one of the strongest block ciphers available – 256-bit Advanced Encryption Standard (AES-256).
10.5 We have systems in place in line with good industry practice to detect any security breaches that might occur. This allows us to act quickly to rectify any breaches and identify the sources of the attack.
10.6 Dubber’s security measures include:
(a) use of controls in place that aim to prevent any purposeful attack;
(b) secure communications between devices as appropriate; including the encryption of all non-console administrator access;
(c) strong architectural designs, which are tiered and zoned, with effective and robust identity management and operating system configurations that are appropriately hardened and documented;
(d) the disabling (where practical) of services, applications and ports that will not be used;
(e) the installation of the most recent security patches as soon as practicable;
(f) ensuring appropriate measures are in place to handle denial-of-service attacks;
(g) monitoring all applicable vendors and other relevant information sources for vulnerability alerts;
(h) Keeping Recordings secure. Recordings are protected in transmission and storage through use of secure protocols and encryption;
(i) Defence in depth. The network is partitioned into zones with different trust levels, and traffic between those zones is restricted;
(j) Protect what you can, detect everything else. Networks are monitored to detect unauthorised connections and suspicious traffic;
(k) Secure application development processes: these are incorporated into the Dubber software development life cycle to reduce the risk of vulnerabilities being introduced into applications. This includes the use of secure design and programming methods, and testing and validation techniques for software application development;
(l) Development, testing and production environments are segregated from one another to reduce the likelihood of a weakness in a non-production system leading to the compromise of production data;
(m) All system clocks are synchronised with a certified Network Time Protocol (NTP) provider via internal intermediary time servers, and modification of system clock times is prevented;
(n) All traffic between the security domains traverses, and is filtered by, an application layer firewall or equivalent (proxy);
(o) Production data is not used in development or test environments;
(p) Two-factor authentication is used for management access to cloud resources;
(q) Only secure protocols are used for transmission of data between environments. Insecure protocols (e.g. FTP, HTTP, Telnet) must be ‘tunnelled’ via a secure protocol such as SSH or TLS;
(r) We have a business continuity plan in place which has been developed, implemented, and tested to deal with events where the CSP’s environment is unavailable;
(s) All cloud deployments are security tested in line with comparable on-premises deployments, including vulnerability scanning and penetration testing; and
(t) VPN connections are authenticated using TLS-AUTH, or an industry recognised secure alternative.
- Industry Standards and Certifications
11.1 ISO/IEC 27001. We adhere to and are compliant with the ISO/IEC 27001 industry standard. We are audited by an independent body annually against the ISO/IEC 27001 standard. Our certificate is available on the Dubber website. A copy of the Statement of Applicability is available upon request.
11.2 HIPAA Compliance. We have a standard Business Associate Addendum (“BAA”) we present to Customers for signature.
11.3 Payment Card Industry Data Security Standard (“PCI DSS”). We are a PCI DSS Level 4 Merchant and have completed the Payment Card Industry Data Security Standard’s SAQ-A. We completely outsource all our credit card data-handling operations to a PCI-certified service provider. A copy of the self-assessment is available upon request.
11.4 OWASP Secure Coding Standards. We adhere to OWASP security standards in our coding practices.
- Destruction of Data and Termination of Contract
12.1 Where Dubber is contractually required to destroy data for which we are a processor or a sub-processor, authority to do so must include a request or confirmation to destroy data from the Customer. Upon receipt of this request, Dubber will suspend the account(s) identified and undertake the following treatments within a reasonable period:
(a) Data held securely within Dubber applications is deleted from their respective repositories; and
(b) Where Data is held by a Dubber sub-processor for processing purposes, data is deleted from each of the destination sub-processor’s repositories.
12.2 Where we receive a request to transfer data to the Customer at the termination of the relevant Customer agreement, Dubber and the Customer will agree the full terms of the transfer, the transfer methods and the details of what data is to be transferred and what data is to be destroyed.
- Accountability and Governance
13.1 Data Protection Officer (DPO). DPOs are mandatory for private organisations whose core activities include either regular and systematic monitoring of data subjects, or processing special categories of data, or data relating to criminal offences (Article 37). We have appointed a DPO, whose contact details are as follows: firstname.lastname@example.org. The DPO independently monitors our compliance with the GDPR. The DPO and senior management communicate and work together to ensure data protection compliance. Information security and compliance are regularly reviewed with Dubber’s Senior Management.
13.2 Regulator & European Representative. Dubber Ltd is an English company established and incorporated in England. Therefore, Dubber’s supervisory authority is the Information Commissioner’s Office (“ICO”) of the United Kingdom.
13.3 EU Representative. Dubber has appointed an EU Representative to comply with Art. 3(2) and Article 27 of the EU GDPR and their details are: RSM SPAIN | Address: c/ d’Entença, 325, 335, 08029 Barcelona (Spain) | Email: email@example.com | Website: www.rsm.es.
13.4 Training. All Dubber employees receive training on information security, data protection and other relevant privacy laws. All Dubber employees are aware that unlawful access to and/or disclosure of personal data is prohibited. For details on Personnel Security, please refer to Section 8: Personnel Security.
13.5 Related Policies and Procedures. We have specific policies and procedures in place regarding the protection of personal data used in the course of our business.