Compliance and GDPR
GDPR compliance and procedures
Version: January, 2023
Purpose of this document
This document is a declaration of compliance of the Stellia.ai solution with the General Data Protection Regulation (GDPR) of the European Union. It presents the data collected and processed, the purpose of the collection, its hosting and its security.
This document also presents the procedures allowing users of the solution to access, correct or delete data that concerns them, as well as the information procedure.
The Data Protection Officer is Ha Quang LE and can be contacted at DPO@stellia.ai
1. The GDPR regulation
1.1. The founding principles of the GDPR regulation
The General Data Protection Regulation (GDPR) of the European Union is essentially governed by the following 8 principles (see articles 5.1 and 5.2 of the GDPR) on the collection, management and processing of personal data:
- Lawfulness, fairness and transparency: “processed lawfully, fairly and in a transparent manner in relation to individuals (“lawfulness, fairness and transparency”)”
- Limitation of purposes: “collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered incompatible with the initial purposes (“purpose limitation”)”
- Data minimization: “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”)”
- Accuracy: “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”)”
- Storage limitation: “kept in a form which permits identification of the persons concerned for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of the appropriate technical and organizational measures required by the GDPR regulation in order to safeguard the rights and freedoms of individuals (“storage limitation”)”
- Integrity and confidentiality (security): “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”)”
- Responsibility: “the controller is responsible for compliance with paragraph 1 and must be able to demonstrate this (“responsibility”)”
1.2. End user rights under the GDPR regulation
To allow end users to control the data linked to their profile or activity, the European Union General Data Protection Regulation (GDPR) requires the data controller to offer them the following rights:
- Access: knowing whether data concerning them is being processed, and accessing it (article 15)
- Rectification: when personal data is inaccurate, the data controller must correct it (article 16)
- Erasure: requesting erasure of data, or the right to be forgotten if personal data has been made public (article 17)
- Limitation of processing: requesting that the processing of their personal data be restricted when such processing is not essential to the service provided to the end user (article 18)
- Information: the data controller must, wherever possible, inform the recipients to whom the data have been disclosed of any rectification, erasure or restriction. The data subject also has the right to ask which recipients have had access to their data (article 19)
- Data portability: the right to obtain the personal data concerning them in a structured, commonly used and machine-readable format in order to transfer them to another controller (article 20)
- The right of opposition: the right to object to any processing of personal data, planned or in progress (article 21)
- Rights related to automated decision-making and profiling: the right of the data subject not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning them or similarly significantly affects them (article 22)
2. Stellia.ai GDPR Compliance Statement
Stellia.ai, the company developing and marketing the Stellia.ai solution, hereby confirms that it has worked to ensure and verify the compliance of Stellia.ai with the EU GDPR regulation, in particular with the founding principles and end-user rights listed above.
Stellia.ai is committed to continuing to improve or correct Stellia.ai's compliance with the GDPR following any product developments, updates to the law, additional recommendations from any legal or regulatory authority, or a GDPR/personal data audit.
How Stellia.ai complies with GDPR is detailed in the following chapters.
3. Stellia.ai GDPR Compliance Details
3.1. Purpose of Stellia.ai and relationship to data
Stellia.ai is a virtual learning/knowledge access assistant.
Stellia.ai complements an existing learning service provided to the end user by a service provider, typically an educational institution, training organization or business. Therefore:
- The relationship with the end user belongs exclusively to the service provider, which must cover the impact of Stellia.ai on the collection and processing of personal data in the information it gives to end users (see 3.5, Updating the service provider's General Terms and Conditions of Use).
- To identify the end user from one session to the next, in particular to show them their Q&A history or track their learning progress, Stellia.ai relies on:
  - either its own unique user ID, automatically generated during the user's first session and stored in the user session using a cookie. This identifier is randomly generated and is not associated with any personally identifiable information (PII);
  - or a unique user identifier provided by the service provider via its learning platform (LMS). This identifier can be anonymized with a keyed hash function, which adds a layer of pseudonymization: nobody can identify the end user, even with access to both Stellia.ai and service provider data at the same time, without knowing the hash function and its key;
  - for the knowledge anchoring service, the learner must accept the General Terms of Use and provide an e-mail address in order to receive regular (up to once a day) solicitations to check the memory persistence of recently acquired knowledge/skills.
- To improve and personalize its service to end users, Stellia.ai collects and stores the end user's most important interaction events with its virtual assistant, and may also collect other interaction events from the main service (mainly learning activities) supplied by the service provider through an API.
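As an added example (not Stellia.ai's own code) of the keyed-hash pseudonymization described in the second bullet above, and of the pseudonymized id the service provider later has to supply with a user request (chapter 4), the Python below uses HMAC-SHA256 and contrasts it with an unkeyed hash; the key, user IDs and function names are assumptions.

```python
import hashlib
import hmac

# Constructed example key (an assumption): the service provider keeps this
# secret and does not share it with Stellia.ai, so neither party alone can
# map a pseudonym back to an LMS account.
PROVIDER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def pseudonymize(lms_user_id: str, key: bytes) -> str:
    """Stable, non-reversible pseudonym for an LMS user ID.

    HMAC-SHA256 (a keyed hash) rather than a bare SHA-256: without the key,
    someone holding both Stellia.ai data and the provider's user list cannot
    recompute the mapping.
    """
    return hmac.new(key, lms_user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def plain_hash(lms_user_id: str) -> str:
    """Unkeyed hash, shown for contrast: anyone can recompute it from the ID."""
    return hashlib.sha256(lms_user_id.encode("utf-8")).hexdigest()


def matches(candidate_id: str, pseudonym: str, key: bytes) -> bool:
    """Service-provider side: does this LMS ID correspond to this pseudonym?"""
    return hmac.compare_digest(pseudonymize(candidate_id, key), pseudonym)


def relink_without_key(known_ids, pseudonym: str):
    """Why the key matters: a party holding only the provider's ID list can
    recompute an unkeyed hash for every ID and find the match, but gets
    nothing against a keyed pseudonym it cannot recompute."""
    for uid in known_ids:
        if plain_hash(uid) == pseudonym:
            return uid
    return None


if __name__ == "__main__":
    ids = ["lms-user-41", "lms-user-42", "lms-user-43"]  # constructed sample IDs
    p = pseudonymize("lms-user-42", PROVIDER_KEY)
    print("pseudonym:", p)
    print("unkeyed hash re-linked to:", relink_without_key(ids, plain_hash("lms-user-42")))
    print("keyed pseudonym re-linked to:", relink_without_key(ids, p))
```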
3.2 Data minimization, data collection and purpose
Stellia.ai is committed to the principle of data minimization, i.e. limiting data collection to the minimum needed to provide the service. However, in order to offer the best learning support experience to its end users, Stellia.ai also aims to tailor its services to each user and context and to continuously improve its service; it must therefore collect a wide variety of data about the end user, his/her activity, and his/her interaction with the service and its features.
More specifically, Stellia.ai relies on several artificial intelligence models whose performance increases considerably with the amount of data collected; many features and events provide valuable inputs for optimizing the outputs of these AI models and thus improving the performance of the service delivered to the end user.
Stellia.ai may collect and store the following data:
Stellia.ai does not store personally identifiable information (PII) such as:
- user name, first name, telephone number, password*
- e-mail address, unless the knowledge anchoring service is activated
- user's IP address**, GPS coordinates, precise location or physical address
- User financial or health data
* The end user is authenticated by the service provider integrating Stellia.ai or is not authenticated (when using the Stellia.ai extension).
** The user's IP address is obtained, but only a few digits are stored.
3.3. Data storage
For services in Europe, user data collected by Stellia.ai is stored on cloud storage located in France, or in the European Union, and provided by Amazon Web Services (AWS).
Data storage is limited to a period of 18 months, as recommended by the European Union. Data is regularly backed up, and data older than 18 months is regularly deleted.
3.4. Data security
Stellia.ai devotes significant effort to applying state-of-the-art security principles, including:
- relying on security experts to design a secure architecture and apply standard security principles for SaaS solutions,
- maintaining a technology watch to select the most secure tools and remedy published security flaws in the software components used,
- applying regular software updates to correct security problems,
- raising awareness of and training the Stellia.ai team in security.
When it comes to user data and hosting, as the world leader in cloud hosting, AWS offers a wide range of security services to protect customer services and data.
On the Stellia.ai side, user data can only be accessed or modified by:
- the Stellia.ai interface when used by end users (accessing and updating only some of their own user data)
- Stellia.ai's statistics service to collect and store user activity (data access only)
- and database administrators, in particular to provide specific analyses requested by the service provider.
All of them interact with the data via our APIs and are authenticated via secure authentication services, preventing unauthorized access to and modification of user databases.
In addition, all read and write accesses to user data are logged, enabling investigation in the event of unknown or unwanted access.
3.5. Updating the service provider's General Terms and Conditions of Use
To ensure that each user gives informed consent after being fully and clearly informed of the collection and processing of the data generated by his or her activities, and of his or her rights over such data, the service provider delivering the service to end users must ensure that its General Terms of Use contain the following elements:
- The above-mentioned data are listed as collected data, together with the purpose of their processing.
- Stellia.ai, supplier of the Stellia.ai virtual teaching assistant, is listed as a data processing subcontractor (processor).
- The General Terms of Use (GTU) explain the process by which end users can access, update or delete the data attached to their profile.
- In that case, the service provider using the Stellia.ai service must contact Stellia.ai's Data Protection Officer (Délégué à la Protection des Données, dpo@stellia.ai) to process the end user's request; see chapter 4, GDPR procedures.
4. GDPR procedures
To date, data relating to a user is associated with a pseudonymized id and therefore cannot be linked to an identifiable user. Consequently, in this case, the data is not personal data and the rights provided for by the GDPR regulation are not strictly applicable, but Stellia.ai nevertheless provides for their implementation.
In practical terms, by construction, Stellia.ai is unable to link stored data to an end user who contacts us by e-mail to access their personal data; the service provider must therefore generate the pseudonymized id used for the end user and provide it to Stellia.ai.
The only exception regarding the personal nature of the data is the knowledge anchoring service, for which the e-mail address is collected and the data collected is therefore associated with an identifiable user. In this case, the GDPR procedures described below apply without the need to generate the pseudonymized id.
4.1. General procedure for handling GDPR requests from users
- As Stellia.ai does not own the customer relationship with the end user, all end-user requests must be addressed directly to the service provider, for example via a dedicated online form or a dedicated e-mail address.
- Before responding to a request from an end user, the service provider must:
  - check the validity of the request in accordance with the GDPR regulation (see 1.2, End user rights under the GDPR regulation). As a general rule, an end user can request that his or her user data be corrected, but if the requested modification is manifestly invalid (e.g. age = 150, name = Ano Nymous...), suspicious or malicious, the service provider must collect evidence of the validity of the request before agreeing to process it.
  - verify the identity of the user as registered on its service, for example by sending an e-mail to the end user concerned requesting explicit confirmation that he or she is indeed the originator of the request. As a general rule, the sender address of an e-mail can easily be forged, so receiving an account deletion request from a user's e-mail address does not necessarily mean that it was sent by that user. On the other hand, access to an e-mail sent to the user's address is accepted as proof of the requester's identity (it is almost impossible to guard against the more complex, and fortunately rare, case where an attacker has gained access to the user's mailbox).
  The Stellia.ai team, which has no relationship with the end user and therefore holds none of his or her contact details, is unable to contact the end user directly to carry out any check. It will consider that these two checks have been performed by the service provider and will not carry out checks of its own, except where the request is manifestly invalid or highly suspicious.
- Once the validity of the request and the identity of the requester have been verified, the service provider processes the request on its side and then sends a request to dpo@stellia.ai with:
  - the end-user request;
  - if the knowledge anchoring service is not active, the end user's unique identifier (pseudonym) used with the Stellia.ai service, without any personally identifiable information (PII) such as surname, first name, physical address or e-mail; the service provider must therefore remove such information before forwarding the request to Stellia.ai;
  - if the knowledge anchoring service is active, the end user's e-mail address used with the Stellia.ai service.
- Considering that the validity of the request and the identity of the requester have been duly verified by the service provider, the Stellia.ai database administrators process the end user's request and confirm its processing, or deliver its result, to the service provider, so that it can pass the confirmation or response on to the end user.
4.2. Processing time for GDPR requests from end users
Please note that the recommended processing time for an end-user request is 72 hours. As Stellia.ai cannot guarantee a processing time of less than 2 working days, the service provider should provide the Stellia.ai team with the information required to process the end user's request as soon as possible.
The processing time is due to the time needed to free up an accredited internal resource to respond to the request, and not to the delay in the technical process.
4.3. Processing GDPR requests from end users
As end-user data is stored in SQL databases, the Stellia.ai database administrator can easily handle the key end-user GDPR requests:
- Access request → SQL SELECT query on the user ID
- Rectification request → SQL UPDATE statement on the user ID
- Deletion request / right to be forgotten → SQL DELETE statement on the user ID
For processing restriction or right of objection, at the end user's request, Stellia.ai is able to stop collecting user events from a user and rely only on context to support the end user; this involves disabling any personalization of the Questions / Answers service. However, it also disables the knowledge anchoring and adaptive learning services that rely heavily on user data and personalization.
With regard to informing users about the recipients of user data, Stellia.ai does not currently share data with any third parties. In the event that Stellia.ai is required to share user data with a third party, the service provider will be informed with reasonable advance notice so that it can inform end users about this prior to the implementation of such sharing.
For data portability, at the user's request, Stellia.ai can provide all user data in JSON format, with explicit fields, in order to allow their exploitation by any other service provider.
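As an added example that is not Stellia.ai's own code, the following Python walks through the three SQL operations listed above on a small SQLite database and adds the per-access logging described in 3.4, the JSON export with explicit fields used for portability, and the 18-month retention purge from 3.3; the schema, column names, operator name and sample rows are assumptions.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=548)  # roughly the 18-month limit stated in 3.3

def open_db() -> sqlite3.Connection:
    """In-memory DB with a constructed schema (an assumption, not Stellia.ai's real one)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (pseudonym TEXT PRIMARY KEY, language TEXT, level TEXT);
        CREATE TABLE events (id INTEGER PRIMARY KEY, pseudonym TEXT, kind TEXT, occurred_at TEXT);
        CREATE TABLE access_log (id INTEGER PRIMARY KEY, at TEXT, operator TEXT, op TEXT, pseudonym TEXT);
    """)
    return db

def seed(db) -> None:
    """Constructed sample data, not real user data."""
    db.execute("INSERT INTO users VALUES ('p-001', 'fr', 'B1')")
    db.executemany("INSERT INTO events(pseudonym, kind, occurred_at) VALUES (?, ?, ?)", [
        ("p-001", "question", "2021-05-02T09:00:00+00:00"),  # older than 18 months in Jan 2023
        ("p-001", "question", "2022-12-20T10:30:00+00:00"),
        ("p-002", "quiz", "2022-11-01T08:00:00+00:00")])

def _log(db, operator, op, pseudonym):  # every read and write of user data is recorded (3.4)
    db.execute("INSERT INTO access_log(at, operator, op, pseudonym) VALUES (?, ?, ?, ?)",
               (datetime.now(timezone.utc).isoformat(), operator, op, pseudonym))

def access_request(db, operator: str, pseudonym: str) -> str:
    """Access / portability: SELECT by user ID, returned as JSON with explicit fields."""
    _log(db, operator, "SELECT", pseudonym)
    user = db.execute("SELECT language, level FROM users WHERE pseudonym = ?", (pseudonym,)).fetchone()
    if user is None:
        raise KeyError("unknown pseudonym")
    events = db.execute("SELECT kind, occurred_at FROM events WHERE pseudonym = ? ORDER BY occurred_at",
                        (pseudonym,)).fetchall()
    return json.dumps({"pseudonym": pseudonym, "language": user[0], "level": user[1],
                       "events": [{"kind": k, "occurred_at": t} for k, t in events]})

def rectify_request(db, operator: str, pseudonym: str, field: str, value: str) -> int:
    """Rectification: UPDATE one allow-listed column by user ID (column names cannot be
    bound as SQL parameters, so the allow-list is what guards the f-string)."""
    if field not in ("language", "level"):
        raise ValueError("field is not rectifiable")
    _log(db, operator, "UPDATE", pseudonym)
    return db.execute(f"UPDATE users SET {field} = ? WHERE pseudonym = ?", (value, pseudonym)).rowcount

def erase_request(db, operator: str, pseudonym: str) -> int:
    """Erasure / right to be forgotten: DELETE events and profile by user ID."""
    _log(db, operator, "DELETE", pseudonym)
    n = db.execute("DELETE FROM events WHERE pseudonym = ?", (pseudonym,)).rowcount
    return n + db.execute("DELETE FROM users WHERE pseudonym = ?", (pseudonym,)).rowcount

def purge_expired(db, now: datetime) -> int:
    """Storage limitation: drop events older than the retention period."""
    cutoff = (now - RETENTION).isoformat()
    return db.execute("DELETE FROM events WHERE occurred_at < ?", (cutoff,)).rowcount

def run_scenario() -> dict:
    """Walk through access, rectification, retention purge and erasure on the sample data."""
    db = open_db()
    seed(db)
    before = json.loads(access_request(db, "dba", "p-001"))
    updated = rectify_request(db, "dba", "p-001", "level", "B2")
    purged = purge_expired(db, datetime(2023, 1, 15, tzinfo=timezone.utc))
    after = json.loads(access_request(db, "dba", "p-001"))
    erased = erase_request(db, "dba", "p-001")
    ops = [r[0] for r in db.execute("SELECT op FROM access_log WHERE pseudonym = 'p-001' ORDER BY id")]
    return {"events_before": len(before["events"]), "updated": updated, "purged": purged,
            "level_after": after["level"], "events_after": len(after["events"]), "erased": erased, "audit_ops": ops}
```

The access log keeps a row for each of the four operations on p-001, which is what makes a later investigation of unexpected reads possible.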
The rights relating to automated decision making and profiling do not apply to Stellia.ai's processing, as Stellia.ai's data processing is solely intended to assist the end user and is not intended to have any legal or financial or health effect on the user.
4.4 Information for users following a security breach
Whatever efforts are made to maximize data security, no organization can claim to be immune to security breaches and unauthorized access to its data. There are many examples of security flaws being exploited in highly security-sensitive organizations (public services, intelligence services, finance...), and some hackers are state-sponsored and have access to zero-day vulnerabilities, unknown to most security experts.
In addition to Stellia.ai's ongoing efforts to implement the highest security standards for its business, a specific procedure has been designed to organize detection, management and communication in the event that a security breach is exploited.
4.4.1. Detecting a security flaw
All accesses and operations on user data are logged:
- Stellia.ai regularly checks the volume of these transactions by transaction type and the ratios between the volumes of these transaction types to identify abnormal volumes or ratios and investigate whether these can be explained by service transactions or are suspicious.
- It is planned to continually reinforce automatic alerts over the coming months, based on Stellia.ai's experience of normal and abnormal levels, to ensure that only relevant alerts are triggered.
- In addition, Stellia.ai regularly analyzes sample logs to check consistency or identify any anomalies.
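As an added example that is not Stellia.ai's own tooling, the Python below implements the volume-and-ratio check from the first bullet over constructed access-log lines, flagging hours whose transaction volume or write-to-read ratio departs from the median hour; the log line format, thresholds and sample values are assumptions.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Assumed log line format (constructed, not Stellia.ai's real format).
LINE = re.compile(r"^(?P<ts>\S+) op=(?P<op>[A-Z]+) operator=(?P<who>\S+) pseudonym=(?P<pseud>\S+)$")

def parse(lines):
    """Yield (hour bucket, operation type) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m["ts"][:13], m["op"]   # "YYYY-MM-DDTHH" bucket

def hourly_counts(lines):
    """Volume per hour and per transaction type."""
    buckets = defaultdict(Counter)
    for hour, op in parse(lines):
        buckets[hour][op] += 1
    return buckets

def find_anomalies(lines, volume_factor=3.0, max_write_ratio=0.5):
    """Flag hours whose total volume exceeds volume_factor x the median hour, and
    hours where writes (UPDATE+DELETE) are unusually high relative to reads."""
    buckets = hourly_counts(lines)
    if not buckets:
        return []
    totals = {h: sum(c.values()) for h, c in buckets.items()}
    baseline = median(totals.values())
    findings = []
    for hour in sorted(buckets):
        reads = buckets[hour]["SELECT"]
        writes = buckets[hour]["UPDATE"] + buckets[hour]["DELETE"]
        if totals[hour] > volume_factor * baseline:
            findings.append((hour, "volume", totals[hour]))
        if (reads and writes / reads > max_write_ratio) or (writes and not reads):
            findings.append((hour, "write_ratio", writes))
    return findings

def constructed_log():
    """Constructed sample: four ordinary hours, one bulk-read hour, one hour
    where deletes outnumber reads, plus one malformed line that is skipped."""
    plan = {
        "2023-01-10T09": {"SELECT": 6, "UPDATE": 1},
        "2023-01-10T10": {"SELECT": 5, "UPDATE": 1},
        "2023-01-10T11": {"SELECT": 7, "UPDATE": 2},
        "2023-01-10T12": {"SELECT": 6, "UPDATE": 1},
        "2023-01-10T13": {"SELECT": 40},              # volume spike
        "2023-01-10T14": {"SELECT": 2, "DELETE": 3},  # write-ratio anomaly
    }
    lines = ["not a log line"]
    for hour, ops in plan.items():
        for op, n in ops.items():
            lines += [f"{hour}:{i:02d}:00Z op={op} operator=api pseudonym=p-{i:03d}" for i in range(n)]
    return lines

if __name__ == "__main__":
    for hour, kind, value in find_anomalies(constructed_log()):
        print(f"{hour}: {kind} anomaly ({value})")
```

Whether a flagged hour is a legitimate service transaction (for example a provider-requested analysis) or suspicious is still the manual judgement the bullet above describes; the script only narrows where to look.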
What's more, by keeping a close watch on technological and security developments, Stellia.ai is quickly informed of the discovery of new vulnerabilities in the tools it uses, whether such vulnerabilities have already been exploited, and how to detect them. Naturally, Stellia.ai undertakes to update the tools it uses as quickly as possible, particularly in the event of a vulnerability discovery and the availability of a patch.
4.4.2. Security breach management: investigation, containment, correction
In the event of the discovery of a security vulnerability affecting Stellia.ai systems, the response must be handled in an orderly fashion:
- To stop the security breach, ideally, as much information as possible about the breach should be collected quickly to better understand the vulnerability, its exact scope and impact, and to identify means of resolution.
- To improve analysis, more detailed logs can be quickly activated and additional monitoring tools deployed.
- Then, as quickly as possible, often before the flaw is fully understood, major efforts must be made to stop the security breach, sometimes first by temporary or emergency measures when the definitive solution is not yet fully defined or would take a long time to deploy.
- Sometimes, too, the quickest solution to deploy only partially limits the security flaw and its impact.
- However, despite the urgency, particular attention will be paid to analyzing the various possible solutions to avoid introducing additional vulnerabilities.
- Depending on the security flaw and its analysis, various solutions can be considered, including urgent deployment of an available security patch, resetting all credentials for system access, or blocking all incoming connections beyond a trusted network.
- In the worst case, this can lead to the deactivation of certain functionalities or even the temporary unavailability of the service for the end-user.
- When the security flaw has been blocked by temporary means, or at least considerably limited, the team has more time to design, build and deploy a definitive solution.
- In parallel with this first stage, the investigation continues:
  - to better understand whether the security flaw has been fully corrected
  - to better understand the impact and scope of the security breach: what data and systems have been accessed, and in particular whether the breach led "only" to access or also to modification/alteration of data
  - to attempt to gather information on the perpetrator of the security breach (when the attack is sophisticated, this attempt may be futile, but sometimes results come quickly)
- Finally, in the event that data has been modified, Stellia.ai can restore data from backups, as AWS hosting regularly backs up data.
- To conclude, internal security tests and an external security audit can be carried out to ensure that such a security flaw cannot occur again and that its correction has not introduced an additional vulnerability.
- A "post-mortem" analysis, ideally carried out with the assistance of an IT security expert, is performed to prevent any repetition of such a breach and to improve security procedures.
4.4.3. Communication in the event of a security breach
The GDPR regulation requires organizations that collect user data to urgently communicate to end users any security breach and its impact on user data.
As Stellia.ai does not own the end-user relationship, Stellia.ai only communicates with the service provider that owns the end-user relationship and relies on the service provider to ensure communication with end-users.
In the event that Stellia.ai detects a security flaw, it will communicate all available information to the service provider within a maximum of 4 hours after the discovery of the security flaw, ideally with the following details:
- Security breach event information:
  - Period of the security breach
  - Users impacted or potentially impacted
  - Data exposed
  - Impacts on user data (access or modification) and on users (impacts on service operation; impacts of the exposed data being used outside the service, for instance exposure of an e-mail address lets attackers add the user to spam/phishing recipient lists and attempt to access other services using the recovered e-mail address and weak passwords)
- Any corrective or preventive measures to be taken by the end user
- Any corrective or preventive measures to be applied by the service provider
- Stellia.ai's efforts to correct, mitigate and investigate the security flaw
Stellia.ai will maintain daily communication with the service provider to share any new information until a definitive fix has been deployed and all information on the security flaw has been collected and analysis has been concluded.