Data Security in On-Premise FotoWare Installations

Under GDPR, software vendors are required to clearly identify the data they store for customers, how that data is being secured, and the purpose for storing that data.

However, as FotoWare has long been supplying software for installation on the customers’ own servers – a.k.a. on-premise installation – we don’t process the data on those servers in the same way that we do in our cloud services, where we’re responsible for maintaining and securing the entire server infrastructure.

This document aims to clarify the following:

  • What measures FotoWare takes to ensure the security of software delivered for on-prem installation
  • What data security responsibilities rest on the customer with regard to securing the infrastructure surrounding their FotoWare installation
  • What data FotoWare can and cannot access in an on-prem installation
  • How FotoWare handles support requests from customers running FotoWare on-premises

Security reviews and penetration testing

FotoWare is committed to performing regular security reviews of our software. Additionally, independent penetration tests are regularly executed by third party companies on behalf of customers in their own environment. Although we can never guarantee that our software is free of vulnerabilities, any vulnerabilities found are immediately addressed and fixed with the highest priority. Unauthorized access, data inconsistency and privacy violation are all considered security vulnerabilities and will be addressed.
 
FotoWare provides general guidelines on how to secure and protect the installation of our software through our documentation. However, we cannot guarantee the security of surrounding infrastructure managed by the customer, including networks, operating systems and web server configurations. We therefore recommend that our customers who run on-premise installations of FotoWare software perform internal security reviews of their installations. Although we always do our best to ensure our software protects the customer, their users and their data, the customer must be aware that exposing any data on the internet always has a risk, and security should always be considered with a holistic approach.

What FotoWare cannot access

In on-premise FotoWare installations, FotoWare cannot access the workflow configuration, user database, actual use or usage patterns, or the content that is stored in such systems.

The FotoWare system does have built-in tracking at the function level, which is completely anonymized (we cannot say which customer or individual user accesses data, what data there’s talk about or where it originates). This information is used solely to determine which program functions are regularly used and which are less frequently used, to allow us to improve our products and plan future development. This sort of anonymized tracking is what most software vendors in the industry use.

What information FotoWare has about customers

The information FotoWare stores about a customer installation is limited to contact information and email to the person(s) that are tied to the account you have with FotoWare. This information is used to get in touch with you through newsletters (consent required) when we release updated versions of the software, notification of service contract renewals and other information tied to the customer relationship you hold with FotoWare.
It’s possible to opt out from such newsletters at any time through a simple “unsubscribe” request in our emails.

Access to customer data at FotoWare is limited internally to those employees who need it to do their work (such as license management and fulfillment, customer support).

Should you want to know who’s listed as contact persons on your account with FotoWare, we can look this up and amend the information as required. Each customer account has a primary contact person who can make such requests. FotoWare has several mechanisms in place to verify the veracity of such a request for access.

Personal data in the case of support requests

On registering a support case, a customer with an on-premise installation will primarily get in touch with their local FotoWare partner. What information a partner has about a customer, must be cleared with the partner in question.

Depending on the severity of a case, a partner can escalate a support request to FotoWare. The partner will submit a support ticket in FotoWare’s support system (ZenDesk, GDPR compliance certified), and we may receive a copy of prior email correspondence to learn more about the issue at hand. The information we receive will not be used for other purposes after the case has been solved.

In some cases, FotoWare may request remote access to the customer installation if this is at all possible. High-security installations, such as emergency services and military typically don’t allow this. Should such a connection be set up, it will be at the customer’s discretion and monitored by a customer representative for the duration of the session. Login information for such sessions is not stored anywhere in our support systems.

You can always contact us concerning questions pertaining to data security and how best to secure an on-premise installation. Such requests can be directed to support(at)fotoware.com or privacy(at)fotoware.com