gdpr compliance / proxycheck.io

What is the GDPR?

The GDPR or General Data Protection Regulation is a new regulation within the European Union which protects the personal information of those living within the EU with regards to how their information is stored, accessed, processed and moved online. Specifically it lays out a set of mandatory guidelines that we have to follow to maintain the privacy of your customers when you send their personal information to us for processing.

As a Proxy and VPN detection company, we need to have the IP Addresses of your visitors sent to us so that we can compare them to IP Addresses in our database and process them through our real-time and non-real-time inference engine.

Because of this, for a short period we hold IP information on your visitors. The GDPR considers IP Addresses to be personal information, as they can be correlated through your customers' internet service provider's billing system with a date and time stamp to identify who had an IP Address at a specified time.

If I don't live in Europe am I still protected by your GDPR compliance?

Yes, you are still protected by our GDPR compliance. We protect all our customer data the same way regardless of where you visit us from, and we extend the same rights for data portability and deletion to all customers. We strongly believe everyone should have the highest possible measure of privacy and control over their data.

What kind of information audits have you conducted?

We have gone over all of our information processes and concluded that we are using best practices for data storage and processing. We make good use of encryption for the little data we do collect and store; we only collect the bare minimum of personal information to make our business viable; and we know our limitations and plan for them accordingly. Below are some examples of what we do for our own customers.

  • All webpages on our website are delivered through TLS encryption with a valid certificate.
  • We only require an email address to signup which can be changed at any time.
  • We encrypt all customer passwords at creation time; at no point do we ever store passwords without encryption.
  • We limit our exposure to customer banking details by having Stripe handle it through a secure payment window on our website.
  • When customers make payments we store only Stripe tokens on our servers to maintain our knowledge of successful transactions.
  • All communication between our server nodes within our cluster is encrypted with a pre-shared key known only to us.

In addition to the above we also have a specified process for how we handle the IP Addresses sent to us for processing by our customers. We have detailed that below also.

  • Only positive detections (meaning publicly accessible Proxies and VPN servers) are stored long term in logs and databases.
  • Negative detections (meaning not a Proxy or VPN) are only stored for a maximum of one hour and are not logged.
  • We use differential privacy when collecting data from 3rd parties to guarantee they cannot glean information about our customers' data.

What personal information do you store about me?

The only information we hold about registered customers is the following:

  • Your current email Address
  • Your email message preferences within your dashboard
  • Your current password (encrypted, the actual password itself is not retrievable by us)
  • All the positive Proxy/VPN detections you made with our API
  • Any currently whitelisted or blacklisted IPs / Ranges / ASNs within your dashboard
  • Statistics showing how many queries you made over the past 30 days
  • The querying IP Address you used with our API (we only store the most recent IP and only for 24 hours).

If you're a paying subscriber we also have information about you stored with Stripe. Below is a list of that information.

  • Your current email Address
  • The origin country of your payment information (as determined by Stripe)
  • The amount you have been billed and the date of the billing
  • Your full payment information (this is only accessible to Stripe)
  • Your payment card brand (Mastercard, Visa etc, this is accessible to both us and Stripe)
  • The last four digits of your bank card (accessible to both us and Stripe)
  • The expiry date of your bank card (accessible to both us and Stripe)

Can I request my data be erased?

We fully support the data ownership rights of our customers. If you wish to have every piece of information we have about you erased from our system we are happy to do that for you within 1 business day of the request.

With regards to the GDPR data portability requirements, can I export my data?

We have made your query statistics, positive detections, whitelists and blacklists exportable through a JSON API so that you can take a copy of your data to use with another data processing company at your convenience.

How seriously do you take personal information security?

We take all information security very seriously. Every single one of our features has been designed with security in mind from the first moment. We encrypt all customer passwords, we limit how much personal information we hold and we make a conscious effort to keep all our software up to date.

When exchanging any data between the server nodes in our cluster we use strong encryption with a pre-shared key known only to us. Our checking API that receives IP data from customers also offers a TLS encrypted endpoint which customers are encouraged to use.

We know how important security is. It is, after all, what our entire company is built around: helping you to keep your own web properties safe.

The GDPR requires that you obtain prior written authorisation from the data-controller (i.e. customers of proxycheck.io) before you use a sub-processor for their data. Do you adhere to this stipulation?

This responsibility means that when you send IP Addresses to us for processing, we cannot then send those IP Addresses to another entity to process on our behalf without written approval from the original IP Address provider (meaning you).

We comply with this stipulation by making very large and broad requests of our partners' data. In effect, we're implementing a type of differential privacy where our data sources are not aware of our customer data or whether the data we're requesting from them aligns with requests from our customers.

This means we do all data comparisons between our customers' IP Address data and third party broad datasets on our own servers, so that we do not hand your IP Addresses over to third parties.

How will you notify me of a data information breach?

Under the GDPR we're required to deliver a notice to our customers within 72 hours of us becoming aware of a data breach. We believe we can deliver such a notice within 24 hours and that is our current internal policy. All notices would be delivered by email directly to our customers. As of December 2018 we have had no data breaches of any kind.

Do you have data protection officers?

Under the GDPR companies whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of sensitive personal data must have an appointed Data Protection Officer.

Because our business does not conduct large scale monitoring of data subjects and only holds one piece of non-sensitive personal information (IP Addresses) for a period of up to only one hour, we are not obligated to have a Data Protection Officer.

While IP Addresses under the GDPR are considered personal information, they are not considered sensitive personal information, which consists of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sexual activity, sexual orientation and criminal history, all of which is data we do not collect from our customers.

In real terms the information we hold expires extremely quickly and by itself cannot be used to identify any individual. We are not an individual tracking company and so it is not in our business interest to build profiles of our customers or the subjects of the IP Addresses our customers send us to check.

How long will this compliance remain?

We intend to remain compliant forever. Even before we became aware of the GDPR all of the practices outlined in this document were already in place. We are happy to be in full compliance with the GDPR and welcome it as a standard baseline of data security that all companies should meet.

Every few months we read about data breaches in the news and misuse of people's personal information for marketing, tracking and other nefarious uses. We are proud to have a very lean approach to information collection by only requiring the bare minimum to accomplish the goals our product sets out to meet.

What do I need to do as a data-controller when I use proxycheck.io?

Before you send IP Addresses to us for processing, you should make your customers aware in plain English that their IP Addresses will be sent for processing to a third party to check that they're not operating a Proxy or VPN Server from the IP Address they're accessing your service from.

As a data-controller you have the responsibility to take care of your customers' information, and although we're a compliant data-processor, you must make it clear to your customers that their data is leaving your organisation to be processed on your behalf by another organisation. You're free to make clear to your customers that proxycheck.io is your data processing partner.

To make sure you're compliant with the GDPR please read the official GDPR website here.


Last Update: 24th of April 2018
24th of April 2018
A new section was added explaining how we apply our GDPR compliance worldwide and we also cleaned up some wording within the document that doesn't change any meaning of the text but makes it clearer/easier to understand.
16th of February 2018
First draft of our GDPR Compliance document.