Privacy/Records of processing activities

From Nasqueron Agora

These records of processing activities document the procedures by which personal data / personal identity information are processed.

It includes significant information about data processing, including data categories, the group of data subjects, the purpose of the processing and the data recipients.

By transparency, these records are made public.

Privacy actors

The responsable du traitement des données / data controller is the Nasqueron privacy SIG, the entity inside Nasqueron with the mission to organize procedures related to privacy regulations.

Categories

P-001. Operations PII

  • Category
    • Category number: P-001
    • Category name: Operations PII
  • Processing
    • Processing entity: Nasqueron Operations SIG
  • Data collected
    • Who are concerned? Members of the Nasqueron Operations SIG (inside use)
    • Personal data type: IP, e-mail, phone number
    • Datasource: given by the person concerned
    • Goals: internal contact, technical restriction based on this data, contact points for infrastructure incidents
    • How long data is kept? as long as the person belongs to Nasqueron Operations SIG, and then, as long there is a legitimate interest to keep the data
  • Security:
    • ACL. Only Nasqueron Operations SIG members can view, edit, audit the data
    • Storage.
      • Vault. Data is stored in Vault in an encrypted fashion, to be deployed to servers. Some data like IP addresses may be published in clear text in configuration files, but those can only be accessed by Nasqueron Operations SIG members, with a protection by SSH keys.
      • Private Git repository. Some data may be maintained as a Git repository, but this repository is put in the "Nasqueron Operations private" space on DevCentral and NOT replicated to third-party services; the Git repository is stored on a server only reachable by Nasqueron Operations SIG members.
      • Encrypted backup. The data may be backed up, but only in encrypted form, with keys not leaving our infrastructure premises.
    • Transfers of data. Data is kept in servers located in the European Economic Area (EEA).
  • Policy: Privacy/Operations PII

P-002. Web applications

  • Category
    • Category number: P-002
    • Category name: Web applications
  • Processing
    • Processing entity: Nasqueron Operations SIG
  • Data collected
    • Who are concerned? People who create an account on a web application hosted on the Nasqueron PaaS, for example devcentral.nasqueron.org (Phabricator), agora.nasqueron.org (MediaWiki)
    • Personal data type: IP, e-mail
    • Datasource: given by the person concerned
    • Goals: account management
    • How long data is kept? as long as the person wishes to keep the account on that service, and then, as long there is a legitimate interest to keep the data
  • Security:
    • ACL. Only Nasqueron Operations SIG members can access the data, and only for technical purposes.
    • Storage.
      • Database. Data is stored in databases, deployed on servers. Database access is restricted to (1) the application using this data (2) the authentication grove application, if a shared account is used (3) members of the Nasqueron Operations SIG for technical purpose. The application access is protected by credentials like password ; in addition, on the Docker PaaS, the database isn't directly exposed on the public InterNet but has a private IP address. Members of the Nasqueron Operations SIG, in their quality of system administrator, connect to the database through a server with audited SSH keys.
      • Encrypted backup. The data may be backed up, but only in encrypted form, with keys not leaving our infrastructure premises.
    • Transfers of data. Data is kept in servers located in the European Economic Area (EEA).
  • Policy: Privacy/General privacy policy