Zivver data access, retention, and deletion
Introduction
In privacy laws, such as the GDPR, access control and data retention are important requirements. Typically, personal data cannot be processed or shared without a reason. Zivver helps organizations comply with the GDPR requirements for data access and deletion, as well as with country-specific regulations. Examples include the UK NCSC and the Dutch NTA 7516.
Retention is relevant for both the content of messages and the audit trails generated within Zivver. This article first explains the standard retention period for audit trails and then details the granular options for configuring message content retention.
Retention of audit trails
The audit trails in the audit and communication log of the administrator panel are retained for six years. This aligns with international standards such as HIPAA. Any event in these logs is deleted six years after it was originally created, and can no longer be viewed in the administrator panel. This retention period is not configurable and applies to all Zivver customers. Please contact your Customer Success Manager if you have binding legal obligations to retain logs for longer than six years.
Data access control options
In Zivver, there are functions that affect data access by stakeholders. Some of these functions are available to senders, while others are available to organization admins. Message senders control who can access the data and for how long. In addition, there are organizational controls that can affect both data access and retention.
Each of these functions has consequences for:
- User access to data.
- Admin access to data.
- Data storage by Zivver.
Function types
Access control measures
Measures that ensure accounts cannot access data. These measures apply to users for whom access to the data is not necessary or desirable. For a large majority of GDPR-related operations, this type of measure is relevant. If access is revoked for all recipients, Zivver automatically triggers a data deletion measure.
Data deletion measures
Measures that ensure data becomes inaccessible. These measures affect all stakeholders: recipients with whom the data was shared can no longer access it in Zivver once the measure is applied. The message becomes inaccessible because Zivver discards the encryption key. Metadata, including the subject and recipients, remains accessible. These measures are only suitable for specific situations — for example, when sensitive information is accidentally shared with the wrong person.
Access control options for senders
In Zivver client software, senders of messages and files have the following options to manage data access and retention:
Set expiration period
Senders of a secure message can set an expiration period and choose what happens when that period ends. There are two options:
- Only recipients lose access — this is an access control measure.
- Everyone, including the sender, loses access — this is a data deletion measure.
With the first option, senders can also ‘unrevoke’ access for recipients. With the second option, this is not possible because the message becomes permanently inaccessible — the decryption keys are discarded, so the message remains encrypted. This feature enables compliance with the organization’s data retention policy. Users can set the expiration period directly from their Zivver-enabled client.
Direct access revocation
For every sent message, senders can immediately revoke access. This feature is useful when a mistake is made — for example, if the sender entered the wrong email address.
The sender can choose between:
- Only recipients lose access — this is an access control measure.
- Everyone, including the sender, loses access — this is a data deletion measure.
With the first option, senders can ‘unrevoke’ access for recipients. With the second option, this is not possible because the message becomes inaccessible. With this feature, Zivver deliberately does not allow revocation for individual recipients, only for the entire message. This design prevents mistakes in high-pressure situations. Users who want to revoke access for a specific recipient can use the Remove a participant option instead. Access can be revoked directly from the Zivver client.
For more information on direct access revocation for administrators, refer to Message revocation in the Zivver WebApp administrator manual.
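To make the distinction between the two measure types concrete (see "Function types", "Set expiration period" and "Direct access revocation" above), here is an added example in Python. It is not Zivver's code and does not describe Zivver's internal design: it is a toy model in which each message is encrypted once under a random content key, and that key is wrapped separately for every participant. Dropping the recipients' wrapped copies is the access control measure (reversible with `unrevoke` as long as the sender's copy still exists); discarding every copy is the data deletion measure (subject and recipients stay readable, the content does not). `hard_delete` additionally empties the stored content, mirroring the "What happens when data is deleted" section. The keyed-hash keystream cipher, the `USER_KEYS` table, the function names and the epoch-second expiry values are all assumptions made for this illustration.

```python
# Added illustration (not Zivver's code): a toy model of the two measure types.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


# Toy keystream cipher built from keyed BLAKE2b so the example needs only the
# standard library. It stands in for the AEAD a real system would use and is
# NOT a production cipher.
def _keystream(key: bytes, length: int, label: bytes) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.blake2b(counter.to_bytes(8, "big"), key=key, person=label).digest()
        counter += 1
    return out[:length]


def _xor(key: bytes, data: bytes, label: bytes) -> bytes:
    # XOR with the keystream; applying it twice with the same key restores the data.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data), label)))


# Constructed: each user's long-term key, kept here only for the demo.
USER_KEYS: Dict[str, bytes] = {}


def register(user: str) -> None:
    USER_KEYS[user] = secrets.token_bytes(32)


@dataclass
class Message:
    subject: str                       # metadata: survives every measure
    sender: str
    recipients: List[str]              # metadata: survives every measure
    ciphertext: bytes                  # stored once, under a per-message content key
    wrapped_keys: Dict[str, bytes]     # participant -> content key wrapped under their key
    expires_at: Optional[int] = None   # constructed: seconds since epoch, None = never
    expiry_mode: str = "recipients"    # "recipients" (access control) or "everyone" (data deletion)


def send(sender: str, recipients: List[str], subject: str, plaintext: bytes,
         expires_at: Optional[int] = None, expiry_mode: str = "recipients") -> Message:
    content_key = secrets.token_bytes(32)
    ciphertext = _xor(content_key, plaintext, b"content")
    wrapped = {u: _xor(USER_KEYS[u], content_key, b"wrap") for u in [sender, *recipients]}
    return Message(subject, sender, list(recipients), ciphertext, wrapped, expires_at, expiry_mode)


def read(msg: Message, user: str) -> Optional[bytes]:
    """Decrypt for `user`, or return None when no wrapped key exists for them."""
    wrapped = msg.wrapped_keys.get(user)
    if wrapped is None:
        return None
    content_key = _xor(USER_KEYS[user], wrapped, b"wrap")
    return _xor(content_key, msg.ciphertext, b"content")


def revoke_recipients(msg: Message) -> None:
    """Access control measure: drop every wrapped key except the sender's."""
    for user in list(msg.wrapped_keys):
        if user != msg.sender:
            del msg.wrapped_keys[user]


def unrevoke(msg: Message) -> bool:
    """Re-wrap the content key for the recipients; only possible while the sender's copy exists."""
    wrapped = msg.wrapped_keys.get(msg.sender)
    if wrapped is None:
        return False
    content_key = _xor(USER_KEYS[msg.sender], wrapped, b"wrap")
    for user in msg.recipients:
        msg.wrapped_keys[user] = _xor(USER_KEYS[user], content_key, b"wrap")
    return True


def revoke_everyone(msg: Message) -> None:
    """Data deletion measure: discard every wrapped copy of the content key.
    Ciphertext and metadata stay, but nobody (sender included) can decrypt."""
    msg.wrapped_keys.clear()


def apply_expiry(msg: Message, now: int) -> None:
    """Apply the measure the sender chose once the expiration period has ended."""
    if msg.expires_at is None or now < msg.expires_at:
        return
    if msg.expiry_mode == "everyone":
        revoke_everyone(msg)
    else:
        revoke_recipients(msg)


def hard_delete(msg: Message) -> None:
    """Hard delete: keys and content replaced by empty objects; metadata remains."""
    msg.wrapped_keys.clear()
    msg.ciphertext = b""


if __name__ == "__main__":
    register("alice")
    register("bob")
    m = send("alice", ["bob"], "Lab results", b"constructed patient data", expires_at=100)
    apply_expiry(m, now=100)
    print(read(m, "bob"), read(m, "alice"))  # None b'constructed patient data'
```

The point of the model is that both measures leave the stored ciphertext and the metadata untouched; the difference is only whose wrapped copy of the content key survives. That is why "only recipients lose access" can be undone and "everyone loses access" cannot, and why the subject and recipient list are still visible after either.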
Remove a participant
When users send a message in Zivver, they start a conversation with the addressed recipients, called participants. The owner of the conversation — the initial sender — can remove individual participants from the conversation. This is an access control measure. However, this is only possible if that participant has not replied to the initial conversation. If users need to block access after a reply, they must use Direct Access Revocation.
Delete conversation
Users can also delete a conversation. This removes them as a participant from the conversation. This is an access control measure. Other participants still retain access to the conversation.
Access control options for admins
In addition to user controls, admins have the following options to manage data access and retention:
Set default expiration period
Admins can set a default expiration period for messages sent by users. This period applies to all messages unless a user manually overrides it. As with the user-level setting, the admin can configure the expiration in two ways:
- Only recipients lose access — this is an access control measure.
- Everyone, including the sender, loses access — this is a data deletion measure.
See Message revocation for instructions on how to set the default expiration period.
Perform user actions via impersonation
In Zivver, admins can grant specific users — including themselves — access to other users’ accounts. The delegated user has access to all the user-level controls described earlier.
This feature is useful to revoke access to a message on behalf of a user, for example, if the user cannot do it themselves or in case of malicious sharing of sensitive information.
Disable a user account
Admins can disable any user account, either manually or via synchronization with a directory service such as Active Directory (using SCIM 2).
Disabling an account blocks the user from logging in, but it does not affect data access for other participants. This is an access control measure.
Delete a user account
Admins can also delete user accounts. This removes the user from all conversations in which they participated. This is an access control measure.
Delete the organization
This option deletes all user accounts and their associated data from Zivver. This is an access control measure.
Overview of data access and data retention measures in Zivver
User actions
| Action | Type |
| --- | --- |
| Set expiration period – disable access for recipients | Access control measure |
| Set expiration period – disable access for everyone | Data deletion measure |
| Direct access revocation – disable access for recipients | Access control measure |
| Direct access revocation – disable access for everyone | Data deletion measure |
| Remove a participant | Access control measure |
| Delete a conversation | Access control measure |
Admin actions
| Action | Type |
| --- | --- |
| Set default expiration period – disable access for recipients | Access control measure |
| Set default expiration period – disable access for everyone | Data deletion measure |
| Disable a user account | Access control measure |
| Delete a user account | Access control measure |
| Delete the organization | Access control measure |
What happens when data is deleted
With hard delete, the messages and files of the user(s) are physically deleted. Specifically, this operation removes the following artifacts from the Zivver system:
- All encryption and decryption keys.
- The messages and all associated files.
Hard delete overwrites these objects with empty objects. This ensures that no information remains on the low-level hardware.