Zivver data access, retention, and deletion

Introduction

Privacy laws such as the GDPR make access control and data retention important requirements: personal data may typically not be processed or shared without a legitimate reason. Zivver helps organizations comply with the GDPR requirements for data access and deletion, and with country-specific regulations and guidance, for example UK NCSC guidance and the Dutch NTA 7516.

In the Zivver platform, senders control who can access the data they send and for how long. In addition, organizational controls exist that can affect data access and retention.

What are the consequences?

  • For access to data by users.
  • For access to data by admins.
  • For storage of data by Zivver.

Data access control options

In Zivver, several functions determine which stakeholders can access data. Some of these functions are available to senders, others to admins of the organization.

Function types

Access control measures
Measures that make sure that specific accounts can no longer access the data. They apply to users for whom access to the data is not necessary or desirable, and they cover the large majority of GDPR-related operations. The data itself stays in Zivver, so access can be restored later. If access is revoked for every participant of a conversation, Zivver automatically triggers a data deletion measure.

Data deletion measures
Measures that make sure that data is physically deleted. These measures affect every stakeholder: after the measure, neither the recipients with whom the data was shared nor the sender can access the data in Zivver. They are intended for specific situations only, for example when sensitive information was accidentally shared with the wrong person.

Access control options for senders

In Zivver client software, senders of messages and files have these options to modify data access and retention:

Set expiration period
Senders of a secure message can set an expiration period. The sender chooses what happens when the expiration period ends:

  • Only recipients lose access. This is an access control measure.
  • Everyone including the sender loses access. This is a data deletion measure.

With the first option, senders can later restore (‘unrevoke’) access for recipients. With the second option this is not possible, because the message is deleted. This feature lets users comply with the data retention policy of their organization. Users set the expiration period directly from their Zivver-enabled client.

Direct access revocation
For every sent message, senders of a secure message can immediately revoke access to that message. This is useful when the sender makes a mistake, for example entering a wrong email address.

The sender has these alternatives:

  • Only recipients lose access. This is an access control measure.
  • Everyone including the sender loses access. This is a data deletion measure.

With the first option, senders can also ‘unrevoke’ access for recipients. With the second option this is not possible, because the message is deleted. For this feature, Zivver deliberately does not let users revoke access for a single recipient: users can only revoke access to the message as a whole. The reason is that in a stressful situation users may select the wrong recipient. To remove a specific recipient from a conversation, users have a separate option, Remove a participant. Users revoke access directly from their Zivver client.

For more information on direct access revocation by administrators, refer to Message revocation.

Remove a participant
When a user sends a message in Zivver, they start a conversation with the addressed recipients, the participants. The owner of the conversation, the sender of the initial message, can remove individual participants from it. This is an access control measure. It is only possible if that participant has not yet replied in the conversation. If users must block access in that scenario, they use direct access revocation instead.

Delete conversation
Users can also delete a conversation. They then remove themselves as a participant from the conversation. This is an access control measure: the other participants can still read and access the conversation. Only when no participant at all retains access does Zivver automatically trigger a data deletion measure (see the note under Delete a user account).

Access control options for admins

In addition to the user controls, admins have these options.

Set default expiration period
Admins can set the default expiration period for user messages. It applies to every message sent, unless a user overrides it. As with the user option, an admin can configure that only recipients lose access (an access control measure), or that the sender also loses access from that point onwards (a data deletion measure).

Do user actions via ‘impersonation’
In Zivver, admins can grant specific users, including themselves, access to other users’ accounts. The delegated user has access to all of the user options described above.

Admins can use this feature to revoke access to a message on behalf of a user. This is useful if the user cannot correct the mistake themselves, or in case of malicious sharing of sensitive information.

Disable a user account
Admins can disable any user account, either manually or via synchronization with a directory service such as Active Directory (using SCIM 2).

When an account is disabled, that user can no longer log in, but nothing changes at the data level: the user's messages and conversations are kept as they are. This is an access control measure.

Delete a user account
An admin can also delete a user account. The user is then removed from all conversations in which they participated. This is an access control measure.

Note: Zivver automatically triggers a data deletion measure if all users lose access to a specific conversation. Deleting a user account does NOT automatically delete the messages that the user sent: as long as another participant still has access, the conversation and its messages remain.

Delete the organization
This option deletes all the user accounts and their underlying data from Zivver. Formally this is an access control measure: every account loses access. Because no participant remains in any conversation, it also triggers the automatic data deletion measure for all of the organization's conversations.

Overview of data access and data retention measures in Zivver

User actions                                                   Type
Set expiration period - Disable access by recipients           Access control measure
Set expiration period - Disable access by everyone             Data deletion measure
Direct access revocation - Disable access by recipients        Access control measure
Direct access revocation - Disable access by everyone          Data deletion measure
Remove a participant                                           Access control measure
Delete a conversation                                          Access control measure

Admin actions                                                  Type
Set default expiration period - Disable access by recipients   Access control measure
Set default expiration period - Disable access by everyone     Data deletion measure
Disable a user account                                         Access control measure
Delete a user account                                          Access control measure
Delete an organization account                                 Access control measure

What happens when data is deleted

Zivver offers two types of data deletion:

  • Hard delete
  • Soft delete

These are the differences and their implications.

Hard delete
This type physically deletes the messages and files of the user(s). Specifically, the operation removes these artifacts from the Zivver system:

  • All the encryption and decryption keys.
  • The messages and all the files.

Hard delete overwrites these objects with empty objects, so that no information remains on the underlying storage hardware. Hard delete is Zivver's default setting.

Soft delete
This type does not immediately delete the messages and files. The hard delete takes place only after a configured period, for example 365 days. During that period the organization can still access the data in Zivver, for example to see what data was actually shared in a suspected data leak. For the individual user, the data is no longer visible from the moment of the soft delete. Contact your Zivver account manager if you want to enable the soft-delete option.
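The difference between the two measure types, the automatic deletion rule, the expiry options and the hard/soft delete behaviour described above can be made concrete in a small model. The Python below is an added example and not Zivver's own code: the store, its method names, the per-message key, the HMAC-based stand-in cipher and the sample messages are all assumptions made for illustration. Access control measures only edit who is a participant, so the data survives and access can be restored; data deletion measures destroy the per-message key (after the retention period, in soft-delete mode), after which nobody, admins included, can decrypt the stored object.

```python
import hashlib
import hmac
import secrets


def _hmac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks = (_hmac(key, nonce + i.to_bytes(4, "big")) for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    # Stand-in cipher: HMAC-SHA256 keystream, encrypt-then-MAC, separate subkeys.
    # It only illustrates key dependence; use a real AEAD such as AES-GCM in production.
    nonce = secrets.token_bytes(16)
    ks = _keystream(_hmac(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + _hmac(_hmac(key, b"mac"), nonce + ct)


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _hmac(_hmac(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_hmac(key, b"enc"), nonce, len(ct))))


class SecureMessageStore:
    """Hypothetical store: access control edits the participant set, data deletion
    destroys the per-message key (at once, or after a soft-delete retention period)."""

    def __init__(self, retention_days=0):
        self.retention_days = retention_days  # 0 = hard delete immediately (the default)
        self.messages = {}

    def send(self, sender, recipients, plaintext, now, expires_in=None, on_expiry="recipients"):
        key = secrets.token_bytes(32)  # one random key per message (assumed design)
        msg_id = len(self.messages) + 1
        self.messages[msg_id] = {
            "owner": sender, "participants": {sender, *recipients},
            "key": key, "ciphertext": encrypt(key, plaintext),
            "expires_at": None if expires_in is None else now + expires_in,
            "on_expiry": on_expiry, "soft_deleted_at": None,
        }
        return msg_id

    def read(self, msg_id, user, admin=False):
        m = self.messages[msg_id]
        if m["key"] is None:
            raise LookupError("hard deleted: the key is gone, nothing can be decrypted")
        # Admins (impersonation, FTP export) keep access until the hard delete.
        if not admin and (m["soft_deleted_at"] is not None or user not in m["participants"]):
            raise PermissionError(f"{user} has no access")
        return decrypt(m["key"], m["ciphertext"])

    def can_read(self, msg_id, user, admin=False):
        try:
            return self.read(msg_id, user, admin) is not None
        except (PermissionError, LookupError):
            return False

    # Access control measures: the key survives, so access can be restored.
    def revoke_recipients(self, msg_id):
        self.messages[msg_id]["participants"] = {self.messages[msg_id]["owner"]}

    def unrevoke(self, msg_id, recipients):
        self.messages[msg_id]["participants"].update(recipients)

    # Data deletion measures.
    def revoke_everyone(self, msg_id, now):
        self.messages[msg_id]["participants"] = set()
        self._delete_if_orphaned(msg_id, now)

    def _delete_if_orphaned(self, msg_id, now):
        # Nobody has access any more: the automatic data deletion rule.
        m = self.messages[msg_id]
        if m["participants"] or m["key"] is None:
            return
        if self.retention_days == 0:
            self._hard_delete(m)
        elif m["soft_deleted_at"] is None:
            m["soft_deleted_at"] = now

    @staticmethod
    def _hard_delete(m):
        m["key"] = None        # destroy the key: the ciphertext is undecryptable from now on
        m["ciphertext"] = b""  # and overwrite the stored object with an empty one
        m["participants"] = set()

    def tick(self, now):
        # Apply due expirations and finish soft deletes whose retention period has ended.
        for msg_id, m in self.messages.items():
            if m["key"] is None:
                continue
            if m["soft_deleted_at"] is not None:
                if now >= m["soft_deleted_at"] + self.retention_days:
                    self._hard_delete(m)
            elif m["expires_at"] is not None and now >= m["expires_at"]:
                m["expires_at"] = None  # apply once, so a later unrevoke sticks
                if m["on_expiry"] == "everyone":
                    self.revoke_everyone(msg_id, now)
                else:
                    self.revoke_recipients(msg_id)
```

Time is an integer day counter passed in by the caller so that expiry and retention can be stepped deterministically with `tick`. The point to take from the model is the asymmetry between the two measure types: `revoke_recipients` followed by `unrevoke` restores access because the key was never touched, whereas after `revoke_everyone` (or an expiry set to "everyone") the key is gone and even an admin read fails; in soft-delete mode the same call only hides the data from users, and the admin path keeps working until the retention period runs out.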

For admins, Zivver data remains available through FTP or via the impersonation procedure until it is hard deleted.

Zivver keeps incremental backups of the encrypted data for disaster recovery for 28 days. So during those 28 days after the information was physically deleted, your data can still be retrieved, for example to investigate a data leak. This involves significant manual work from Zivver support engineers and requires the involvement of the admins of your organization.
