Zivver data access, retention, and deletion

Introduction

In privacy laws such as the GDPR, access control and data retention are important requirements. Typically, personal data cannot be processed or shared without a reason. Zivver helps organizations comply with the GDPR requirements for data access and deletion, and with country-specific regulations such as the UK NCSC guidance and the Dutch NTA 7516.

Retention is relevant both for the content of messages and for the audit trails generated within Zivver. This article first explains the standard retention period for audit trails and then details the granular options for configuring retention of message content.

Retention of audit trails

The audit trails in the audit and communication log of the administrator panel are retained for six years. This aligns with international standards such as HIPAA. This means that any event in these logs is deleted six years after it was originally created. It can then no longer be viewed in the administrator panel. This period is not configurable and is the same for all Zivver customers. Please contact your account manager if you have binding legal obligations to retain logs for longer than six years.

Data access control options

In Zivver, several functions affect which stakeholders can access data. Some of these functions are available to senders; others are available to admins of the organization. Senders of a message control who can access the data and for how long. In addition, organizational controls exist that can affect data access and retention.

Each of these functions has consequences:

  • For the access to data by users.
  • For the access to data by admins.
  • For the storage of data by Zivver.

Function types

Access control measures
Measures that make sure that specific accounts cannot access the data. These measures target users for whom access to the data is not necessary or desirable. This type of measure is relevant for the large majority of GDPR-related operations. If access is revoked for all recipients, Zivver automatically triggers a data deletion measure.

Data deletion measures
Measures that make sure that the data is inaccessible to every stakeholder. That means that the recipients with whom the data was shared can no longer access this data in Zivver after the measure. The message is inaccessible because Zivver discarded the encryption key. The metadata, including the subject and recipients, remains accessible. These kinds of measures are only for specific situations, for example when sensitive information was accidentally shared with the wrong person.

Access control options for senders

In Zivver client software, senders of messages and files have these options to modify data access and retention:

Set expiration period
Senders of a secure message can set an expiration period. The sender chooses what happens after the expiration period:

  • Only recipients lose access. This is an access control measure.
  • Everyone including the sender loses access. This is a data deletion measure.

With the first option, senders can also ‘unrevoke’ access for recipients. With the second option, this is not possible because the message is permanently inaccessible: the decryption keys are discarded, so the message remains encrypted. With this feature, users can comply with the data retention policy of their organization. Users can set the expiration period directly from their Zivver-enabled client.

Direct access revocation
For every sent message, senders of a secure message can immediately revoke access to that message. This feature is useful when the sender makes a mistake, for example by entering the wrong email address.

The sender has these alternatives:

  • Only recipients lose access.
    This is an access control measure.
  • Everyone including the sender loses access.
    This is a data deletion measure.

With the first option, senders can also ‘unrevoke’ access for recipients. With the second option, this is not possible because the message is inaccessible. For this feature, Zivver deliberately does not let users revoke access for a single recipient; users can only revoke access for a whole message. The reason is that, in a stressful situation, they could select the wrong recipient. To remove a specific recipient from a conversation, users have a separate option, Remove a participant. Users can directly revoke access from their Zivver client.

For more information on Direct access revocation for administrators, refer to Message revocation in the Zivver WebApp administrator manual.

Remove a participant
When users send a message in Zivver, they start a conversation with the addressed recipients, the participants. The owner of this conversation, the sender of the initial message, can remove individual participants from the conversation. This is an access control measure. It is possible only if that participant has not sent a reply in the conversation. If users must block information in that scenario, they can use Direct access revocation.

Delete conversation
Users can also delete a conversation. In this case, they actually remove themselves as a participant from the conversation. This is an access control measure. The other participants can still read and access the conversation.

Access control options for admins

In addition to the user controls, admins have these options:

Set default expiration period
Admins can set the default expiration period for user messages. This period applies to every message sent, unless a user overrides it. As with the user option, an admin can configure that only recipients lose access (an access control measure), or that the sender also loses access to the information from that point onwards (a data deletion measure).

Do user action via ‘impersonation’
In Zivver, admins have the option to grant specific users, including themselves, access to other users’ accounts. The delegated user has access to all the user options described above.

You can use this feature to revoke access to a message on behalf of a user. This is useful if the user cannot correct the mistake themselves, or in case of malicious sharing of sensitive information.

Disable a user account
Admins can disable every user account, either manually or via synchronization with a directory service such as Active Directory (with SCIM 2).

When an account is disabled, the specific user can no longer log in, but nothing changes on the data level. This is an access control measure.

Delete a user account
An admin can also delete a user account. This also means that the user is removed from all the conversations in which they participated. This is an access control measure.

Note: Zivver automatically triggers a data deletion measure if all users lose access to a specific conversation. However, deleting a user account does NOT automatically delete the messages that the user sent.

Delete the organization
This option deletes all the user accounts and their underlying data from Zivver. This is an access control measure.

Overview of data access and data retention measures in Zivver

User actions                                                   Type
-------------------------------------------------------------  ----------------------
Set expiration period - Disable access by recipients           Access control measure
Set expiration period - Disable access by everyone             Data deletion measure
Direct access revocation - Disable access by recipients        Access control measure
Direct access revocation - Disable access by everyone          Data deletion measure
Remove a participant                                           Access control measure
Delete a conversation                                          Access control measure

Admin actions                                                  Type
-------------------------------------------------------------  ----------------------
Set default expiration period - Disable access by recipients   Access control measure
Set default expiration period - Disable access by everyone     Data deletion measure
Disable a user account                                         Access control measure
Delete a user account                                          Access control measure
Delete an organization account                                 Access control measure

What happens when data is deleted

With hard delete, the messages and files of the user(s) are physically deleted. Specifically, this operation removes these artifacts from the Zivver system:

  • All the encryption and decryption keys.
  • The messages and all the files.

Hard delete overwrites these objects with empty objects. This makes sure that no information remains on the low-level hardware.
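The distinction between an access control measure (reversible, the key survives) and a data deletion measure (the key is discarded, so only metadata stays readable), together with the rule that deleting a user account does not delete their sent messages unless nobody is left with access, can be modelled in a few lines. The following is an added, hypothetical model written for this article, not Zivver's own code: the SHA-256 keystream stands in for whatever cipher Zivver actually uses, and the class and method names are invented.

```python
import hashlib
import os
from dataclasses import dataclass, field

def _xor(key: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode keystream, illustrative only; not Zivver's real cipher.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Conversation:
    subject: str                               # metadata: still visible after deletion
    sender: object                             # str, or None once the account is deleted
    recipients: set
    ciphertext: bytes
    key: object                                # bytes, or None once the key is discarded
    revoked: set = field(default_factory=set)  # access control measure state
    @classmethod
    def send(cls, subject, sender, recipients, body):
        key = os.urandom(32)
        return cls(subject, sender, set(recipients), _xor(key, body.encode()), key)

    def read(self, who):
        """Plaintext for a participant who still has access, otherwise None."""
        allowed = who == self.sender or who in self.recipients
        if self.key is None or who in self.revoked or not allowed:
            return None
        return _xor(self.key, self.ciphertext).decode()

    def revoke_recipients(self):
        """Access control measure: recipients lose access, sender keeps it; reversible."""
        self.revoked |= self.recipients

    def unrevoke(self):
        if self.key is not None:               # nothing to restore once the key is gone
            self.revoked.clear()

    def revoke_everyone(self):
        """Data deletion measure: discard the key; ciphertext and metadata remain."""
        self.key = None

    def remove_user(self, user):
        """Account deletion: user leaves the conversation; their sent messages survive."""
        self.recipients.discard(user)
        if user == self.sender:
            self.sender = None
        if self.sender is None and not self.recipients:
            self.revoke_everyone()             # all users gone: automatic data deletion
```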