Zivver data access, retention, and deletion
Introduction
In privacy laws, such as the GDPR, access control and data retention are important requirements. Typically, personal data cannot be processed or shared without a reason. Zivver helps organizations comply with the GDPR requirements for data access and deletion, and with country-specific regulations. Examples include the UK NCSC and the Dutch NTA 7516.
In the Zivver platform, senders of a message control to whom, and for how long, data is accessible. In addition, organizational controls exist that can affect data access and retention.
What are the consequences?
- For the access of data by users.
- For the access of data by admins.
- For the storage of data by Zivver.
Data access control options
In Zivver, there are functions that affect the access to data by stakeholders. Some of these functions are available to senders. Others are available to admins of the organization.
Function types
Access control measures
Measures that make sure that accounts cannot access the data. These measures are for users, for whom access to the data is not necessary or desirable. For a large majority of GDPR-related operations, this measure is relevant. If access is revoked for all recipients, Zivver automatically triggers a data deletion measure.
Data deletion measures
Measures that make sure that data is inaccessible. These types of measures involve every stakeholder. That means that the recipients with whom the data was shared cannot access this data in Zivver after this measure. The message is inaccessible because Zivver discarded the encryption key. The metadata, including the subject and recipients, remains accessible. These kinds of measures are only for specific situations. For example, when sensitive information was accidentally shared with the wrong person.
Access control options for senders
In Zivver client software, senders of messages and files have these options to modify data access and retention:
Set expiration period
Senders of a secure message can set an expiration period. The sender has these alternatives after the expiration period:
- Only recipients lose access. This is an access control measure.
- Everyone including the sender loses access. This is a data deletion measure.
With the first option, senders can also ‘unrevoke’ access for recipients. With the second option, this is not possible, because the message is permanently inaccessible: the decryption keys are discarded, so the message remains encrypted. With this feature, users can comply with the data retention policy of their organization. Users can set the expiration period directly from their Zivver-enabled client.
Direct access revocation
For every sent message, senders of a secure message can immediately revoke access to that message. That feature is useful when the sender makes a mistake. For example, the sender entered a wrong mail address.
The sender has these alternatives:
- Only recipients lose access. This is an access control measure.
- Everyone including the sender loses access. This is a data deletion measure.
With the first option, senders can also ‘unrevoke’ access for recipients. With the second option, this is not possible because the message is inaccessible. For this feature, Zivver deliberately does not let users revoke access for a single recipient. Users can only do this for a whole message. The reason is that, in a stressful situation, they could select the wrong recipient. Users can remove a specific recipient from a conversation with a separate option, Remove a participant. Users can directly revoke access from their Zivver client.
For more information on Direct access revocation for administrators, refer to Message revocation in the Zivver WebApp administrator manual.
Remove a participant
When users send a message in Zivver, they start a conversation with the addressed recipients (the participants). The owner of this conversation, the sender of the initial message, can remove individual participants from a conversation. This is an access control measure. But this is possible only if that participant did not send a reply to the conversation. If users must block information in that scenario, they can use Direct Access Revocation.
Delete conversation
Users can also delete a conversation. In this case, they actually remove themselves as participants from the conversation. This is an access control measure. Other participants can still read and access the conversation.
Access control options for admins
In addition to the user controls, admins have these options.
Set default expiration period
Admins can set the default expiration period for user messages. This expiration period applies to every message sent, unless a user overrides it. Similarly to the user option, an admin can configure that only recipients lose access (an access control measure), or that the sender also cannot access the information from that point onwards (a data deletion measure).
Do user actions via ‘impersonation’
In Zivver, admins have the option to grant specific users, including themselves, access to other users’ accounts. The delegated user has access to all the user options described above. You can use this feature to revoke access to a message on behalf of a user. This is useful if the user cannot correct the mistake themselves, or in case of malicious sharing of sensitive information.
Disable a user account
Admins can disable any user account, either manually or via synchronization with a directory service such as Active Directory (with SCIM 2). When an account is disabled, the user can no longer log in, but nothing changes at the data level. This is an access control measure.
Delete a user account
An admin can also delete a user account. The user is then removed from all the conversations in which they participated. This is an access control measure. Note: Zivver automatically triggers a data deletion measure if all the users lose access to a specific conversation. But deleting a user account does NOT automatically delete the messages that the user sent.
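To make the semantics of the user and admin actions above concrete, here is an added model (an illustration only, not Zivver's own code; the class, method and field names are assumptions). It encodes the rules stated on this page: revoking recipients is reversible, revoking everyone discards the key permanently, expiration applies the same two alternatives, a participant can be removed only if they never replied, a conversation in which no user retains access is deleted automatically, and deleting an account does not by itself delete the messages that user sent.

```python
from dataclasses import dataclass, field


@dataclass
class Conversation:  # added toy model, not Zivver code; names are assumptions
    owner: str
    participants: set                     # owner plus every addressed recipient
    key_present: bool = True              # False once the decryption key is discarded
    revoked: set = field(default_factory=set)   # recipients whose access was revoked
    replied: set = field(default_factory=set)   # participants who sent a reply
    expires_at: int = 0                   # assumed epoch seconds; 0 = no expiration
    expire_everyone: bool = False         # True = data deletion measure on expiry

    def can_read(self, user: str) -> bool:
        # Metadata stays visible, but the content is unreadable without the key.
        if not self.key_present:
            return False
        return user in self.participants and user not in self.revoked

    def revoke(self, everyone: bool = False) -> None:
        if everyone:
            self.key_present = False      # data deletion measure: permanent
        else:                             # access control measure: reversible
            self.revoked = {p for p in self.participants if p != self.owner}

    def unrevoke(self) -> None:
        if not self.key_present:
            raise ValueError("key discarded: message is permanently inaccessible")
        self.revoked.clear()

    def apply_expiration(self, now: int) -> None:
        if self.expires_at and now >= self.expires_at:
            self.revoke(everyone=self.expire_everyone)

    def remove_participant(self, user: str) -> None:
        # Owner action; not allowed once that participant has replied.
        if user in self.replied:
            raise ValueError(f"{user} replied; use direct access revocation instead")
        self._drop(user)

    def delete_account(self, user: str) -> None:
        # Admin action: the user leaves every conversation; their sent messages stay.
        self._drop(user)

    def _drop(self, user: str) -> None:
        self.participants.discard(user)
        self.revoked.discard(user)
        # Page rule: once no user retains access, Zivver discards the key.
        if not (self.participants - self.revoked):
            self.key_present = False
```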
Delete the organization
This option deletes all the user accounts and their underlying data from Zivver. This is an access control measure.
Overview of data access and data retention measures in Zivver
User actions (action: type)
- Set expiration period, disable access by recipients: Access control measure
- Set expiration period, disable access by everyone: Data deletion measure
- Direct access revocation, disable access by recipients: Access control measure
- Direct access revocation, disable access by everyone: Data deletion measure
- Remove a participant: Access control measure
- Delete a conversation: Access control measure
Admin actions (action: type)
- Set default expiration period, disable access by recipients: Access control measure
- Set default expiration period, disable access by everyone: Data deletion measure
- Disable a user account: Access control measure
- Delete a user account: Access control measure
- Delete an organization account: Access control measure
What happens when data is deleted
Zivver offers two types of data deletion.
- Hard delete
- Soft delete
These are the differences and their implications.
Hard delete
This type physically deletes the messages and files of the user(s). Specifically, this operation removes these artifacts from the Zivver system:
- All the encryption and decryption keys.
- The messages and all the files.
Hard delete overwrites these objects with empty objects. This is to make sure that no information stays on the low-level hardware. This type is the default setting of Zivver.
Soft delete
This type does not immediately delete the messages and the files of the users. The deletion occurs after a set period, for example 365 days. After this period, a hard delete occurs. During that period, organizations can still access the data in Zivver. They can see, for example, what data was actually shared in case of a suspected data leak. After a soft delete, an individual user does not see the data. Contact your Zivver account manager if you want to enable the soft-delete option. For admins, Zivver data is available through FTP, or with the impersonation procedure, until the data is hard deleted.
Zivver holds incremental backups with encrypted data for disaster recovery for 28 days. Thus, during those 28 days after the information has been hard deleted, you can still access your data in case of a data leak. But this involves significant manual work from Zivver support engineers and the involvement of the admins of your organization.