Security FAQs

Frequently asked customer inquiries about security are provided as FAQs.

Frequently asked questions about GDPR are provided as FAQs.

What is the GDPR?
The General Data Protection Regulation (GDPR) is a new European Union privacy law that took effect on May 25th, 2018. GDPR replaced the EU Data Protection Directive (also known as Directive 95/46/EC) and is a strong privacy law for the EU that applies a universally binding data protection law to each EU member state.
Who must comply with the GDPR?
(1) All companies in the EU that handle personal information, and (2) organizations that are not established in the EU but handle personal information while providing products or services to data subjects in the EU or monitoring activities within the EU. In other words, the GDPR applies not only to companies in Europe but also to companies all over the world.
What is the difference between the GDPR and the previous EU Directive?
The previous Directive was a recommended level of regulation, while the GDPR is a binding law that applies equally to all member states. The GDPR also includes new content, such as the designation of a data protection officer (DPO), recording and maintenance of personal information handling history, and privacy impact assessments, and it strengthens company responsibilities, such as designating representatives across regions, restrictions on information handling, rights to move information, and the rights of the data subjects.
How is the NAVER CLOUD PLATFORM prepared for the GDPR?
Even before the GDPR came into effect, NAVER Cloud Platform put security and privacy protection first and invested heavily in compliance with Korean and overseas laws and its own policies and technologies. We have also maintained compliance with various Korean and international standards.
In addition, we have already reviewed our processes for handling personal information and conducted a separate review for GDPR requirements. Data handling contracts that comply with GDPR regulations are also provided to our customers and are automatically applied to their services.
In order to protect customer privacy based on the GDPR, the NAVER CLOUD PLATFORM, as a processor, is investing in the highest level of security to ensure that appropriate technical and organizational measures are implemented. To show our dedication to this principle, we have obtained ISO/IEC 27001, 27017, and 27018 certifications, SOC (Service Organization Control) 1, 2, and 3 certifications, and PCI DSS (PCI Security Standards Council) certification. Based on these efforts, we are also the first Korean cloud service provider to obtain CSA STAR Certification.
What services does NAVER CLOUD PLATFORM provide to help your customers comply with the GDPR?
The customer is the controller of the third-party personal information contained in the customer business assets on the NCP and must implement appropriate technical and administrative measures to ensure an appropriate level of security, including:
(1) Pseudonymization and encryption of personal information;
(2) Ability to guarantee the continuing confidentiality, integrity, availability, and resilience of processing systems and services;
(3) Ability to restore availability and access of personal information in a timely manner in the event of a physical or technical event;
(4) Regular testing and evaluation of technical and managerial effectiveness to ensure information security.
NCP offers the following specific features and services to help customers meet these GDPR requirements:
- Encryption (to ensure confidentiality through the encryption of personal information and data)
  E.g. Key Management Service, SSL VPN, IPSec VPN, and Data Teleporter
- Monitoring and logging (to provide an overview of NCP assets and ensure integrity and availability through security monitoring and logs)
  E.g. Basic Security, Security Monitoring, App Safer, Site Safer, File Safer, Web Security Checker, System Security Checker, App Security Checker, and Cloud Log Analytics
What can customers do to prepare for the GDPR?
There are three stages you can consider to strategically prepare for the GDPR, depending on whether the GDPR is applicable to you and the time it takes to meet the GDPR compliance standards.
(1) Check your personal information handling process to confirm whether it must meet GDPR requirements.
(2) If the GDPR is applicable to you, immediately start implementing it, beginning with the requirements you need to apply first.
(3) Consider the procedures for the changes, such as the budget and manpower required to change internal policies or technical measures (e.g. getting a new process for information handling or collecting evidence).
Here are some key factors that can help you meet GDPR compliance:
- Compliance Scope: All organizations established in the EU. Also, organizations established outside of the EU can fall under the scope of the GDPR, depending on their activities.
- Key Principles: You need to understand the six principles of personal information handling and the six standards to ensure secure handling, and you must fulfill the responsibility to document this.
- Data Subject Rights: You need to identify the flow of privacy data in the business and implement appropriate policy or technological measures to allow the exercise of information rights, such as data movement rights and opposing rights.
- Controller and Processor: Most of the GDPR consists of obligations, so it is important to identify roles and understand the rules that each entity must fulfill. Obligations that must be complied with include the designation of DPOs, the designation of representatives, records of personal information handling history, privacy impact assessments, data protection by design and by default, and personal information infringement reports and notifications.
- Migration of Personal Information outside the EU: The GDPR permits transfer to other countries if the appropriate level of protection of personal information is ensured. You need to understand the detailed rules for relocation outside of the EU and choose the appropriate mechanism.
Is the NAVER CLOUD PLATFORM a controller or a processor under the GDPR?
The NAVER CLOUD PLATFORM is both a controller and a processor under the GDPR.
- NAVER CLOUD PLATFORM as controller: The NAVER CLOUD PLATFORM acts as a controller when collecting personal information about the customer account and payment information for the service, and when determining the purpose and method of processing personal information collected to support customer inquiries and operations.
- NAVER CLOUD PLATFORM as processor: When customers and partners use this service to process personal information included in customer and partner business content, the NAVER CLOUD PLATFORM acts as a processor. Customers and partners can use NAVER CLOUD PLATFORM products and services to process personal information included in their content. In this case, the customer and partner can act as controllers or processors, and the NAVER CLOUD PLATFORM acts as a processor or subprocessor. The NAVER CLOUD PLATFORM provides a Data Processing Addendum (DPA) for the GDPR that reflects its role and commitment as a processor.
Does the NAVER CLOUD PLATFORM provide a GDPR-compliant Data Processing Addendum (DPA)?
All customers who process personal information using cloud services must enter into data processing agreements with cloud service providers to comply with the GDPR. NAVER CLOUD PLATFORM provides GDPR-compliant DPAs to customers. We guarantee the following:
- NAVER CLOUD PLATFORM processes customer data only in accordance with the customer agreement.
- NAVER CLOUD PLATFORM applies robust and flexible technological and administrative safeguards for the use of NAVER CLOUD PLATFORM products and services.
- NAVER CLOUD PLATFORM notifies customers without undue delay in the event of a privacy breach.
- NAVER CLOUD PLATFORM provides a copy of the certification of privacy and security standards upon the customer's request.
How does the GDPR affect the relationship between customers and the NAVER CLOUD PLATFORM?
Cloud service providers typically offer services in the form of IaaS, PaaS, and SaaS. In such an environment, security and regulatory compliance is a shared responsibility between cloud service providers and customers. This shared model has the added benefit of relieving customers not only of operating infrastructure, but also of some security and compliance burdens.
The same is true of the regulatory environment of the GDPR. The NAVER CLOUD PLATFORM is a processor or subprocessor and is responsible for protecting the underlying infrastructure supporting the cloud - hardware, software, network, and physical facilities. The customer is a controller or processor and is responsible for all personal data handling included in the content stored on the NAVER CLOUD PLATFORM.