Personal information protection

In addition to its own compliance with the Personal Information Protection Act, NAVER Cloud Platform strives to help its customers comply with the GDPR as it applies to their own business activities.

  • NAVER Cloud Platform complies with all relevant laws and international standards related to the protection of personal information.

    NAVER Cloud Platform thoroughly complies with personal information protection laws inside and outside of Korea, such as the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., and the Cloud Computing Development and User Protection Act.

    In addition, infrastructure, application, and personal information protection specialists continuously perform risk management activities to comply with the standards for technical and administrative protection of personal information. We receive inspections for our compliance with personal information regulations through 10 strict domestic and international security certifications including ISMS-P, CSAP, ISO 27018, SOC 1/2/3, MTCS, etc.

    We actively support customers' compliance with personal information protection laws.

    NAVER Cloud Platform provides various security guides so that customers can comply with personal information protection laws in the areas of customer responsibility under the cloud shared responsibility model.
    1. Through the Compliance Guide, you can understand your role as a customer and check security services suitable for regulatory requirements.
    2. Through the security white paper and security guide, you can check the details of security settings to comply with the standards for technical and administrative protection of personal information.
    3. We provide the cloud environment security audit guide for customers' own secure cloud operation and protection of personal information.

    The customer's data belongs to the customer, not NAVER Cloud Platform.

    The customer data saved and uploaded to NAVER Cloud Platform's infrastructure services belongs to the customer, and NAVER Cloud Platform does not access it without the customer's consent.
    The customer can also utilize various security services provided by NAVER Cloud Platform to control data through means such as personal information encryption and access control.

    NAVER Cloud Platform's various security services can safely protect the personal information of its customers in the cloud environment.

    | Category | Service name | Description |
    |---|---|---|
    | Access control | NACL | Network Access Control List (NACL) is a subnet-level firewall that can restrict unauthorized access by limiting access permissions to personal information processing systems by IP address, etc. |
    | Access control | ACG | Access Control Group (ACG) is a server-level firewall that can restrict unauthorized access by limiting access permissions to personal information processing systems by IP address, etc. |
    | Access control | Secure Zone | It is a service that provides a physical network separation between the service zone and the personal information processing system zone. |
    | Access control | Security Monitoring | It is a service that can prevent illegal access and infringement incidents through communication networks. |
    | Access log forgery prevention | Resource Manager | As a service for the integrated management of all resources in NAVER Cloud Platform, you can check the creation and change logs for each created resource. |
    | Access log forgery prevention | Cloud Activity Tracer | It provides various information on account activity logs within NAVER Cloud Platform. |
    | Personal information encryption | KMS | Key Management Service (KMS) provides a wide range of convenient features that can thoroughly and safely protect encryption keys. |
    | Personal information encryption | HSM | Hardware Security Module (HSM) provides the most secure means of encryption key protection. You can easily use the feature that satisfies most of the requirements for data encryption. |
    | Personal information encryption | SSL VPN | You can build an SSL-based virtual private network for encrypted tunneling communication when accessing the company's internal network from outside. |
    | Personal information encryption | IPsec VPN | When sending and receiving personal information and authentication information between an external customer network and the NAVER Cloud Platform network, you can safely communicate through encrypted tunneling communication. |
    | Personal information encryption | Certificate Manager | It provides a feature to register certificates to be used in linked services and manage them in an integrated way. |
    | Malware prevention | Security Monitoring | It provides anti-virus software that can prevent and respond to malware. |
  • NAVER Cloud Platform's efforts for GDPR compliance

    General Data Protection Regulation (GDPR) is a personal information protection law amended to protect personal information of data subjects in the European Union. NAVER Cloud Platform does its best to thoroughly examine related items internally for its own GDPR compliance, prove GDPR compliance, and resolve threats for the protection of customers' personal information.


    GDPR compatible Privacy Notice update

    We have revised the Privacy Notice (Personal Information Handling Policy) in order to comply with the GDPR, such as providing relevant information to the information owners, in order to ensure fair and transparent customer information handling. We will continue to update the Privacy Notice in the future to ensure transparency in the processing of personal information.


    If customer information is handled by NAVER CLOUD PLATFORM in compliance with the GDPR, a Data Processing Addendum (DPA) will be provided as the contractual agreement. The customer is the controller of their personal information, and NAVER CLOUD PLATFORM is designated as the processor of customer data. The DPA includes the EU Model Clauses. Customers who wish to transfer their personal information from the European Economic Area (EEA) to countries outside the EU can receive the same high level of privacy protection as in the EEA environment through NAVER CLOUD PLATFORM.


    Privacy by Design and Privacy by Default

    Even before the GDPR came into effect, we were working on personal information protection for services and products before the design phases and have been focused on developing security technologies. This is a principle that we abide by. In addition, we regularly inspect and monitor our products and services to ensure that they do not infringe on the privacy rights of our customers.


    Reliable Regulation Reviews with Leading Law Firms

    In line with the GDPR regulation, which stipulates stricter requirements for personal information processing, we received reliable legal advice for compliance through a leading Korean law firm and a local EU law firm to secure the legality of processing customer personal information and ensure maximum rights.


    Certification Acquisition

    In order to protect customer privacy and comply with the GDPR, the NAVER CLOUD PLATFORM, as a processor, is investing in the highest level of security to ensure that appropriate technology and organizational measures are implemented.
    We are internationally certified in ISO/IEC 27001 Information Security Management for systematic and continuous security management, ISO/IEC 27017 Security Controls for Cloud Security, and ISO/IEC 27018 Protection of Personally Identifiable Information. Also, we are certified in Service Organization Control (SOC) 1, 2 and 3 for an international level of compliance in internal control audits, and we are also certified in PCI Security Standard Council (PCI DSS) for international data security standards for secure payment information protection. As the first Korean cloud service provider to obtain CSA STAR Certification, it has been verified that our cloud service security management activities are being effectively performed. Going forward, NAVER Cloud Platform will continue to seek certification to verify its security and privacy level and to support customers.

    Support GDPR Compliance for Customers

    Encryption

    • Ensures confidentiality through the encryption of personal information and data
    • E.g. Key Management Service, SSL VPN, IPsec VPN, and Data Teleporter

    Monitoring and Logging

    • Provides an overview of cloud assets and ensures integrity and availability through security monitoring and logs
    • E.g. Basic Security, Security Monitoring, App Safer, File Safer, Web Security Checker, System Security Checker, App Security Checker, and Cloud Log Analytics

    Access Control

    • Allows only authorized administrators, users, and applications to access NCP resources
    • E.g. ACG, Secure Zone, CAPTCHA, API Gateway, and Sub Account

    Availability and Resilience

    • Ensures the ability to continue processing and recover in a timely manner
    • E.g. Backup, Multi Zone, Global Region, Monitoring, Web service Monitoring System, and Network Traffic Monitoring

  • First CSP in Korea to acquire CBPR certification

    The Cross-Border Privacy Rules (CBPR) is an international privacy certification intended to ensure free and secure transfer of personal information between Asia-Pacific Economic Cooperation (APEC) member countries, and NAVER Cloud Platform is the first CSP in Korea to acquire CBPR certification. To confirm its compliance with the privacy management system required by APEC, NAVER Cloud Platform has been certified by an accredited institution as complying with the control items based on the 9 principles of privacy, and it continues its efforts to protect the privacy of its customers.


    Global Certification System

    It is an internationally recognized certification system operated and applied by APEC member countries and companies, which is not limited to domestic certification. By complying with the Privacy Framework established by APEC, NAVER Cloud Platform has been validated to have a secure privacy protection system that meets global standards.


    Legislation of CBPR certification

    If any of the APEC member countries approves or legislates CBPR as a recognized certification system in their country, then there are direct legislative benefits. For example, CBPR certified members such as Japan and Singapore have recognized CBPR as an equivalent protection system to their national privacy guidelines and have reflected it in their laws.


    Benefits of CBPR

    As a common global certification standard, CBPR helps ensure that companies have the proper level of protection in place. This can save you time and money when entering into APEC member countries or signing partnerships by proving your privacy standards and thus increasing your credibility.