FAQ: AppNeta Data and GDPR Compliance
by May 24, 2018

Filed under: Industry Insights, Product News

With the upcoming enforcement of the European Union General Data Protection Regulation (GDPR), we here at AppNeta want to share the steps we have taken to protect our customers and their data.

In general, GDPR wants you to:

  • Collect as little information as is necessary, keep it for as short amount of time as is necessary and share it with as few people as is necessary.
  • Be transparent about what data will be used for, explain the use in clear and simple terms and only use it for the stated purpose.
  • Allow the individual to choose what data to share, to retrieve all of their data, to correct it, and to permanently delete it.
  • Keep data secure, and notify the individual and the authorities as soon as possible in the case of a security breach or data leak.

AppNeta provides a considerable amount of insight into your organization’s application performance and the experience of your end users. To provide this insight we are collecting a few different sources of information:

Application Usage

In order to identify the applications in use on your network, we perform Deep Packet Inspection (DPI) analysis of network traffic and support secure remote packet capture. This form of instrumentation is likely to contain the IP addresses and hostnames of users on your network and potentially the usernames of users logged into those computers if you have enabled that capability.

Network Delivery

Now that you know what applications are in use, the next step is to ensure that the end-to-end network that delivers that application is performing well. This is where AppNeta’s patented TruPath technology actively measures the end-to-end performance over any network. This form of instrumentation will collect the IP addresses of the application hosts and the network devices traversed.

End User Experience

Modern web applications are complex, and the best method of ensuring the application is performing well is to interact with the application like a real user. To do this all AppNeta Monitoring Points run Google Chrome and can execute multi-step transactions to ensure proper operation and performance. This form of instrumentation performs only the steps explicitly defined in the script, and best practice is to never use real user information in monitoring.

In order to collect and process personal data, you need a lawful basis for doing so. The complete list can be found in article 6 paragraph 1 of the regulation. In most cases this will either be through the explicit consent of the person, to fulfill a contract with the person, due to a legal obligation (e.g. accounting laws) or because you have a legitimate interest for which the data is necessary. All AppNeta customers have to have active subscription or trial contracts to collect this monitoring data.

Data Processors

AppNeta offers both Public and Private Cloud hosted offerings. For the purpose of GDPR, AppNeta Public Cloud deployments maintain the data collected in two sub-processors:

  • Amazon Web Services (AWS) is our primary provider, maintaining all Delivery, Experience and short-term Usage data.
  • Google Big Query is used for long-term Usage data.

Logs and Error Reporting

Like all SaaS services the web servers running the AppNeta Performance Manager generate web server access logs. These are crucial in analyzing application traffic, debugging problems, and defending against security attacks. Information within these logs includes IP address, user agent, HTTP referrer, etc. which are collected and stored as they occur. Application clickstream data is also collected for alerting and debugging of problems, but will usually collect personal data such as the IP address and user ID of the user. These logs are retained for 1 month to aid in optimizing performance and user experience.

Data Security

GDPR provides a few options to protect the information of EU users, including pseudo-anonymization and encryption. We believe that good data security should apply to all users. We have taken the incremental steps of ensuring that all personally identifiable information is encrypted at all states of its life cycle. These best practices are performed for all users, not just EU users.

All AppNeta customers will be receiving the AppNeta Data Protection Agreement in the coming days, but rest assured that the proper steps have been taken to ensure the security of all users data  Alternatively, the text of the AppNeta Data Protection Agreement can be viewed here.