GDPR related notes

Piler enterprise enables you to ensure the completeness of your company email archives. It features several functions to comply with GDPR.

Efficient, fast full text search

You can efficiently provide the requested information to third parties, and you can provide timestamped proof of email access history.

Retention periods

Many documents that possibly contain personal data might need to be stored in an auditable manner and protected from deletion and manipulation in accordance with local, federal or industry specific statutory periods. The data subject’s right to erasure according to GDPR may often seem to contradict the retention obligation. Piler enterprise provides features for erasure and storage management that help companies to comply with retention or erasure as applicable. You are therefore able to erase data that has been archived in an auditable manner in accordance with the GDPR and prove it has been carried out.

• if the delete feature is turned on, then an auditor user may remove a message if it contains sensitive personal data. Based on your settings approval of a data officer can be enforced.
• if the purging feature is enabled, then the purging utility periodically removes aged messages from the archive
• the legal hold feature can be used to prevent removing a user’s emails even if some of those emails are aged and marked for deletion

Security best practices

The encryption methods employed by Piler enterprise protect the archived data, and the options provided by the permissions feature enable you to reduce the number of people authorized to consult the data to a minimum, in compliance with GDPR. A cryptographic signature that can be added to exported emails ensures that exported emails remain protected from tampering, even outside of the archive.

Piler enterprise uses the following measures to protect your data:

• using TLS encryption during the smtp transaction
• the piler-smtp daemon supports smtp acl lists to limit access to who can send emails to the archive
• pilerimport supports both pop3 and imap over TLS
• all stored emails are encrypted using a 256 bit long key using the AES algorithm

Strict access control

• the GUI supports 2 factor authentication using the Google Authenticator application
• support for Single Sign-On (SSO)
• the GUI uses strict access control to limit users to see only their own emails (users with auditor role are able to see any email)

Automated audit log

Piler enterprise features an audit log that provides you with seamless and detailed log of the activities within the archiving system.

• the piler daemons syslog the smtp client address, the recipients of the email, the smtp commands in the transaction, message-id of the email, number of attachments
• the GUI syslogs all login attempts with username, IP-address and timestamp
• the GUI writes an audit log for each user action, eg. user search for something, user viewed an email, etc. Such a log consist of the username, timestamp, IP-address and the performed action

Note: To comply with GDPR, there may be further technical and organizational security measures that the user and/or their service provider needs to perform in a specific workflow organization, in addition to the corresponding use and configuration of Piler enterprise.