Today, it is impossible to ignore the protection of personal data when you are a company that uses the Internet. Our users deserve to have their information in a safe place, especially when it comes to health data!
We are often asked what happens to the data collected by our app and our sensor. This data is useful for us to deliver reliable reports and solid information for doctors to develop their diagnoses. How and where do we keep them, who has access to them and what measures are taken to ensure their security? Here are some answers to these questions.
Data hosting: what are we talking about?
First of all, what data exactly?
Sunrise collects several types of data at different places in your user experience. Here is a list of them:
- Identification data: last name, first name, email, date of birth, country
- Physical data: age, height, weight, neck circumference
- Answers to the sleep questionnaire
- Answers to questions related to the test night
- Raw data collected by the Sunrise sensor from your chin. These are processed by the Sunrise algorithm to provide reliable results at the end of the test night.
The user's data are collected and processed for optimal Application use and to measure the user’s sleep parameters. The user's data may also be processed for the purpose of scientific research (anonymized data), improvement of Sunrise's products (anonymized data) and for commercial purposes (e.g. promotional codes).
What is hosting?
When you collect information, you need space to store it! These data storage spaces are called "servers", it is from there that the company will draw the information necessary to provide the service that they offer.
Some companies host their data themselves; this is called "self-hosting". In our case, we chose to use a "hosting company", a company specialized in data storage.
Hosting companies provide companies with private servers on which to store their data. Companies have free access to this data remotely through a "Cloud" (via Internet). Private servers are maintained by the hosting company but the hosting company does not have access to them. A bit like a landlord renting his apartment to a tenant.
There are many quality hosting providers recognized worldwide: Google (the “Google Cloud Platform”), Microsoft (“Azure”) or even Amazon (“Amazon Web Service”) to name only the biggest ones.
Our choice was based on the following criteria: reliability, the host's years of experience, the geographical location of its servers and the “health data host certification”. Because yes, between classical personal data and health data, there are some small nuances!
What did we choose for Sunrise?
For starters, we ruled out the idea of hosting our data ourselves from the start. Why? As previously mentioned, the role of the hosting company is to manage and maintain the servers, which is a job in itself. To face the numerous risks of cyber attacks, to ensure optimal security and to stay up to date with the regulations, it is better to have a hosting company focused 100% on data protection!
So we decided to entrust our data to Google's services, "Google Cloud Platform". How did we end up with this choice?
A globally recognized host :
In terms of quality and security, Google Cloud has already proven its worth to the largest companies: Airbus, Total, Orange and even Ubisoft trust it. Google Cloud takes advantage of the same advanced security tools as Google for data protection. It is an exceptionally qualitative and trusted host.
Servers in Europe :
It was important for us to choose a host whose servers are located in Europe so that they can be governed by the GDPR and not by third-party jurisdictions that are less careful about data privacy. Google Cloud has servers in Europe: personal data is stored on servers in Belgium and the Netherlands. Data is replicated on several secondary servers, also located in the EU, to avoid data loss in the event of a server failure.
Certified “Health data host” :
Google Cloud is a health data host! This certification provided in France by the French Ministry of Health and Solidarity and the Digital Health Agency (Agence du Numérique en Santé) ensures that the framework complies with a certain level of security. Hosting companies wishing to be certified must implement a detailed list of measures and be validated by an accredited certification body during an audit. This is done for Google Cloud which now appears in the list of Health Data Hosts on the ANS 's website
France, a safe and reliable country of reference :
By complying with French standards, we have chosen to align ourselves with one of the most reliable countries for the secure transfer of personal data. The CNIL, Commission Nationale de l'Informatique et des Libertés, is responsible in France for regulating personal data. It is one of the oldest entities with this role in Europe: it was created in 1978.
In addition to being subject to the GDPR, France is a member of the French-speaking Association of Personal Data Protection Authorities (Association francophone des autorités de protection des données personnelles -AFAPDP), which brings together 20 States, demonstrating its willingness to be involved with the international community on these issues.
What happens to your data, in practical terms?
Between the website, the Sunrise app and the sensor that analyzes your mandibular movements during your test night, data is collected from multiple places and reaches separate servers. And because a picture is worth 1000 words, we preferred to draw you a diagram to explain the flow of data through the Sunrise system.
Recently, Sunrise added another security level with CMEK integration. CMEK stands for Customer-managed encryption keys and provides the customer the whole control on their data.
a ajouté un niveau de sécurité supplémentaire en soumettant l'accès aux fichiers de données à des CMEK (Customer-managed encryption keys). Il s'agit de clés de chiffrement gérées par le client, qui lui permettent d'obtenir le contrôle total de ses données.
And what other measures?
Like any company collecting and processing data on European territory, Sunrise is subject to the GDPR, the General Data Protection Regulation that came into effect in 2018. It is a regulation that frames the processing of personal data on the European Union's territory.
In this regulation, we find the obligation to carry out a "data protection impact assessment" (Art. 35 of the GDPR) when the processing of data may result in a risk to the rights and freedoms of the individuals concerned This impact analysis, or DPIA, was conducted by Sunrise in March 2021. François, QA/RA Manager at Sunrise, tells us more about DPIA in this article.