Tuxis B.V. Sensible Use Policy
VERSION 2018-05-01

Our Sensible Use Policy sets out what specific products are designed for. ‘Sensible’ refers to the wisest use of the service. This lets you determine whether additional measures need to be taken to secure your data so that you can meet GDPR guidelines.

When reading this policy it is important to understand that it refers to the systems we manage. Settings and configurations that you may change yourself are not covered by this policy.

The following applies to all services:

  • The Tuxis policies used to manage these services can be found here: https://www.tuxis.nl/en/policies
  • Unless otherwise stated, data is on equipment owned by Tuxis;
  • Unless otherwise stated, data is exchanged internally across infrastructure managed by Tuxis;
  • Equipment is in Security Class 4 data centres;
  • Data is stored in the Netherlands.

Explanation of the items:

  • Purpose: A description of what we consider the product suitable for;
  • Types of personal data: The types of personal data the security is designed for;
  • Security: The way data can be secured. This does not mean that it is also secured in this way by default;
  • Updates: The way updates are performed;
  • Note: An explanation.

SaaS: FilesOnline.eu

Purpose: 
Storing and using files for daily use. 
Synchronizing this data with devices.

Types of personal data:
With client-side encryption: All types of data. Without client-side encryption: All types of data, other than personal data.

Security:

  • Each instance runs on its own VPS;
  • Connections between client and FilesOnline.eu are secured by SSL;
  • Data can be stored in encrypted form (setting);
  • 2FA can be enabled (setting);
  • Version management is on by default (setting);
  • Recycle bin is on by default (setting). Files are deleted after a maximum of 180 days;
  • Logging of activities (create, modify, delete) (setting);
  • Brute force security can be switched on by the customer;
  • User-defined password policy (minimum number of characters, prohibited generic passwords, required upper and lower case letters, required digits, required special characters);
  • List of devices with access to files;
  • Data is stored in triplicate across multiple data centres;
  • Data is backed up once (Purpose: disaster recovery);
  • Files that are synchronized to a device must be secured on/by the device.

Updates:
Updating of the OS, services and software is performed automatically.

SaaS: Kerio Connect

Purpose: 
Saving and synchronizing email, calendars, contacts, tasks and notes for daily use.
Synchronizing this data with devices.

Types of personal data:
Name and contact data, IP addresses and other personally identifiable information other than legal documents and personal data.

Security:

  • Each instance runs on its own VPS;
  • Connections between the client and the service can be secured by forcing the use of SSL (setting);
  • Passwords can be saved in heavily secured SHA format (setting);
  • Recycle bin is on by default. Retention can be set per domain and per user;
  • Automatic clearing of items older than a configurable number of days for the following folders: recycling bin, spam/junk, sent items;
  • Automatic clearing of all items older than a configurable number of days, with the exception of contacts and notes;
  • Logging of all activities (creating, modifying, moving, deleting, receiving and sending) (setting);
  • Log retention (setting);
  • Brute force security;
  • Enforceable password policy (minimum 8 characters, minimum 3 types of characters such as lowercase, uppercase, numbers, special characters, and may not contain any parts of the account information);
  • List of devices that have access to the data;
  • Extensive filtering possible;
  • Data is stored in triplicate across multiple data centres;
  • Data is backed up once (Purpose: disaster recovery);
  • Files that are synchronized to a device must be secured on/by the device.

Updates:
Updating of the OS, services and software is performed automatically.

SaaS: Kerio Operator

Purpose: 
For use as a telephony platform for VOIP.

Types of personal data:
Phone calls (audio), phone numbers, IP addresses.

Security:

  • Each instance runs on its own VPS;
  • Connections between the client and the service can be secured by forcing the use of SSL (setting);
  • Logging of all activities (origin of phone number, number called, time, duration, IP address, account name) (setting);
  • Log retention (setting);
  • Phone call recording (setting);
  • Brute force security;
  • Data is stored in triplicate across multiple data centres;
  • Data is backed up once (Purpose: disaster recovery);

Updates:
Updating of the OS, services and software is performed automatically.

Shared web hosting

Purpose: 
Hosting content.

Types of personal data:
Name and contact data, IP addresses and other personally identifiable information other than legal documents and personal data.

Security:

  • Every customer has his own vhost;
  • Processes in that vhost are executed on behalf of the customer’s user;
  • Connections between the client and the service can be secured by forcing the use of SSL (can be requested);
  • Connections from the client for FTP data are secured by SFTP;
  • Connections between client and phpMyAdmin are secured by SSL;
  • Data is stored in triplicate across multiple data centres;
  • Data is backed up once (Purpose: disaster recovery);

Updates:
Updating of the OS, services and software is performed manually in accordance with the fixed maintenance schedule.

Note:
The above relates to the hosting platform itself. In your website you determine which data can actually be stored. It is also up to you to make sure that your website is fully up to date.

VPS

Purpose: 
To have virtual hardware (CPU, memory, storage) available.

Types of personal data:
All types of data

Security:

  • The separation of virtual hardware is controlled by the hypervisor (hardware emulator);
  • Data is saved in triplicate;
  • Data is backed up once (Purpose: disaster recovery) across multiple data centres.

Updates:
Updating of the OS, services and software is performed manually in accordance with the fixed maintenance schedule.

Note:
The above relates to the platform on which the VPS is running. You determine which operating system, functionalities and security are applied to the VPS.

daDup.eu

Purpose: 
To store data

Types of personal data:
With client-side encryption: All types of data. Without client-side encryption: All types of data, other than personal data. 

Security:

  • Connections between the client and daDup.eu can be secured by the use of SSL;
  • Verification is done by means of access key and secret key;
  • Data is saved in triplicate;
  • No data is backed up;

Updates:
Updating of this service is performed manually in accordance with the fixed maintenance schedule.

Diskbayonline.nl

Purpose: 
The colocation of a hard disk and making it available in a VPS

Types of personal data:
All types of data

Security:

  • The separation of virtual hardware is controlled by the hypervisor (hardware emulator);

Updates:
Updating of the OS, services and software is performed manually in accordance with the fixed maintenance schedule.

Note:
The above refers to the platform on which the VPS is running and your disk is installed. You determine which operating system, functionalities and security are applied to the VPS.

Private Cloud/Private Cluster

Purpose: 
To have a hypervisor available.

Types of personal data:
All types of data

Security:

  • The separation of virtual hardware is controlled by the hypervisor (hardware emulator);
  • Connections between client and administration console are forced to be secured by SSL;
  • Data is stored in triplicate unless otherwise agreed.

Updates:
Updating of the OS, services and software is performed manually in accordance with the fixed maintenance schedule.

Note:
The above relates to the platform on which the hypervisor is running. You determine which operating system, functionalities and security are running on that hypervisor.