Security and data privacy
Series: AppFoundry
Security guidelines
According to our security policy in the Genesys Cloud Resource Center, Genesys Cloud adheres strictly to industry-standard practices, procedures, and application security measures. AppFoundry strongly recommends that AppFoundry partners adhere to similar protocols for their applications interfacing with Genesys Cloud.
Privacy guidelines
Global privacy laws, particularly the General Data Protection Regulation (GDPR), have placed legal requirements on businesses that handle personal data, such as Personally Identifiable Information (PII). The GDPR came into effect in the spring of 2018. These regulations apply to organizations that perform software development for the applications or services that process the personal data of an individual. The data subject is an individual whose personal information is processed by the application. The developer must ensure that the application is compliant with privacy regulations and the rights of data subjects when processing personal data in the application. For any concerns about compliance with laws, consult your legal counsel.
Application security
AppFoundry Partners listed on AppFoundry must adhere to at least the following guidelines:
- Use TLS to encrypt the traffic of all applications and integrations interfacing with Genesys Cloud. Note: The required TLS version is TLS version 1.2 or later. TLS version 1.2 using AES 256 encryption or later with SHA-256 MAC is recommended for use.
- Maintain control of the domains where your app descriptor file is hosted and the domains specified as the baseURL or other URLs in the app descriptor file.
- Provide valid TLS certificates for the domains where your app descriptor file is hosted and the domains specified as the baseURL or other URLs in the app descriptor file.
- Authenticate and authorize all requests by the application.
- Authenticate and authorize the data stored by your application and services.
- Do not expose JWT tokens and OAuth tokens anywhere, including in referrer headers and in public repositories, such as Bitbucket and GitHub.
- Set the HttpOnly and Secure flags when sending Set-Cookie headers for session-related cookies.
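A self-check covering three of the guidelines above (TLS 1.2 or later with certificate validation, HttpOnly and Secure on session cookies, no tokens in URLs where they would leak through referrer headers). This is an added example, not Genesys or AppFoundry code; the cookie-name hints, token parameter names, host names and sample values are assumptions constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit, parse_qsl

# Assumptions: name hints for session-related cookies, and query parameters that carry tokens.
SESSION_COOKIE_HINTS = ("session", "sid", "auth")
TOKEN_PARAMS = {"access_token", "id_token", "token", "jwt"}

def strict_tls_context():
    """Client context that validates certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_set_cookie(header_values):
    """Return (cookie_name, missing_flags) for session cookies lacking HttpOnly or Secure."""
    findings = []
    for value in header_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        if not any(h in name.lower() for h in SESSION_COOKIE_HINTS):
            continue  # not session-related, outside this guideline
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [f for f in ("HttpOnly", "Secure") if f.lower() not in attrs]
        if missing:
            findings.append((name, missing))
    return findings

def audit_url(url):
    """Flag non-HTTPS URLs and URLs with a token in the query string (sent on in Referer)."""
    parts = urlsplit(url)
    issues = [] if parts.scheme == "https" else ["not-https"]
    leaked = sorted(k for k, _ in parse_qsl(parts.query) if k.lower() in TOKEN_PARAMS)
    if leaked:
        issues.append("token-in-query:" + ",".join(leaked))
    return issues

# Constructed sample data (not taken from a real application).
SAMPLE_COOKIES = [
    "app_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "app_session_legacy=def456; Path=/; HttpOnly",
    "theme=dark; Path=/",
]
SAMPLE_URLS = [
    "https://app.example.com/index.html?lang=en",
    "https://app.example.com/index.html?access_token=CONSTRUCTED",
    "http://app.example.com/descriptor.json",
]

print(audit_set_cookie(SAMPLE_COOKIES), [audit_url(u) for u in SAMPLE_URLS])
```

Pass strict_tls_context() as the context argument to urllib.request.urlopen or http.client.HTTPSConnection when checking the domains that host your app descriptor file, so that a handshake below TLS 1.2 or an invalid certificate fails the check.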
Data privacy
Adhere to the principles of data protection
To adhere to the principles of data processing, perform the following:
- Identify and document the need for processing each category of personal data. If you cannot identify the need for data processing, do not process the data. Once you have identified the need for processing the data, do not process it for any other reason except the identified need.
- Process only the minimum personal data required for your needs, and ensure that the data is adequate for the need identified.
- Ensure that the personal data is accurate. If the data is inaccurate, ensure that the required mechanisms are in place for data updating.
- Process the personal data only for the required period. Once the data is no longer needed, delete it. Document retention schedules describe the processing of each category of personal data.
Make sure that personal data is secure
The security of personal data is considered along with the overall security of the application. You use secure coding techniques to reduce the possibility of an attacker compromising the application and personal data. You test the application at all levels and consider engaging professional ethical hackers to try to compromise the application. You encrypt personal data wherever possible. You ensure that appropriate access controls are in place so that only the persons who must access personal data have access to it.
Allow individuals to exercise their rights
When an application processes the personal data of a data subject, that individual has specific rights bestowed upon them by privacy regulations. To fulfill an individual’s request, document where the personal data is processed within the application so that the request can be dealt with efficiently.
Data subjects have the right to access their data. You ensure that mechanisms are in place to provide a copy of the personal information processed by the application. Data subjects also have the right to request that you transfer their data to another organization or data repository. If such a request is made, you transfer the data in a structured, commonly used format. The personal data processed by the application must be accurate and up-to-date. If the data is not accurate and up-to-date, a data subject can request that the data is rectified.
A data subject can withdraw their consent, oppose the processing of their data, or request it to be deleted. You must have mechanisms in place to enable the deletion of an individual’s data. Alternatively, a data subject can instead request that you stop processing personal data for a specified purpose. In this case, you do not delete the personal data but stop processing the data for the purpose identified.
Document the geographical location and accessibility of personal data
Privacy regulations set restrictions on where personal data is processed or mandate appropriate mechanisms for transferring data outside a specified country or region. If you are processing personal data outside the country or region where the data subject resides, you must identify the appropriate legal mechanism for transferring data to another country or region. Your customers must inform their customers and users about where the data is being processed. You must pass this information on to your customers.
Consider the requirement of a feature to track data subject consent
The organizations using your application must obtain data subject consent in an appropriate manner to make the processing of personal data lawful. Depending on how data subjects interact with your application, you may require a mechanism to obtain their consent. If so, you must record how and when that consent was provided. You must also have mechanisms in place to remove that consent.
Make sure that appropriate contractual terms are in place with your customers
Privacy regulations distinguish between organizations as data controllers and organizations as data processors. Data controllers are organizations that determine the purposes and methods of processing personal data. Data processors are organizations that process personal data on behalf of the data controller. In most cases, you are a data processor, and your customer is the data controller. You must process personal data only on instructions from the data controller. You or your customer must create a legal document with those instructions. You ensure that you have signed the document.
Data processing addendum
Dear AppFoundry Partner,
In anticipation of the General Data Protection Regulation (GDPR), Genesys presents a DPA to our AppFoundry partners to govern the use of personal data as defined in the GDPR (Regulation (EU) 2016/679).
The partners are requested to complete and return a complete copy of the included Questionnaire and Data Processing Addendum as follows:
- Questionnaire
- Genesys Data Processing Addendum
- Company information and signature block (Page 1)
- DPO contact (Page 3)
- Company information (Page 7)
- Data processing description (Page 14)
- Data security description (Page 15)
- Subprocessor list (Page 16)
For any questions, contact Data.Privacy@genesys.com.
Regards,
Mario Moyron,
Chief Privacy Officer & EU Data Protection Officer
Genesys Telecommunications Laboratories, Inc.