GDPR: the commitment of MegaMTA

The GDPR grants new rights to users. Because the platform is compliant, MegaMTA can respond to the requests of users who wish to exercise their data rights.

  • Right of rectification: any User can change their data at any time.
  • Right to be forgotten: a User who wishes to exercise the right to be forgotten can do so directly from the "Your Account" page.
  • Right to portability: any User can export the information the platform holds about them as .txt files.
  • Right of access: through the "Your Account" page a User can view all the information that MegaMTA holds about them.

Data access, management and security

Each MegaMTA User logs in with the email address used to register; for every access a disposable access token is generated and sent to the User by email. All data that the User uploads to the platform is saved on our systems, giving the User full control over how it is managed, searched and accessed.

The MegaMTA architecture is that of a modern "software as a service" application. However, since the privacy and security of our users has always been our priority, we chose to keep the database encrypted.

This solution gives us several advantages, including a very high degree of flexibility in areas such as data recovery.

Application and communications security

The platform applies a set of basic rules that constitute adequate measures for security and data processing:

  • Encrypted transmission using SSL, both during login and while using the platform
  • Access tokens saved in an encrypted, non-reversible format (hash); no member of MegaMTA staff can know them
  • Login pages with controls that prevent unauthorized access and "brute force" attacks
  • Access via a two-factor authentication system
  • A detailed access log made available to Users

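The disposable emailed access token described above, stored only as a hash and protected against brute force, can be modelled as follows. This is an added example, not MegaMTA code: the in-memory store, the 15-minute token lifetime, the lockout threshold and the `send_email` callback are assumptions of the example, and the access-log entries show how each attempt can be recorded for the User.

```python
"""Single-use emailed login token, kept server-side only as a hash (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of an emailed login link
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold per email address


@dataclass
class PendingLogin:
    token_hash: bytes          # SHA-256 of the token; the token itself is never stored
    expires_at: float
    used: bool = False


@dataclass
class TokenStore:
    """In-memory stand-in for the database tables behind the login flow (assumed)."""
    pending: dict = field(default_factory=dict)     # email -> [PendingLogin, ...]
    failed: dict = field(default_factory=dict)      # email -> consecutive failures
    access_log: list = field(default_factory=list)  # (email, event, timestamp)

    def log(self, email: str, event: str, now: float) -> None:
        self.access_log.append((email, event, now))


def hash_token(token: str) -> bytes:
    """One-way hash: reading the table does not yield a usable token."""
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_token(store: TokenStore, email: str, send_email, now=None) -> None:
    """Create a random single-use token, hand the plaintext to the mailer, keep only the hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    store.pending.setdefault(email, []).append(
        PendingLogin(hash_token(token), now + TOKEN_TTL_SECONDS))
    store.log(email, "token_issued", now)
    send_email(email, token)            # the plaintext leaves the server only inside the mail


def redeem_token(store: TokenStore, email: str, token: str, now=None) -> bool:
    """Accept the token once, within its lifetime, and record the outcome in the access log."""
    now = time.time() if now is None else now
    if store.failed.get(email, 0) >= MAX_FAILED_ATTEMPTS:
        store.log(email, "login_locked", now)   # brute-force control: refuse further guesses
        return False
    candidate = hash_token(token)
    for record in store.pending.get(email, []):
        # Constant-time comparison so a wrong guess cannot be refined byte by byte.
        if (hmac.compare_digest(record.token_hash, candidate)
                and not record.used and now < record.expires_at):
            record.used = True                   # single use: a replayed link is rejected
            store.failed[email] = 0
            store.log(email, "login_ok", now)
            return True
    store.failed[email] = store.failed.get(email, 0) + 1
    store.log(email, "login_failed", now)
    return False


if __name__ == "__main__":
    # Constructed walk-through: issue a token, use it once, then see the replay refused.
    demo_store, outbox = TokenStore(), []
    issue_token(demo_store, "user@example.com", lambda _e, t: outbox.append(t))
    print("first use :", redeem_token(demo_store, "user@example.com", outbox[0]))
    print("replay    :", redeem_token(demo_store, "user@example.com", outbox[0]))
    print("access log:", [e[1] for e in demo_store.access_log])
```

The email address is the non-secret lookup key, and the secret token is compared only through `hmac.compare_digest`; a database dump therefore contains nothing that lets someone log in, and an attacker guessing tokens is stopped by both the 256-bit token space and the per-address lockout.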
Security is not limited to the use of the platform; it is also a requirement for the communications we send. MegaMTA uses the DKIM (DomainKeys Identified Mail) standard when sending messages. This is an authentication system that lets the recipient "certify" that the content of the message received is the content the sender originally sent.

In addition, the entire email is encrypted in transit using the TLS protocol, so that it cannot be altered or read without authorization while it travels to its destination.

In addition, all links contained in emails, including any redirections, are automatically checked by our systems to prevent spam, malicious use of the platform and theft of data (including personal data).

Security in data processing

Data uploaded to the platform is retained and backed up, and is automatically deleted within 20 days of the User's request for cancellation.

MegaMTA has a dedicated privacy and compliance team that oversees the organization's security and its compliance with applicable laws. Everyone who works for MegaMTA, and in particular anyone who may have access to User data, has received adequate security and privacy training and follows clear provisions to safeguard the confidentiality, integrity and availability of the data.

All access is restricted by a system of permissions based on role and purpose of use, which ensures that only authorized persons can access data or servers. Even authorized personnel cannot view Users' personal data without additional authorization, which is always tied to a specific, traceable request from the User or to prior authorization from the compliance team to investigate non-compliant behavior. Roles and access rights are reviewed regularly.

Consent

The Regulation requires the data controller (MegaMTA) to be able to demonstrate that the data subject has consented to the processing of their personal data. This has always been a priority for us, and for this reason our users can find all the necessary tools, kept up to date, to manage consent properly:

  • Registration confirmation (double opt-in) implemented as standard on our forms
  • A clear "Account History" page for each User that includes every element needed to demonstrate the data subject's consent

Temporal validity of the consent

The GDPR provides that it is the responsibility of the data controller (MegaMTA) and its managers to establish the data retention times and to ensure that this period is limited to the minimum necessary.

The Personal Data processed will be kept by MegaMTA until the User revokes consent; however, the User is periodically and automatically asked:

  • To renew consent
  • To update their data

If the User revokes consent, MegaMTA will no longer use the User's Personal Data.

Tools for exercising the rights of data subjects

To allow data subjects to exercise their rights (access, cancellation, restriction of processing, portability), we have placed the relevant functions, clearly and intuitively, within the "Your Account" area. Each User / recipient can directly exercise not only the right to cancellation (opt-out) but also the right to:

  • Know what data is processed through the platform
  • Restrict their processing
  • Request not to be tracked
  • Personalize the content of communications
  • Portability: export of personal information

To allow data subjects to exercise the right to have their personal data erased, the MegaMTA platform offers the "Unsubscribe for exercise of the right to be forgotten" function: through this function the data subject is unsubscribed and all additional data is deleted, except for the email address, the registration date, the registration IP address and the device used for registration, which are retained because they may be needed to demonstrate consent in the future.