At Botify, we have a diverse international customer base, and we’ve always prioritized data privacy. Botify does not need any personal information to provide our service and all of our operations in the EU are already compliant with GDPR regulations.
As Botify was designed to respect privacy, the new European law won’t affect our services and doesn’t require our customers to take action. There will be no changes in our services, and our customers won’t notice a thing.
Unraveling the Mystery of The Circleville Letters.pptx
The GDPR: What, Why and How Botify is Compliant by Design
1. Nathalie Geoffrin
VP Support & Services
Prior to joining Botify, Nathalie was R&D Manager in a software company
providing digital identities. As such, she built a strong sense of the
importance of personal data and associated security concerns. She joined
Botify, fascinated by processing data at a larger scale, and by transforming
raw data to provide relevant information to our customers.
The GDPR: What, Why and How
Botify is Compliant by Design
Follow us: @Botify - #BotifyWebinar
2. The New Standard in
Organic Search Analytics
Follow us: @Botify - #BotifyWebinar
4. Botify is GDPR-Compliant
by design.
Botify does not process any personal data, this is why
Botify is GDPR-Compliant by design.
Intro Takeaways
Follow us: @Botify - #BotifyWebinar
5. 1. Goal, Scope and Principles of GDPR
2. What kind of Data does Botify Process?
3. Why Botify is already Compliant
Webinar Agenda
Follow us: @Botify - #BotifyWebinar
6. Part #1
Goal, Scope and Principles of
GDPR
Follow us: @Botify - #BotifyWebinar
7. Goal of GDPR
Article 1
(1) This Regulation lays down rules relating to the
protection of natural persons with regard to the
processing of personal data and rules relating to
the free movement of personal data.
(2) This Regulation protects fundamental rights and
freedoms of natural persons and in particular their
right to the protection of personal data.
(3) The free movement of personal data within the
Union shall be neither restricted nor prohibited for
reasons connected with the protection of natural
persons with regard to the processing of personal
data.Follow us: @Botify - #BotifyWebinar
8. Scope of GDPR
(1) Scope is the ’personal data’ of EU residents
(2) ’personal data’ means any information relating to an
identified or identifiable natural person
(3) ‘processing’ means any operation or set of operations
which is performed on personal data or on sets of
personal data, whether or not by automated means,
such as collection, recording, organisation, structuring,
storage, adaptation or alteration, retrieval, consultation,
use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination,
restriction, erasure or destruction (Article 4)
Follow us: @Botify - #BotifyWebinar
10. Part #2 What kind of Data does Botify
Process?
Follow us: @Botify - #BotifyWebinar
11. Botify crawls websites and does not request Personal Data
from Google Analytics.
Botify as “Processor”
Botify Analytics
Botify does not request Personal Data from Google Search
Console.
Botify processes your Log Files and does not request
Personal Data in the Log Files.
Botify Keywords
Botify Log Analyzer
Follow us: @Botify - #BotifyWebinar
12. A Log Line Example
Follow us: @Botify - #BotifyWebinar
13. Log Data we Request from Customers
- Date: Exact date of the request
- URL: The full URL with query parameters
- Referer: Page from which the connexion was made
- User-Agent: Browser or bot that issued the request
- HTTP Status Code: HTTP Status Code of the response (200, 301, 404, etc.)
- Domain associated with the URL
- Protocol: The protocol in which the file is provided (HTTP or HTTPS)
- Search Engine Crawler IP Address (googleBot, bingBot…): The bot IP for crawl lines (address of
the machine sending the crawl request).
Follow us: @Botify - #BotifyWebinar
14. No Personal IP are processed
Botify does not need, and does not use, any Individual IPs or Personal Data
for its processing.
If we receive an Personal IP Address, we keep it in the raw log files, and
discard it from the analysis.
We do not keep it in our product databases.
Follow us: @Botify - #BotifyWebinar
15. Processing Bot IP Addresses Only
For data accuracy, our customers can provide us with the search engines’ IP
Addresses (search engine IPs are public). Botify is interested in receiving Bot
IPs (not a Personal Data) to authenticate the Bots. It improves our dashboard
accuracy and value.
Read log line
(including IP)
Is it a bot line?
(based on User-
Agent)
Is it a real bot?
(based on bot IP)
Process line data,
remove IP
Compute
dashboard (no IP)
Provide
dashboard (no IP)
no
yes
Discard log line
no
yes
Follow us: @Botify - #BotifyWebinar
16. Part #3
Why is Botify Compliant
Follow us: @Botify - #BotifyWebinar
17. We do not need any Personal Data
● We ask clients to discard Personal IPs before sending log files to us
● We provide example scripts to help you out,
○ for CSV logs
○ and for JSON logs.
( https://www.botify.com/support/how-tos/ )
● The script:
○ removes any non-crawl and non-visit lines ('data minimisation');
○ and strips the IP address from any non-crawl line (no personal data
sent to Botify).
Follow us: @Botify - #BotifyWebinar
18. If you did not discard Personal IPs
If nevertheless we find some Personal IPs in your log files, we are
committed to remove this information before analyzing your data.
We only process the IP addresses with the
processing purpose “verify that the crawl
lines belong to expected crawl bots”
This processing takes place in the USA
under the US-EU Privacy Shield Agreement
We automatically remove IP addresses and
they are not available in any Botify reports.
We archive customer raw logs for a duration
of 6 months, in Europe, only in the purpose
of recomputing in case of any need.
No IP addresses stored
Crawl Lines = Crawl Bots US-EU Privacy Shield
Raw logs archived for 6 months
Follow us: @Botify - #BotifyWebinar
19. We commit to the
6 GDPR
Principles
Follow us: @Botify - #BotifyWebinar
20. Lawfulness, Fairness and Transparency
● We provide a Data Processing Agreement that you can download from
our website and that describes our processing and hosting providers.
● We created a Processing Register that describes:
● Our DPO: Charles Tenot, Global VP Finance and Operations
Hosting Services
Location
Processing
Activities,
processing
purpose
Security
Measures
Follow us: @Botify - #BotifyWebinar
21. Purpose Limitation
● We do not use Personal Data at any point in our process for any purpose
related to the individual. We do not obtain any information related to
physical persons from our processing.
● We only use the bot IP Addresses to improve the accuracy of bot traffic
information.
● We commit to limit the processing to the scope of the contract, and to
remove personal IP addresses, if provided.
No Use of Personal Data
Follow us: @Botify - #BotifyWebinar
22. Data Minimisation
● IP Addresses verification for bots is the very first step of our process.
● We discard the IP Addresses as early as possible in our processing.
● We do not store the IP Addresses in the app database, they are only
located in the raw logs you provided and in the archives.
IP Addresses are not Stored
Follow us: @Botify - #BotifyWebinar
23. Storage Limitation
● We only store the raw logs, for reprocessing purpose in case of error.
● We keep the raw logs for 2 weeks on your FTP server, then we archive
them for 6 months.
● These are default durations that you can ask us to reduce if you prefer.
● Storage and Archiving take place in the EU.
Raw Logs are kept 2 weeks and archived 6 months in the EU
Follow us: @Botify - #BotifyWebinar
24. Integrity and Confidentiality
● The airlock you uploaded the files to is a secure server.
● Log file transfer between the airlock you uploaded the files to and the app, and
between the airlock and the archiving server, are secure (ssh-based) transfers.
● Archiving server is a secure server.
● Access to Raw Log files is limited to dedicated Engineers, for integration, support
and engineering purposes. Awareness, training + contract.
● We will inform our customers as early as possible if any breach
or data loss occurred on your log files.
From Upload to Archive, Servers are Secure
25. ● We do not need Personal Data in any of our apps.
● The only Personal Data that may be processed by Botify are Personal
IP Addresses in Log Files if customers provide them.
● We provide sample scripts to help you send us logs without Personal IP
Addresses.
● If you send us Personal IP Addresses, we are GDPR-compliant anyway.
Summary
Follow us: @Botify - #BotifyWebinar
26. Let’s keep in
touch
Any questions? We are
here to help!
dpo@botify.com
Follow us: @Botify - #BotifyWebinar
27. GSC vs. Scraping: Go Beyond
Rankings
DON’T MISS OUR NEXT WEBINAR
www.botify.com/webinars
BOTIFY COMES TO YOU!
Follow us: @Botify - #BotifyWebinar
SaaStr Europa
June 14th - Paris
IRCE
June 5th -Chicago
SMX Paris
June 12th - Paris
SMX Advanced
June 11th - Seattle
passer dès que Thomas a lu le motto, il ne commente pas
Thank you for attending this webinar on GDPR at Botify. As you all know, GDPR is a regulation regarding data protection that was adopted 2 years ago by the EU and is enforced tomorrow May 25th 20-18. The goal of this webinar is to explain to you why Botify is compliant to this regulation.
Merci de participer à ce webinar au sujet du RGPD et de sa mise en oeuvre chez Botify. Comme vous le savez tous, le RGPD est un règlement européen concernant la protection des données qui a été adopté voici deux ans et qui entre en application demain, le 25 mai 2018. Le but de ce webinar est de vous expliquer en détail pourquoi Botify est conforme à ce règlement.
We don’t need any personal data in our platform, we don’t need personal data from our customers, we don’t use any personal data in any of our dashboards. All the dashboards that we provide are data dashboards with metrics regarding URLs or Keywords, not users.
have a global, European, law, and not national laws with national differences
improve protection of physical persons, and improve their rights
give a framework for security of personal data
simplify administrative work for multinational companies
1. Le présent règlement établit des règles relatives à la protection des personnes physiques à l'égard du traitement des données à caractère personnel et des règles relatives à la libre circulation de ces données.
2. Le présent règlement protège les libertés et droits fondamentaux des personnes physiques, et en particulier leur droit à la protection des données à caractère personnel.
3. La libre circulation des données à caractère personnel au sein de l'Union n'est ni limitée ni interdite pour des motifs liés à la protection des personnes physiques à l'égard du traitement des données à caractère personnel.
a- processed lawfully, fairly and in a transparent manner
=> inform the person about the processing that will be made, obtain consent, then processing must comply with what was described to the person when they gave their consent
b- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
=> purpose limitation: consent must be specific to a purpose and data cannot be later processed with another purpose
c- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
=> data minimisation, we don’t collect any unnecessary data
d- accurate and, where necessary, kept up to date
=> accuracy
e- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
=> storage limitation for a minimal duration
f- processed in a manner that ensures appropriate security of the personal data
=> integrity and confidentiality
The controller must be compliant with the 6 principles and must be able to demonstrate his compliance. And we are going to demonstrate our compliance to these 6 principles in this webinar.
a) traitées de manière licite, loyale et transparente
=> informer la personne du traitement qui va être effectué, obtenir son consentement. Le traitement doit respecter ce qui a été convenu au moment du consentement.
b) collectées pour des finalités déterminées, explicites et légitimes, et ne pas être traitées ultérieurement d'une manière incompatible avec ces finalités
=> limitation des finalités: le consentement doit être spécifique et les données ne doivent pas être réutilisées par la suite pour d’autres finalités
c) adéquates, pertinentes et limitées à ce qui est nécessaire au regard des finalités pour lesquelles elles sont traitées
=> minimisation des données, on ne collecte pas de données superflues.
d) exactes et, si nécessaire, tenues à jour
=> exactitude
e) conservées sous une forme permettant l'identification des personnes concernées pendant une durée n'excédant pas celle nécessaire
=> limitation de la conservation
f) traitées de façon à garantir une sécurité appropriée des données à caractère personnel
=> integrité et confidentialité
Enfin, le responsable du traitement est responsable du respect de ces 6 principes et doit être en mesure de démontrer qu’il les respecte, et c’est ce que nous allons faire pendant ce webinar.
a- inform the person about the processing that will be made, obtain consent, then processing must comply with what was described to the person when they gave their consent
b- purpose limitation: specified and explicit consent for the processing
c- data minimalisation
d- accuracy
e- storage limitation for a minimal duration
f- integrity and confidentiality
BA/BK : We receive aggregated data without any personal information.
There is no processing of IP addresses of human beings: we don’t need the data, and if we receive it, we do not use it. We use the visit lines of the logs to provide you with performance information about your URLs, not to provide specific information about “who the visitor is”.
Why do we like to receive the bot IP addresses in your log files? For data accuracy. There is a lot of crawl on the Internet, and some crawlers declare they are googlebot even if they are not. We use the bot IP address to make sure the it belongs to the search engine, to make sure the crawl log line really comes from google, or bing, etc. It allows us to authenticate the bots, to remove fake bot lines, and to provide accurate dashboards regarding number of URLs crawled or crawl volume.
Transition: usually, putting this in place is a 3-5 days work for your technical team. We understand it can be complicated for you, depending on your infrastructure and tooling.
As we said in the beginning, the data controller must be compliant with the 6 principles and must be able to demonstrate his compliance. Do let’s go through the principles again to confirm that, in case we receive any personal IP addresses, we are GDPR-compliant.
Comme on l’a dit au début, le responsable du respect de ces 6 principes et doit être en mesure de démontrer qu’il les respecte, donc parcourons-les à nouveau pour bien confirmer que, si nous recevons des adresses IP personnelles, nous sommes conformes à la RGPD.
We can sign your Data Processing Agreements, or we can provide one. We signed Data Processing Agreements with our hosting providers.
DPO - Data Protection Officer ensures that we apply the laws protecting individuals’ personal data.
DPO - Délégué à la Protection des Données.
If you send us Personal IP Addresses, we don’t have a use for them and we discard them as soon as possible.