We sat down with Julien Champseix and Arthur Poirier at Brevo to discuss all things data security, from regulatory compliance to preventing cyberattacks, as well as our own approach to global data security. In the first of our three-part Conversations with the Experts, we take a closer look at what data privacy means for consumers.
Meet our data security experts
Julien is Chief Information Security Officer at Brevo. Since starting his position one year ago, Julien has overseen Brevo’s ISO 27001:2013 certification and continues to reinforce the company’s data security framework.
Arthur is Brevo’s Legal Manager and Data Protection Officer, ensuring GDPR compliance at Brevo as well as supporting clients’ conformity.
Consumers’ data privacy has never been more of a concern than in today’s world. Let’s start off with a question we often get asked by clients: Where and how does Brevo store users’ data?
Julien: At Brevo, our data storage strategy is what’s called hybrid, meaning we have both on-premise servers and cloud-based servers. The majority of our on-premise servers are located in France, but we also have on-premise servers in Germany to cater to clients in that market.
As for our cloud-based servers, we use Google Cloud Platform and store our data exclusively in Belgium. Keeping our data on cloud-based servers in the EU is a priority for us because it allows for better transparency across the chain of data processing. We also encrypt all our data before storing it on cloud-based servers. That gives us another layer of security in the case of a breach and is also part of our obligations as an ISO 27001:2013-certified company.
Can you tell us a bit more about the physical security measures of Brevo’s data centers? Who has access to the servers?
Julien: Only a select number of Brevo employees have access to our data centers. While technicians can physically access data centers for maintenance, they have no way to digitally access the servers. For example, they can change a disk or add a cable as needed, but even then we take extra measures during maintenance work to prevent a breach, such as temporarily disabling ports on the network equipment.
Backing up data
What’s the process for backing up user data? Do you store users’ data even after they’ve closed their account?
Julien: We’ve developed our own internal encrypted backup procedure across multiple data centers. Basically, a client’s encrypted data will first be stored at the data center nearest to them. This gives them the fastest recovery time in case of an incident. It’s then backed up at a second data center, further away.
Finally, a backup of clients’ encrypted data is stored on our cloud-based servers. So even if something were to happen at the first two data centers, we’d still be able to recover it.
Arthur: In compliance with the GDPR, we delete all personal data associated with closed or obsolete accounts within 100 days. We’re also bound by French law requiring French hosting providers to keep some data at the disposal of French authorities for a year.
Does that mean that you could recover lost data if a user accidentally deleted it?
Julien: We’ve had a few clients in the past who accidentally deleted data that’s essential to their businesses, and in these cases we work with the Customer Experience team to get everything up and running again for the clients.
That said, this kind of situation is rare. We work hard to make our platform easy to use and point people in the right direction when they need help. This helps us avoid having to recover individual clients’ data in the first place.
Protecting your own data
What can users do to protect themselves against cybersecurity threats?
Julien: In today’s world, data breaches and cyberattacks are becoming more and more common. What’s most important for us at Brevo is that the damage doesn’t reach our clients. That’s why we do everything we can to keep our applications and servers secure and our employees aware of threats.
As a user, having a complex password is the best way to keep your account totally secure. Brevo requires a password of at least eight characters. Beyond that, we strongly recommend using upper and lowercase letters, numbers, and special characters. Password rotation is also super important — ideally, every three months.
We also give users the option to use multi-factor authentication at login, which we also highly recommend. That’s when you need a code from a physical device, like a cellphone or laptop, as well as your username and password, to log in. It takes a bit more time, but adds an extra layer of protection to your account.
Arthur: Under the GDPR, individuals have rights when it comes to their personal data. The most common of these is what’s called ‘the right to object’, which is basically the right to unsubscribe from any specific use of your data, like receiving newsletters or automated emails. Brevo natively allows for all individuals to exercise their right to object to receiving electronic communications through the ‘Unsubscribe’ button included in all emails.
You also have the right to correct the personal information an organization has about you, the right to download a copy of your data, the right to know how an organization processes your data, and the right to have your personal data deleted.
Navigating data security as a consumer
For consumers today, navigating the digital economy while preserving data privacy can feel like a murky chore. Amidst news of data leaks and ever-evolving best practices and regulations, the role of consumers in protecting their own privacy is hardly straightforward.
At the same time, individuals and consumers have rights when it comes to their personal data and are becoming increasingly concerned with data security, pushing businesses to reinforce their cybersecurity strategies and become transparent about how they process data.
In Part II of our Conversations with the Experts, we discuss what data privacy means for small businesses and measures you can take to improve your business’ security.