Cartika Blog

GDPR Compliance

The recent regulation in the EU law entitled “General Data Protection Regulation,” (known as GDPR) is an extensive set of privacy regulations dictating the rights of EU citizens to understand what personal information is held by companies, what they use the information for, along with the ability to delete their personal information from companies databases. It is also a set of regulations which mandates how companies must adhere to the above rights of EU citizens, and also, in our case, some pretty explicit guidelines with how data services, which deliver, serve and/or store personal data need to be handled. Fortunately, for Cartika and our customers, we are a Canadian based organization, which has been required to operate under a similar Personal Information Protection and Electronics Document Act (known as PIPEDA), for a significant period of time. Between GDPR and more stringent PIPEDA requirements coming May 25th and June 1st 2018 respectively, Cartika was amply prepared to meet and exceed such requirements for all of our customers – both in how we handle and use customers personal information, as well as, with the data services we deliver to our customers and their respective environments.

As such, when we as Cartika, discuss privacy and compliance, we need to separate this discussion into 2 segments.

1) How we handle our customer’s personal data and how compliance is met with respect to our business and our direct relationships with customers. Having already operated under PIPEDA for years, with respect to the handling of customer’s personal data, we consider ourselves well ahead of the curve and have been, and continue to meet and exceed any privacy legislation which currently exists, including GDPR. However, GDPR has some specific requirements to allow users to view the personal data we have stored for each customer, the purpose for storing the data, the ability to download a copy of such data, and lastly, the ability to delete themselves from our systems completely. As much as this is possible and legal (where in Canada, for tax purposes, we are required to store 7 years of financial data and simply cannot just delete such data and even basic identifying data to remain compliant with the Canadian Tax laws), we have implemented a self-serve option within our accounts portal to facilitate every GDPR requirement. Here at Cartika, we have operated under the most stringent privacy legislation and policies which have ever existed for almost 20 years. We do not limit privacy protection based on customer’s geography and citizenship, instead, we provide the maximum level of privacy legislatively required anywhere in the world, to all of our customers by default. Customers from ANY country (and not just the EU), can now access their accounts portal (, navigate to accounts tab > overview – and as per screen capture below, can see a detailed list of their personal data, the purpose and usage for that data, download a copy of the report, and lastly, delete their data and profile from our systems completely. Please note, we cannot form a business relationship with a person or organization who does not provide basic personal information for the purposes of account management and billing, and as such, anyone requesting that their personal information be deleted from our systems must a) have an account in good standing with no open/unpaid invoices and b) must terminate any services we are providing.

GDPR compliant infrastructure management

2) How we provide compliance with infrastructure and managed services that customers have contracted to Cartika. All Cartika customers, with Proactive or higher levels of management, are completely covered with respect to GDPR/PIPEDA compliance in their respective environments. Managing firewalls, backup, and recovery, endpoint security and AV systems, our recently announced Big Data and Machine Learning based analytics, graphical display and notifications capabilities and our Access Management layers. Cartika customers and their environments, managed by Cartika, are fully GDPR and PIPEDA compliant as of today. It is a hard GDPR and PIPEDA requirement that organizations must also address the portions of GDPR and PIPEDA which relate to your own business and internal operations (similar to what I outlined in point #1 above). Cartika customers on pure IaaS, self-managed environments are “ready” from a GDPR & PIPEDA perspective, but, it’s the expectation that such customers are managing the technology required for compliance as well as handling personal data and related compliance requirements on systems themselves.

As a result of the above, Cartika is in the process of restructuring all of our offerings to meet the reality we and our customers are facing today and moving forward. Our offerings will be presented by service level (pure IaaS, Proactive Managed to cover GDPR/PIPEDA and other personal privacy protection laws which may arise in the future and advanced compliance for HIPAA & SOX/FISMA). Our pure IaaS offering allows customers to simply purchase resources from us, and manage their own environments and compliance. However, for customers who require a plug and play, managed offering that ensures compliance with GDPR & PIPEDA, our newly positioned proactive management offerings will accommodate this out of the box.

Cartika pricing for respective service levels will be rising here in the near future, however, as always, Cartika will include all of the above value to our existing customers, without altering the price of any existing service levels for any of our customers. It is our existing customers which have allowed us to build and grow this business, and have allowed us to build and develop the tools required to take us into the future. As a thank you, to ALL existing Cartika proactive or higher managed customers, your pricing for all existing services will remain the same and will be grandfathered for as long as those services are active. We will also work with such customers, on a case by case basis, and are absolutely willing to negotiate and meet in the middle between your existing rates, and our new rates for new services implementations you may be planning.

Lastly, and worth mentioning, I wanted to bring up the subject of our legacy shared hosting customers. These are services we have not offered for quite some time now. As these compliance requirements become more and more strict, and more and more countries introduce such requirements, it’s imperative we move our business and our offerings forward into the future. We simply are not able to provide compliance in shared environments moving forward (however Cartika customers can provide shared environments to their customers under our proactive management and remain compliant with GDPR and PIPEDA). Unlike most other organizations, we refuse to simply “Sell Off” our legacy shared hosting business, as without these customers, over all of these years, we simply would not be where we are today. We recognize that and want to thank our shared hosting customers for the years and years of being loyal customers. Cartika was always a more expensive provider for your shared hosting requirements. You did not choose us because we were cheaper than the next company. Our legacy shared hosting customers specifically chose to pay significantly more money to have their data and services with Cartika – recognizing the value we brought at our price point. For these customers, and as a THANK YOU from Cartika, I would ask you to come along with us into the future. We will ask you to pay a little more than you are today, but for that little more, you will be on your own proactively managed virtual environment, and off of shared hosting. You will have full compliance with GDPR, PIPEDA and any other privacy legislation which may arise in the future. As a THANK YOU from Cartika, this will cost you significantly less than any of our other customers are paying and much less than any future customer will be paying. After years of paying the premium to be a Cartika customer and receive our hosting services and support, your reward is to move with us into the future, and pay much less than anyone, anywhere else, for a plug and play, managed, isolated and compliant environment.