Phone icon +45 45 34 44 00
Book meeting

Documentation

5. Choice of Architecture

When designing the architecture of your application, you must identify the personal data collected and define a process and lifecycle for each of them. The choice of storage method (local storage, server, cloud service) is a critical decision that must be adapted to both your needs and your technical knowledge. Registration and execution of a privacy impact assessment (PIA) can help you make the right choice.

Review of Data and Process Lifecycle, from Collection to Deletion

  • Sketch and describe how the product generally works before starting your project, with a diagram of data flows and a detailed description of the processes performed.

  • When data is only stored on the user’s device (local storage) or remains within networks controlled by the user (e.g., Wi-Fi or other local networks), the main focus is data security. Users must be able to determine the storage period and deletion of their data.

  • When data is sent via online services, you must choose between hosting the data yourself or using a service provider, depending on your security knowledge and the desired service quality. Recognized cloud solutions can offer higher security levels, but they also introduce new risks that must be managed. Recommendations for companies planning to use cloud services can help you in this decision process.

If You Use External Hosting

  • Choose a service provider that guarantees appropriate security and confidentiality measures and sufficient transparency.

  • Make sure you know the geographical location of servers. You may be required to transfer data outside the EU/EEA. While data can move freely within the EU/EEA, transfers outside this area require ensuring an adequate level of data protection. CNIL offers an online map showing different levels of data protection in countries around the world.

  • If you need to host health data, make sure the provider is certified or approved for this activity.

  • Other important aspects to be aware of:

    • Existence of an accessible security policy;
    • Physical security measures at the hosting site;
    • Encryption of data and other mechanisms ensuring the provider does not have access to entrusted data;
    • Management of updates, rights management, personnel authentication, and security in connection with application development;
    • Easy and flexible reversibility/portability of data in a structured and commonly used format, which can be requested at any time.

Need a penetration test?

Contact us for a no-obligation conversation about your security needs.

Contact us