GDPR and Updates to our Terms and Policies

On May 25, 2018 the European Union’s General Data Protection Regulation (GDPR) takes effect in all countries in the European Economic Area (EEA).

Norway, where Runbox is located, is part of the EEA and is implementing these regulations through its own legislation.

We welcome these new regulations as they greatly strengthen the rights of the individual to digital privacy and security, which we always have promoted and supported.

What is the GDPR?

The GDPR is a set of regulations declaring that the individual should have control over their personal data by specifying how such data may be collected, processed, and stored.

The regulations require that businesses and organizations integrate this right into their business practices through policies, procedures, and technologies that safeguard the users’ privacy.

Important principles are that personal data are processed lawfully, for legitimate purposes, and with explicit consent from the user. This means that your personal data can only be collected with your permission.

The regulation also sets forth a number of rights on the part of users of digital services:

  • The right to transparency about how data is processed.
  • The right to access and information about collected data.
  • The right to rectify stored data.
  • The right to erase data (“right to be forgotten”).
  • The right to restriction of processing.
  • The right to data portability.

GDPR also recognizes the term “privacy by design”, which means that privacy shall be considered in all circumstances when personal data is processed or stored. By also introducing “privacy by default”, GDPR states that appropriate measures must be implemented to ensure that personal data collected is only used for the specific purpose for which the consent is given.

How does Runbox implement the GDPR?

At Runbox we believe that the privacy and security of your data is essential, and that it’s important for you to be aware of your rights and your options when it comes to your personal data.

Runbox has therefore been working on the implementation of the GDPR throughout our organization and our services over the past three years.

The activities that implement the GDPR in Runbox can be divided into 3 main areas:

  • Internal policies and procedures
  • Partners and contractors
  • Protection of users’ rights

The first two areas include documentation of information security management and internal policies and procedures, as well as data processing and confidentiality agreements with our partners, contractors, and staff.

The third area relates directly to you as a Runbox user, and includes the terms and policies that govern your use of our services, how we aim to inform and educate our users about privacy, and how we are implementing tools and utilities that safeguard your privacy rights.

Runbox’ main areas of GDPR implementationRunbox' GDPR Implementation

Revised Terms of Service and Privacy Policy

As part of our GDPR implementation the Runbox Terms of Service and Privacy Policy have been revised:

While the Terms of Service has only been updated with minor changes, the Privacy Policy has been restructured and amended. It provides a comprehensive overview of the policies that govern your privacy as a Runbox user, and describes in an accessible way the types of data Runbox collects in order to responsibly and reliably operate an email service.

It also lays out how user data are processed and stored, how they are being protected, and what rights you have as a user of our services.

It’s important to us that you are informed about your rights and your options with regards to your privacy. We ask that you review the revised terms and policies by May 25, 2018 when they take effect, and invite you to contact us with any questions or concerns.

Continue Reading →

Our path to GDPR compliance — and how it will strengthen the protection of your personal data

Runbox has been focusing on privacy and information security from day one, and have paid attention to the strict Norwegian legislation concerning the processing of personal data ever since.

Norway is a member of European Economic Area (EEA) and as such has to implement certain EU regulations, even if Norway is not a member of the European Union (EU). When the European Parliament and the Council decided new legislation for the protection of personal data, that legislation also applied in Norway and has to be implemented by May 25, 2018.

The legislation, titled General Data Protection Regulation (GDPR), contains rules for how personal data should be processed. Using the terms of GDPR, this includes how, when, and under which conditions, personal data

  • can be collected, processed and stored, which demands explicit consent, and explicit stated purpose;
  • shall be rectified;
  • shall be deleted (right to be forgotten);
  • shall be released to the person that owns the data (right to portability);
  • could be transferred to third parties for processing, where a Data Processing Agreement (DPA) is mandatory;
  • could be transferred to processors outside EEA.

At Runbox we have followed the development of this new EU legislation from the very beginning, and as early as 2014 we initiated a project in order to become GDPR compliant.

As a first step we started developing a planning document which includes detailed plans for making our information security management complete and consistent. The document laid out a number of activities which are now outlined in 15 sub-projects, of which some are completed, and others are in process of being completed.

However, information security is a continuous effort and the sub-projects will give rise to additional activities far beyond the GDPR framework.

We will keep you updated.

Continue Reading →

Runbox is leaving the Facebook platform

#DeleteFacebook
#DeleteFacebook

At Runbox we work conscientiously every day to ensure that we act in accordance with our Company Values, and as an extension of these, our Terms of Service and Privacy Policy.

We have carefully implemented these policies in order to protect our users’ privacy as outlined in our Privacy Commitment, and we are currently working hard to obtain compliancy with the forthcoming General Data Protection Regulation introduced by the EU.

This also means that we are conscious about how Runbox interacts with other Internet services such as social media networks. Therefore we have been disappointed by the recent revelations about the privacy intrusions and unethical practices by Facebook.

As a consequence we have decided to remove the Runbox page from the Facebook platform.

Continue Reading →

Account Access Controls

It’s been a few months now since we launched the new authentication service that made Runbox Two-Factor Authentication possible.

Watching over your account

Behind the scenes the authentication service has been working to protect your account from unauthorised access. One of the ways it does this is by analysing the pattern of successful and failed logins for your account.

Using a set of rules it determines if a particular IP address should be allowed to access the service or whether it should be blocked from further attempts. It also determines which IP addresses should be treated with less caution as they are your legitimate IP address.

Obviously we can’t say too much about the rules used as this could compromise the effectiveness of this system, and we are always improving the rule set to take in to account new scenarios that we encounter

Giving you more information

The design of the authentication service allows us to share with you the IPs that try to access your account, and whether that access was successful or not. This can help you in troubleshooting problems you may encounter when setting up devices with your Runbox account, but it can also alert you to attempts at unauthorised access.

You can find this information on the “Access Control” tab at Account > Account Security.

Blocked IP addresses

We have also implemented new features on the “Access Control” page that show you the IPs that are blocked for your account. You can then decide if they should be permanently blocked or removed from the blocked list.

Giving you more control

In addition you can now also block IPs yourself or add allowed IPs that should always have access to your account when the correct username, password (and 2FA where applicable) credentials are supplied. This is done via the “Manage IPs” section.

 

A list of IP addresses you have allowed and denied yourself is visible at the bottom of the page in the Access Control List, and from there you can mange this IP addresses.

It’s also possible for Main account holders to set up rules for the Sub-account accounts they have control of.

We hope you find these new features useful, and if you need any help with them please see our help page about Access Control.

 

Continue Reading →

New Account Security features launched

We are excited to announce the launch of a new Account Security interface with Two-Factor Authentication (2FA) for Runbox.

This completes more than a year of development, and we are quite proud of the result. The new features will significantly improve the security of your Runbox account when you activate them.

Account Security features

The new Account Security interface includes 4 main features: Two-Factor Authentication, Manage Services, App Passwords, and Last Logins.

Used separately or in combination, these features add extra layers of security to your Runbox account.

Two-Factor Authentication

Two-Factor Authentication (2FA) is a log in procedure where an additional piece of information is required in addition to your username and account password.

This additional factor is a code that can only be used once, or for a limited period of time.

Two-Factor Authentication
Runbox Two-Factor Authentication

Runbox 2FA currently supports Timed One-Time Passwords (TOTP) and One-Time Passwords (OTP) as additional factors. We are planning to expand this with Yubikey or U2F support.

Manage Services

The new Account Security interface lets you disable various services such as IMAP, POP, and SMTP. These are the services you use when using an email app/program to access your mail.

By disabling services you are not using, you prevent attempts at unauthorized access to your account via those services.

App Passwords

You can also set up unique passwords for each of your apps or devices, giving you complete control over the access to your account.

If you then happen to lose a device you can simply delete the corresponding app password, effectively disabling access from that device.

Last Logins

This section shows a list of the most recent login attempts to your account from each service such as web, IMAP, POP, and SMTP.

If you suspect that there have been unauthorized login attempts to your account, you can review this list and take appropriate action.

How to set up Account Security features

To get started, just go to the Account Security screen to set up 2FA and the other security features.

We encourage you to review our Account Security help page for details about the new functionality first. This will ensure that you understand how 2FA works and prevent you from getting locked out of your account.

We welcome any questions or feedback you might have, either as comments to this blog post or via our contact form or support system.

Continue Reading →