From May 25th, 2018, the EU’s General Data Protection Regulations (GDPR) came into effect.

As part of our commitment to transparency, we’ve updated our software solution in preparation for the new data protection laws. We encourage you to read the GDPR Splynx compliancy document in full and contact us if you have any questions.

Splynx is a management software for Internet Service Providers (ISP in the following text). It means that our company doesn’t work directly with the data of individuals.

However, our clients operate in the B2C market and use our software to store their customers’ data. In this situation, Splynx s.r.o. works as a solution provider. The areas and conditions described below are when Splynx software works with the data of individuals and how our software complies with GDPR.

1. Storing personal information

1.1. Storing data of individuals in general

Splynx software is installed on the premises of an ISP company. In this case. all data is physically stored in the office or datacenter of our client. This means that our client is in charge of the physical security aspects of the server where the software runs.

Basic information that is stored in a Splynx database about customers is not sensitive. Data such as a customer’s address, phone number, passport/ID number, or bank account are requested by ISP based on the customer’s agreement. For example, the ISP cannot provide services without contacting the customer and cannot receive payments if it does not have the customer’s bank details. Technical information regarding a customer’s data tariff plan and a customer’s IP/MAC address is needed by the ISP to provide the service itself. There is no additional confirmation needed by the ISP from the customer to store this data.

1.2. Customer’s information

The information that is stored by default in Splynx software about a customer is as follows.

ISP administrators can create additional fields and store information about customers in these fields. If these fields feature sensitive data, the ISP company should gain permission from the customer to use this data. Splynx is not responsible for gaining this permission. This is the total responsibility of the ISP company.

1.3. Communication

Splynx software automatically sends emails and SMS to ISP customers in certain situations – when an invoice is created, when payment is received or when an invoice is overdue, and the service is put on hold. These emails are sent to end customers by the ISP because they are needed to provide the service and operate its business, and as such, the leading service agreement covers them. No additional confirmation from customers is needed in this instance.

Splynx does not provide a newsletter or similar service. If an ISP wishes to send promotional emails or SMS, they should obtain further confirmation from customers, and this confirmation should be stored in the newsletter/promotions platform.

Splynx stores all emails sent to customers. Splynx also stores replies from customers in the Tickets section. Tickets can be displayed to customers or hidden and available only for administrators.

1.4. Passwords

Splynx stores all passwords in an SQL database in an encrypted format. Any field that is defined as a password is automatically encrypted before saving to the database. The passwords are not displayed in logs or API calls. All customers’ passwords are by default hidden to administrators. Customers can reset the passwords to their portals using the email reset form.

1.5. IP addresses

IP addresses and MAC addresses are essential for an ISP company to access the internet. IP addresses are stored in the Splynx database in section IPAM – IP address management. IP address and MAC address are unique and can be assigned to one customer simultaneously.

1.6. Logs of sessions

Splynx stores information about IP sessions. The system stores a combination of IP addresses, the start session date time, and the end session date time. This allows an ISP company to find out quickly which customers were using an IP address in a certain period of time.

2. Administrative access to Splynx software

2.1. Access to the system

Our software operates with two different access portals. The first is for administrative access, and the second is for customer access.

Administrative access allows the administrators of an ISP company to manage and work with customers’ information. An ISP can give administrative access to its employees or third parties (resellers.) When a third party receives access to Splynx software, administrative access can be limited. The third-party will only be able to view and work with customers who have a contractual relationship with the third party.

The customer portal allows the customer to log in to an ISP system and view information about their services, invoices, payments, payment methods, statistics of internet usage, and to check the duration and cost of telephone calls

2.2. Access levels, roles, and permissions

Access roles – To achieve more granularity and tighten the security of user accounts, Splynx billing software supports access roles. The software allows an ISP administrator to assign permissions by providing predefined “roles” to choose from. These roles and their licenses are fully customizable at the administrator level. By selecting one of the predefined roles (Super administrator Administrator, Customer creator, Financial manager, Manager, New Role) during user account creation, the billing system applies the relevant permission settings for that role.

Permissions – while the roles are predefined levels of permissions, the Permissions themselves define which parts of the system can be displayed to or edited by the administrator.

2.3. Logs of operations

Every single action of the administrator in Splynx is tracked. View, Edit, Save, Delete, Rename, Change – anything an administrator does in the system is always saved in logs. All information is located in Administration → Logs → Operations. A search by customer, administrator, or action is available in this section.

3. Technology description

3.1. SSL communication

Our platform is web-based. Administrators and customers access it via web browsers. Preferred communication is HTTPS. Our team helps to set up the SSL communication on ISP

3.2. Two-factor authentication

Splynx software supports two-factor authentication. This configuration security feature enables system administrators to customize Splynx software tools by setting Google authenticator or similar software.

3.3. Encryption of passwords

The passwords of administrators, customers, PPPoE logins, routers, etc. are all encrypted in the SQL database with the server’s key. Passwords are not sent in plaintext in any client-server communication (HTTP, HTTPS, API, Exports)

3.4. Remote backups

Splynx s.r.o. provides a remote backup service to its clients. This means that a client’s server connects to our cloud storage once every 6 hours and pushes the changes from the database and application. All data from our clients and their customers are transferred over an OVPN encrypted tunnel. Data is transferred via Burb protocol which is also encrypted. The data is stored in the server in an encrypted format. You can read more about our backup platform here.

4. Splynx support access

4.1. Administrative access

We have our own proprietary software solution that our company uses for license management backup management and which allows our employees to access clients’ servers, provide assistance, resolve issues and restore data in the case of failure. 

When the system is installed, our clients can request remote support. Splynx has a tool – splynx-remote-support – and when this tool is installed, the client’s Splynx server establishes an OVPN encrypted tunnel to our cloud platform. This allows us to access the client’s server on a private IP address.

When our employees access the web administration of a client’s Splynx server, they use the administrator’s name, “splynx-remote-support”. They also use the password that is generated once every day. To access the client’s server, our administrator must also enter a one-time code that is created every 30 seconds. This strict authentication allows us to ensure that when one of our employees leaves the company and gets removed from the authentication system, they will not access a client’s servers.

4.2. SSH remote access

Similar to administrative access is our SSH access. We connect to a client’s servers via a private IP address of the OVPN tunnel. Our support people connect to the client’s servers with Public Keys and no password. The key is created based on the private key of the authentication server once every day. The Sudo password is also changed once per day.

4.3. Splynx internal sub-system logs

All access by our employees to a client’s servers is logged. We store information about web access and SSH access. In addition, we also store the history of commands that are run on the server, and web actions are stored in each Splynx server under “Administration → Logs → Operations”.