Implications of the GDPR on OneSpan Authentication Server

The security and privacy requirements related to the processing and storage of personal data regulated in the GDPR impact OneSpan Authentication Server, its components, and side products.

To comply with the GDPR, OneSpan Authentication Server, its components, and side products fulfill the following requirements:

Personal data is encrypted when in transit and when at rest (see Automatic encryption of data at rest and in transit).
Personal data can be deleted upon request (see Erasure of personal data in OneSpan Authentication Server).
Personal data can be exported in a structured and common, machine-readable format (see Data portability).

Types of personal data in OneSpan Authentication Server

OneSpan Authentication Server stores or processes personal user data in the following locations:

User database
Audit database
Audit log files
Diagnostic log files (if tracing is enabled in OneSpan Authentication Server)

Table: Personal data in OneSpan Authentication Server (Overview) provides an overview of the type of personal data and the location in OneSpan Authentication Server, where personal data is stored and/or processed.

Table: Personal data in OneSpan Authentication Server (Overview)
Personal data	User database	Audit database	Audit log files	Diagnostic log files
User ID	✓	✓	✓	✓
Authenticator serial number	✓	✓	✓	✓
User name	✓	✓	✓	✓
Description	✓	✓	✓	✓
Phone number	✓	✓	✓	✓
Mobile phone number	✓	✓	✓	✓
E-mail address	✓	✓	✓	✓
Authentication behavior	✓	✓	✓	✓
Computer name (Digipass Authentication for Windows Logon)	✓	✓	✓	✓
IP address		✓	✓	✓

Implications of the GDPR on OneSpan Authentication Server

Types of personal data in OneSpan Authentication Server

Log in

Two-step verification is required