General Data Protection Regulation


This note shows how Morro Data customers can use the Morro Data Service and be GDPR compliant.

As any EU IT Provider or Manager will by now know, “GDPR” stands for “General Data Protection Regulation” and it goes into effect on May 25th of this year. GDPR is designed to protect how personal information of EU (European Union) citizens is collected, stored, and shared.

A quick recap on what Morro Data is with respect to and in the context of GDPR. Morro Data provides file services through its CloudNAS product line that enables users to Store, Access, Share and Archive unstructured data files. Users access the system through a local on-premises CacheDrive that behaves just like a regular NAS or File Server. The files are kept in the cloud using 3rd party public object storage providers. The CloudNAS product manages device and file system configurations and management, as well as user permissions for which file shares can be accessed. Thus, the Moro Data CloudNAS File Services can be viewed as file management middleware that sits between users and the 3rd party object store. While Morro Data optionally bundles Cloud Object Storage with its plan subscriptions, we do not provide the object storage itself or manage our own data centers. By using or selecting GDPR compliant cloud storage and services, the Morro Data service and its customers can be GDPR compliant.

Within the definitions of GDPR. Morro Data is a data processor, our customers are the data controllers. Morro Data does not deal directly with personal information. Morro Data also markets and sells it product and services to business users or their managed service providers (MSP) only, we do not market or provide services directly to individuals and consumers.

To utilize Morro Data in a GDPR compliant way, we recommend for customers:

  • Morro Data Service
    • As the data controller, the customer will be responsible for managing their user information
    • Morro Data will only hold the Customer or MSP’s business information
  • Morro Data CloudNAS File Services utilizes 3rd party object storage. We bundle object storage with our Service plans or you can Bring your Own Storage
    • For simplest compliance, we recommend that for GDPR, customers use the option of storing your data in an Amazon region in the UK or EU utilizing your own account. This puts the data store under your full control and in a EU region. Amazon is GDPR compliant.
    • All our alternate Cloud Object Store partners intend to be GDPR compliant, and can be considered (Amazon AWS, Wasabi, Backblaze)
  • User Identity Management
    • Morro Data is compatible with and we recommend you use Microsoft Active Directory Identity Management to manage your user permissions and access to the File system
    • With Microsoft AD, customers directly control user identity and permissions on the system
  • Follow GDPR best practice in storing PII in file contents stored via Morro Data
    • Use Anonymization and Data minimization
  • Encryption
    • Within CloudNAS Data is encrypted at rest in cloud and in transit to cloud
    • Morro Data does not process the contents of files stored in CloudNAS
  • Audit
    • Morro Data provides an audit function that allows IT Managers to identify and review system access for compliance and retrospective breach investigation needs.

Morro will continue to make changes to our current Terms and Privacy Policy to align them with the GDPR and satisfy the required contracts between the controller and processor.

Morro Data is looking for Managed Service Provider partners to offer CloudNAS services in the EU and UK and be the business relationship interface with EU Customers. If you are interested in becoming a partner contact us.