
FAQ

Have more questions? Need answers? Review the below article we’ve created for more information on privacy and security frequently asked questions.

Data Lake FAQ

Introduction

As part of our ongoing commitment to deliver high-value services and offerings to our customers, CloudBlue has created an advanced data processing infrastructure, known as the CloudBlue Data Lake. This infrastructure enhancement is designed to further support the services CloudBlue provides to its customers. The CloudBlue Data Lake is intended to facilitate and enhance the provision of comprehensive data analysis, support reconciliation processes, and the delivery of sophisticated reporting and analytics services across its global operations. CloudBlue provides a sub-processor change notification to affected partners and is providing this FAQ so that our customers are fully aware of and informed about the steps CloudBlue has taken to secure the data you have entrusted to us. We are committed to privacy and data protection. CloudBlue is a fully owned subsidiary of Ingram Micro Inc. Any references to Ingram Micro herein should be understood to include CloudBlue.

Due Diligence

Ingram Micro has an established, extensive vendor review and onboarding process. Our Information Security, Legal, Privacy, and Compliance teams conduct due diligence reviews for each vendor, based on industry standards, some of which include:
  • the type of data being hosted or shared.
  • the confidentiality and sensitivity of the data.
  • the vendor’s privacy and data handling practices.
  • the vendor’s incident management and business continuity practices.
GCP went through this process. In addition to the publicly available contracts on GCP’s website, GCP and Ingram Micro Inc. entered into a separate contractual agreement that covers what we perceived to be gaps, to ensure your data is handled appropriately.

Impact

The change will be transparent to customers who use CloudBlue services. We are duplicating certain backend data from the CloudBlue offerings your company is using into the CloudBlue Data Lake on GCP. None of the functionality or services you currently use will be affected.

Privacy Principles

  1. Data Protection Agreements (DPA) – CloudBlue has data processing agreements in place with its customers, and we have agreed to Google’s DPA for the sub-processing activities.
  2. Auditing & Monitoring – Ingram Micro has verified these claims through various technical controls, including Approved Access, which means Google administrators cannot access Ingram Micro’s tenant without our approval. In addition, Access Transparency Logs let Ingram Micro know whenever a GCP administrator accesses our tenant configuration or any of the data in GCP. GCP provides robust monitoring and auditing tools that ensure our data is protected. The document Trusting Your Data with Google Cloud provides insight into GCP’s operational policies and procedures; a link to it can be found in the Additional Resources section.
  3. GCP Privacy Practices – GCP has published numerous documents on its privacy practices. We have summarized the important content below:
  • Customers control their data. The data stored in GCP does not belong to GCP, but to the user. They are the custodians of the data and process it according to contractual agreements.
  • Data stored in GCP is never used for advertising.
  • GCP is transparent about data collection and use. All processing complies with government regulations and privacy best practices.
  • GCP never sells customer or service data.
  • Security and privacy are inherent design criteria for GCP, which cascades to customer environments that use these services.

Compliance

Ingram Micro complies with global data security and privacy standards and requires suppliers such as GCP to adhere to these as part of the services they provide to Ingram Micro. GCP maintains a wide range of compliance certifications, including:

  • SOC 1
  • SOC 2
  • SOC 3
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • HIPAA
  • PCI DSS
GCP also complies with regional privacy and regulatory standards around the world, such as:
  • CCPA
  • PIPEDA
  • GDPR
GCP is a voluntary participant in the EU Cloud Code of Conduct to demonstrate its commitment to accountability, compliance support, and data protection principles. Data in the CloudBlue Data Lake will be hosted within GCP data centers in the United Kingdom.

Encryption

GCP has encryption at rest enabled by default. It uses the industry-standard AES-256 encryption algorithm in conjunction with the Tink cryptographic library for FIPS 140-2 validation. All GCP data centers, regardless of location, follow the same privacy principles, compliance controls, and operating standards.

Development and Maintenance

Our applications and data running on the Google Cloud environment were developed by CloudBlue using our Software Development Life Cycle (SDLC), which follows the Software Assurance Maturity Model (SAMM) methodology and Center for Internet Security (CIS) benchmarks. Security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort. The same process is used when new features and enhancements are added.

Common Questions

Q1: Will Google or GCP be able to access the data in the CloudBlue platforms (for example, number of subscriptions, prices, invoices, etc.)?

A1: No. Google personnel do not have access to the data in the CloudBlue Data Lake on GCP. We are not replicating personal data of end-customers.

Q2: Do customers or partners need to make any changes to their internal processes?

A2: CloudBlue is duplicating data from one platform (Azure) to another (GCP). You will not need to make any changes to your internal processes at this time. You will still use the already-existing web applications.

Q3: Where will the data be hosted?

A3: CloudBlue will store data in the CloudBlue Data Lake in GCP in the United Kingdom.

Q4: Is order history or any other information being sold to Google?

A4: No. CloudBlue is not selling any information to Google. CloudBlue has implemented technical compliance controls and measures to monitor its data to detect unauthorized access.

Q5: Is Google being given any personal information, such as customer names and addresses?

A5: Neither Google nor GCP has access to the data stored in GCP. Information stored within GCP is not accessible to or shared with other Alphabet, Inc. entities, such as Google’s other business units.

Q6: Can CloudBlue be more specific about information being shared with Google and for what purpose?

A6: CloudBlue is not sharing information with Google. GCP is an Infrastructure-as-a-Service provider and CloudBlue is using that infrastructure to store data for CloudBlue Data Lake. The environment used in GCP is administered by Ingram Micro, not Google.

Additional Resources

Google has published a number of documents regarding GCP that were used by Ingram Micro, both during our due diligence activities as well as in the creation of this FAQ. Links to each along with a brief description can be found below:

Cyber Security and Privacy FAQ


1. What is GDPR?

Answer: The General Data Protection Regulation (GDPR) is a European privacy law that became enforceable on May 25, 2018. The GDPR replaced the EU Data Protection Directive, also known as Directive 95/46/EC, and is intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state.

2. What is personal data?

Answer: Personal data is any information relating to an identified or identifiable natural person, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Note: under some local legislations the definition of personal data could cover other types of information and “personal data” is not equal to “customer data”. Customer data is a broader notion that typically includes transactional data and any other data processed through Ingram Micro’s products.

3. Are cookies considered personal data and are they subject to the requirements of GDPR?

Answer: Cookies can be considered personal data. The GDPR explicitly states that online identifiers, even if they are pseudonymized or if they do not directly identify an individual, will be considered personal data if there is potential for an individual to be identified or singled out. In addition, cookies can also be regulated by other European or local laws and regulations. For more information visit our Cookie Policy.

4. What is a data subject?

Answer: Data subject is any identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to any personal data. Note: under some local legislations the definition of data subject could cover legal persons as well.

5. What is considered processing of personal data?

Answer: Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

6. What is considered personal data transfer?

Answer: Data transfer is the act of transferring any personal data from one location to another through some communication method. Note: under some legal frameworks, the simple access to personal data hosted on a server in one location such as within the territory of the European Economic Area, from another location for example outside the European Economic Area can be considered a data transfer. Personal data transfer may be subject to specific legal requirements depending on the jurisdiction.

7. Can we transfer data from the European Union to other locations and to which locations?

Answer: Transfers of personal data from the European Union to a location outside the European Economic Area are allowed under the European legal framework if the specific legal conditions for such transfers are complied with.

8. What is a Data Processing Agreement (DPA)?

Answer: A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor or between the processor and its sub-processor. It regulates the scope of the data processing (such as the purpose, types of data, types of data subjects, etc.) as well as the relationship between the controller and the processor and their rights and obligations with regard to the processing of personal data. Essentially, a DPA is a form of assurance that the processor or sub-processor performs their obligations and shall ensure the protection of personal data. In some jurisdictions the execution of a DPA between controllers and their processors, or between the processor and its sub-processors, is a legal requirement. We offer a GDPR-compliant and industry-standard Data Processing Agreement.

9. Who owns the personal data processed using Ingram Micro services?

Answer: As a customer, you maintain ownership of the personal data you upload into Ingram Micro products. Therefore, you select what personal data can be processed, stored, and hosted through Ingram Micro products. We do not access or use your personal data for any purpose other than what is agreed upon with you in advance, except in each case as necessary to comply with the applicable laws or a binding order of a governmental body.

10. Who controls personal data?

Answer: As a customer, you control your data. We offer industry standard security features to protect and encrypt your data in transit and at rest which are appropriate to the risks presented by the processing of your data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing of your data, the nature of the data as well as the risk and severity for the rights and freedoms of natural persons. You manage your data and the access to your data, and access to Ingram Micro services and resources through identity and access policy based on users, groups, permissions, and credentials that you control.

11. Where is my data stored?

Answer: Ingram Micro data is stored in our Ingram Micro Data Centre and/or through a Cloud Service Provider infrastructure with highly reliable servers that guarantee optimal uptime and data security for all our customers and data (including order, asset, and tiers information within the platform).

12. I am an Ingram Micro Cloud customer. What is the role of the customer in securing their data in the Cloud?

Answer: When evaluating the security of a cloud solution, it is important for you to understand and distinguish between the security of the cloud, and your security in the cloud. Security of the cloud encompasses the security measures that Ingram Micro implements and operates. Ingram Micro is responsible for security of the cloud. Security in the cloud encompasses the security measures that you, as a data controller, implement and operate, related to the Ingram Micro products you use. You are responsible for your security in the cloud and responsible for receiving awareness education and training with regular updates as relevant for your business role.

13. I am an Ingram Micro Cloud customer. What is a shared responsibility model?

Answer: Security and data protection compliance is a shared responsibility between Ingram Micro and each customer. The shared responsibility model is a useful approach to illustrate the different responsibilities of Ingram Micro (as a data processor or sub-processor) and customers (as either data controllers or data processors) under the applicable data protection laws. Under the shared responsibility model, for example, Ingram Micro is responsible for the security of the cloud, while the customer is responsible for security in the cloud. Shared model configuration depends on the Ingram Micro cloud services that customers elect to use and how those services are integrated into customers’ IT environments. Depending on this configuration, the responsibility of the provider (processor or sub-processor) or the customer (controller), may vary.

14. What steps does Ingram Micro take to protect personal data?

Answer: At Ingram Micro, our highest priority is securing our customers’ data, and we implement rigorous contractual, technical, and organizational measures to protect the confidentiality, integrity, and availability of the information regardless of the region where the customer is located and the origin of the data. More information on the specific contractual, technical, and organizational measures implemented by Ingram Micro is available at Cyber Security Program Overview.

15. What if there is a security breach?

Answer: Ingram Micro has a security incident monitoring and data breach notification process in place and will notify customers of breaches of Ingram Micro’s security shield without undue delay and in accordance with the Ingram Micro DPA or in accordance with applicable laws and regulations.

16. Who should I contact if I have any questions about data protection, security, or privacy?

Answer: We recommend customers with questions regarding Ingram Micro’s data protection and security practices contact their account manager or submit a request via Contact Us.

17. Do you have a formal and documented security program that undergoes continuous improvement?

Answer: Ingram Micro has an Information Security Policy which describes all the security programs maintained across the organization. The information security policy shall be reviewed by the CISO on an annual basis. Ingram Micro has adopted the NIST Cybersecurity Framework (CSF) as our official cybersecurity framework. More information can be found via our Cyber Security Program Overview.

18. Are information security roles and responsibilities clearly defined and communicated to the employees?

Answer: Ingram Micro has clearly defined roles and responsibilities related to cybersecurity and privacy. The information security policies shall be communicated to all associates on an annual basis as part of mandatory annual training.

19. Is security awareness training provided to employees of Ingram Micro?

Answer: All users shall participate in annual information security, privacy, compliance, and awareness training and complete such training by the deadline established by the CISO. Specialized training is offered annually to developers.

20. List all the Compliance programs implemented by Ingram Micro.

Answer: Ingram Micro implements controls to comply with the following compliance programs: Payment Card Industry (PCI) Data Security Standard (DSS), Sarbanes Oxley Act (SOX), ISO 27001:2013. For more information visit Compliance, Regulations, Standards and Certifications.

21. Does Ingram Micro have a Privacy program?

Answer: Ingram Micro stores personal data only in approved company applications. Personal Data should only be collected and processed for lawful and legitimate business purposes. Sharing personal data with third parties requires CISO approval. For more information visit our Ingram Micro Global Data Protection and Privacy Program Overview and/or Privacy Statement.

22. Does Ingram Micro have a formal data classification which documents data access, labelling, and disposal requirements?

Answer: Company information should be classified correctly, protected, and securely distributed. We mark documents with their data classification: Highly Confidential, Confidential, and Public. We protect information based on its classification. We retain data based on our records retention schedule. Users must comply with Payment Card Industry (“PCI”) standards for processing, storing, and transmitting credit card data.

23. Does Ingram Micro use a Password Management system?

Answer: Ingram Micro does have a password management system. Requirements for passwords are defined and enforced across the organization. Users are prohibited from sharing their password with others. Remote access requires multifactor authentication.

24. Does Ingram Micro have an incident response plan? Please describe.

Answer: Ingram Micro has an established process for security incident response and a trained team. Response and recovery plans for incidents and disasters are established, managed, and tested. The incident response plan includes an investigation task to determine root cause and, where possible, attribution. Communication protocols have been established and are embedded in the incident response plan. See What if there is a Security Breach.

25. Do you have a vulnerability management system?

Answer: All the assets are scanned for vulnerabilities monthly. Vulnerabilities are remediated based on internal and industry standards.

26. Is there an acceptable use policy for information and associated assets?

Answer: We define acceptable uses of our data and assets. Associates are not to use company assets or time to access or distribute offensive material. Company assets should be protected from theft. All associates are responsible for ensuring that IM assets and non-public IM information are not left unprotected when they are not in use at personal and public workspaces. Theft or loss of company assets must be reported and investigated. All users must comply with laws, regulations, and compliance programs regarding the use of data, network, and computer systems.

27. Do you have an access control policy?

Answer: Associates should have the least privileges necessary to perform their job function. When approved, associates (or contract personnel) may be provided with access (including, when appropriate, administrative access) to Ingram Micro assets for the purposes of complying with our policies, to support their duties and responsibilities, or to perform an audit.

28. Do you periodically review access to information assets?

Answer: We periodically review access to ensure associates have the appropriate level of access for their position and responsibilities. We disable/delete access or IDs when they are no longer needed. Assets (physical devices, software, software-as-a-service, cloud infrastructure, internally developed applications, and tools, etc.) must be inventoried and kept up to date. Company Assets (including Company networks) are provided for business use. We define acceptable uses of our data and assets.

29. Is there a process to review and/or monitor information security incidents or events?

Answer: Users of Ingram Micro technology services are subject to monitoring on any Ingram Micro asset, system, or network where allowed by law. The information security department centrally collects and analyzes logs for anomalous behavior (security event). Security events are analyzed, correlated (from multiple sources), and potential impacts determined. The Security Operations Center (SOC) is responsible for leveraging the anomalies, events, and security continuous monitoring to detect and react to threats.
