WebTuna Software – position on GDPR

Background

The General Data Protection Regulation (GDPR) is an updated European privacy and data protection law that is in force from 25th May 2018 onwards. GDPR re-emphasises and reinforces existing data protection principles within the European Union (EU). GDPR also adds new rules that are designed to expand legal and privacy rights protections for EU citizens.

WebTuna Software understands the importance of effectively using data to solve modern business challenges, but also respects the need to protect people’s data and to fully comply with data protection rules, especially when it comes to personal data and the rights of individual data subjects.

Enhanced data subject rights

Consent. Consent must be specific, informed and freely given, and must be an unambiguous indication of the data subject’s agreement to the processing. Data subjects can withdraw consent at any time and must be able to do so as easily as they gave it.

Right to erasure. Data subjects have the right to require a data controller to delete personal data where the data controller does not have legitimate grounds to retain the data.

Data portability. Data subjects may request a copy of their personal data in a common digital format and have their personal data transferred directly between data controllers.

WebTuna Software and Application Performance

WebTuna Software is the company that owns, develops, maintains and operates the WebTuna performance monitoring service. Application Performance is a consultancy specialising in application software performance solutions. They are very closely related, and have the same owners and management team. Application Performance provides the sales and marketing expertise for WebTuna Software in addition to its other activities.

What is WebTuna

Customers who use the WebTuna service are typically companies who wish to monitor every web page interaction on their own websites, whether they are internal or external visitors, for the purpose of improving the performance of those websites.

They do this by adding small pieces of software to each web page, which collect information about the performance of each page as it is displayed. This includes the time taken to download the complete web page, a breakdown of the components, such as the images, scripts and style-sheets, and the type of device, web browser, and approximate location at which the web page is being displayed.

All of this information is sent to a WebTuna service, where it can be analysed in detail by the customer.

Examples of WebTuna usage

Typically WebTuna is used in 2 situations.

  1. A public-facing website. In this situation, the subscribing company will be looking to understand the performance of the public website, and how it is used across the globe. The users of the website will typically be anonymous, as they are generally unauthenticated. WebTuna will collect information on how the website performs in different locations and on different devices and browsers. This allows the subscribing company to understand how the performance of their website is affected, with the goal of improving the website performance and experience for all users, wherever they are located.
  2. An internal website, for example SharePoint. In this situation, the main users of the website are company employees. Often in this case, the username and other information may be collected in addition to the IP-address. This allows the company to improve the performance and content of their system to the benefit of all employees, and the company. The company would typically have clauses within their contracts of employment permitting them to collect such data about their employees. When an employee leaves the organisation, no further data is collected, although any history already present remains until it is purged as described under Data Storage.

In both cases, requests from a member of the public or an employee regarding what data has been collected etc. should be made to the subscribing company. We will provide every assistance to the subscribing company in meeting any such requests, should they request our assistance.

Personally Identifiable Information (PII) stored by WebTuna

By default, the only personally identifiable information that is collected by WebTuna is the IP-address for the connection that is being used by the user’s device. Depending on the design of the website / application, three further fields, Path, Title, and Query Parameters, may also contain personal information. This is outside of the control of WebTuna Software. We recommend to our customers, and their website and application designers, that they do not include or pass PII data via these fields.

Customers, however, can extend this information. WebTuna allows them to provide small pieces of code to override a number of data elements that WebTuna collects. Those data elements are username, IP-address, session, and web server. Although they have specific names, and therefore recommendations as to how they should be used, the customer may pass any data they wish to store in those data fields (subject to length), and it is outside of the control of WebTuna Software.

If the customer does not override these fields with data of their own, then WebTuna populates them with non-PII data, apart from IP-address as mentioned.

WebTuna attempts a reverse lookup using the IP-address to approximate the user’s geographic location, in order to allow the performance data to be represented on a geographical map. This technique may be reasonably accurate where a user has a direct internet connection with a fixed IP-address, or may be relatively inaccurate where the IP-address represents the location of the user’s ISP, or company’s internet proxy, for example.

Data Storage

WebTuna Services are currently run from a GDPR compliant data centre within the European Union, and all data remains stored within the EU.

WebTuna stores all data on website usage for up to 13 months from the time of capture, after which it is purged from the system completely. Although backups of the WebTuna data are taken to allow us to recover the system from complex and unforeseen events, no backups are kept for longer than 13 months either.

WebTuna data is stored in multi-tenanted databases such that data for any individual or subscribing company is not isolated from any other.

Data Requests

For the purposes of data protection, and GDPR, WebTuna Software acts in the role of Data Processor, and our customers, the subscribers to the WebTuna services, act as Data Controllers.

As such, requests under data protection regulations should be initially directed at the subscribing company, who will liaise with us appropriately.

We have reminded all our customers that, as WebTuna does collect PII, they need to make sure that they have included WebTuna under the arrangements they are making to comply with the GDPR requirements. We will support all our customers in complying with any associated data requests from users of their systems.

Who can see my WebTuna data?

The subscribing company controls who has access to the WebTuna data. Access to the User Interface (my.webtuna.com) is controlled via a password-protected login. One or more specified members of the subscribing company have ‘administrator’ access, which allows them to define who else has access to the data. They are responsible for the user maintenance on behalf of the customer, and can add, update, and remove any user.

In addition, a small number of employees of WebTuna Software Ltd, Application Performance Ltd, and their subcontractors, have access to the databases and systems that make up the WebTuna service, for operation, maintenance, licence compliance and product enhancement purposes. Data is only accessed when strictly necessary to investigate a problem, or perform a required upgrade etc, and is never divulged to anyone outside of that support team.

List of ALL data collected by WebTuna

The following table describes all the data collected by WebTuna on behalf of the customer for all sites containing the webtuna.js tag.

| Data Name | Use, and Description |
| --- | --- |
| Browser Family/Version/Mode | The browser name and version (plus compatibility mode in the case of IE), for example: IE 11.0 (7.0). |
| Device Family | The device family, for example: iPhone. |
| Client Name (ISP or Company) | The client name derived from the client IP, for example: BT. |
| Client IP | The client IP-address received at the WebTuna collector, or the X-Forwarded-For address from an intermediate proxy, or the overridden clientIP field in the webtuna.js beacon, for example: 192.168.1.1. |
| Country / Continent | The country name and continent name derived from the client IP, for example: United Kingdom and Europe. |
| Domain/Host | The domain / host name within the page URL, for example: my.webtuna.com. |
| Operating System Family/Version | The operating system family and version, for example: Mac OS X 10.13. |
| Protocol (HTTP or HTTPS) | The protocol within the page URL, for example: http:. |
| Path (Part of the URL) | The path within the page URL, for example: /. |
| Title (Page title) | The page title, for example: Blogs. |
| Query Parameters | The query parameters within the page URL, for example: ?type=page. |
| User | Either an auto-generated, random identifier or the overridden user field in the webtuna.js beacon. |
| Session | Either an auto-generated, random identifier or the overridden session field in the webtuna.js beacon. |
| Server | Either an empty string or the overridden server field in the webtuna.js beacon. |
| Referrer Host | The page referrer, for example: www.google.co.uk. |
| Request Type | The type of resource captured, for example: page. |

Users of my.webtuna.com

It should be noted that we use WebTuna to monitor my.webtuna.com, i.e. WebTuna Software subscribes to the WebTuna service! This does not affect the majority of users of a company’s website, as they will not visit my.webtuna.com. For those that do, WebTuna is both a data processor and a data controller.

We use the extensions described earlier to capture username, IP-address, session and web server. We use this information in accordance with the GDPR guidelines, primarily for us to maintain and enhance the product, in line with our normal roles as a data processor. However, with your consent, your information may also be passed on to Application Performance Ltd, in order to improve our service to you, as customers of ours.

For users of my.webtuna.com, we collect the following information in addition to all the data above.

| Data Name | Use, and Description |
| --- | --- |
| Username | Arbitrary name assigned to the user by the subscribing company’s WebTuna administrator. Used to log into the WebTuna service along with the password. |
| Password | One-way encrypted password. No one other than the user has access to the unencrypted password. A user may change their password at any time. It is recommended that the password is sufficiently strong and not easy to guess. |
| Name | First and last name of the user in order to identify them. |
| E-mail address | The email address for the user, used for alerts, reports and service updates. In addition, Application Performance may use this email address for marketing purposes, where consent has been given. |
| Company name | The organisation to which the user belongs. |
| Created date | Audit information. |
| Modified date | Audit information. |
| Last logged in date | Audit information. |
| Number of logins | Audit information. |