DevOps Code ClearCase, DevOps Code ClearCase MultiSite, DevOps Code ClearCase - Cadence Integration Considerations for GDPR Readiness

For PID(s): 5724-G29, 5724-G37

Notice:

This document is intended to help you in your preparations for European Union General Data Protection Regulation (GDPR) readiness.

It provides information about features of DevOps Code ClearCase® that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation (GDPR). Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Table of Contents

  1. GDPR
  2. Product Configuration for GDPR
  3. Data Life Cycle
  4. Data Collection
  5. Data Storage
  6. Data Access
  7. Data Processing
  8. Data Deletion
  9. Data Monitoring
  10. Responding to Data Subject Rights

GDPR

General Data Protection Regulation (GDPR) has been adopted by the European Union ("EU") and applies from May 25, 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for processors
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification
Read more about GDPR:

Product Configuration for GDPR

The following sections provide considerations for configuring ClearCase® to help your organization with GDPR readiness.

ClearCase stores file data as generated by its users, often in the form of computer program source code or text documents. ClearCase may also store metadata (user account identifiers, time stamps, and similar) recording the history of changes to stored files/documents.

Review the ClearCase security considerations topic in the product documentation to learn how to deploy ClearCase securely.

A ClearCase local client deployment (dynamic and snapshot views, VOB servers, and ClearCase Remote Client (CCRC) WAN server) should be operated inside a local area network protected by firewalls. The service ports used by CCRC WAN server can be opened up to access from beyond the firewalls.

Data Life Cycle

This offering processes the Types of Personal Data listed below:
  • Authentication credentials (such as operating system or integration products' username and password)
  • Technically Identifiable Personal Information (such as device IDs, usage-based identifiers, static IP address, language settings, etc. - when linked to an individual)

This offering is not designed to process any Special Categories of Personal Data.

The processing activities with regard to personal data within this offering include:
  • Receipt of data from Data Subjects and/or third parties
  • Computer processing of data, including data transmission, data retrieval, data access, and network access to allow data transfer if required.
  • Storage and associated deletion of data

Technical support for this offering is provided by HCL Technologies, Ltd.

This offering may integrate with the following IBM offerings, which may process personal data content:
  • IBM® HTTP Server
  • Microsoft Visual Studio 2017, 2019, and 2022
  • Rational Application Developer for WebSphere Software
  • Rational Build Forge
  • Rational Build Forge Enterprise Edition
  • Rational Build Forge Enterprise Plus Edition
  • Rational Build Forge Standard Edition
  • Rational® ClearQuest®
  • Rational Collaborative Lifecycle Management Solution
  • Rational License Key Server
  • Rational Method Composer
  • Rational Modeling Extension for Microsoft .NET
  • Rational Rhapsody
  • Rational Software Architect
  • Rational Software Architect Extension for Communications Applications
  • Rational Software Architect RealTime Edition
  • Rational Software Architect for WebSphere Software
  • Rational Software Modeler
  • Rational Systems Developer
  • Rational Team Concert
  • WebSphere Application Server Developer Tools for Eclipse
  • WebSphere Application Server for Developers - Tools Edition for Eclipse
This offering may integrate with the following third party products, which may process personal data content:
  • Atlassian Jira
  • Cadence Design Framework II
  • Cadence Virtuoso
  • Microsoft Visual Studio

What is the end-to-end process through which personal data goes when using our offering?

A user's locale (language setting) is not stored in the ClearCase system. It is used only while the user is active to select appropriate translated messages and code pages.

Usernames and passwords are stored when the administrator has enabled change management integrations. See below.

Event records in ClearCase VOBs store user identities and timestamps as metadata associated with file versions and other metadata stored as part of the repository's change history.

Technical data identifying computer systems and/or users may be logged as part of normal system operation or as part of additional logging/tracing when diagnosing a problem or analyzing a system for improvements. This data may include, for example, IP address, protocols used and other settings related to the communication mechanism, such as browser levels and settings.

Personal data used for online contact with IBM

ClearCase clients can submit online comments/feedback/requests to contact IBM about product topics in a variety of ways, primarily the comment areas of the following, as applicable:

Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement https://www.ibm.com/privacy.

Data Collection

This offering collects the Types of Personal Data listed below:
  • Authentication credentials (such as operating system or integration products' username and password)
  • Technically Identifiable Personal Information (such as device IDs, usage-based identifiers, static IP address, language settings, etc. - when linked to an individual)

Data Storage

How can the client control the storage of personal data?
  • Storage of account data
    • Usernames and passwords are stored for integrations with change management systems, such as the Change Management Integration (CMI). When change management is enabled for a ClearCase deployment, ClearCase stores each user's access credentials for the configured change management system. The username and password are stored in the user's home directory. Passwords are encrypted with a fixed private key.
  • Storage of client Data
    • ClearCase stores client-provided data in versioned object base (VOB) repositories and in views. Data in views is usually transient and is eventually either moved into a VOB for long-term storage/reuse or destroyed by the end user when no longer required. Data in VOBs is stored indefinitely, typically shared among the authorized users of the system during the life of the project using the VOB repository. When all data stored in the VOB is no longer required, the VOB may be retired and deleted from storage.
  • Storage in backups
    • ClearCase does not provide its own backup mechanisms. Clients should establish their own backup procedures.
  • Storage in archives
    • ClearCase does not provide an archive mechanism.

Data Access

How can the client control access to personal data?

To protect access to stored usernames/passwords, each user can use operating system protections to control access to their home directory's files, allowing access only from the user's account.
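The home-directory protection described above depends on file modes that nothing in ClearCase itself enforces. The following script is an added example (not part of the ClearCase documentation or product) that audits a directory for entries readable or writable by other accounts and can tighten them to owner-only. The directory path and file names used in the demonstration are constructed; the real name of the stored credential file is not assumed.

```python
"""Audit a directory for entries accessible to accounts other than the owner.

Added example, not ClearCase code. The Data Access section notes that stored
integration credentials live in the user's home directory and rely solely on
operating-system permissions, so an owner-only mode on that directory and its
contents is the control to verify.
"""
import os
import stat
import tempfile

# Any of these bits grants some form of access to group or other.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def _iter_paths(root):
    """Yield the root directory and every entry below it (symlinks not followed)."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def find_exposed_entries(root, expected_uid=None):
    """Return a list of (path, reason) for entries that are not private to the owner."""
    findings = []
    for path in _iter_paths(root):
        st = os.lstat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & GROUP_OTHER_BITS:
            findings.append((path, "mode %o grants group/other access" % mode))
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append((path, "owned by uid %d, expected %d" % (st.st_uid, expected_uid)))
    return findings


def restrict_to_owner(root):
    """Set directories to 0700 and files to 0600; return the number of entries changed."""
    changed = 0
    for path in _iter_paths(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # do not chmod through symlinks
        wanted = 0o700 if stat.S_ISDIR(st.st_mode) else 0o600
        if stat.S_IMODE(st.st_mode) != wanted:
            os.chmod(path, wanted)
            changed += 1
    return changed


def demo():
    """Constructed scenario: a private temp 'home' holding one world-readable file.

    Returns (findings before hardening, findings after hardening).
    """
    home = tempfile.mkdtemp()  # created with mode 0700
    cred = os.path.join(home, "integration-credentials.txt")  # hypothetical file name
    with open(cred, "w") as fh:
        fh.write("user=alice\npassword=<stored-encrypted-in-practice>\n")
    os.chmod(cred, 0o644)  # the weak setting: any local account can read it
    uid = os.getuid() if hasattr(os, "getuid") else None
    before = len(find_exposed_entries(home, uid))
    restrict_to_owner(home)
    after = len(find_exposed_entries(home, uid))
    return before, after


if __name__ == "__main__":
    print("exposed entries before/after hardening:", demo())
```

Run it against a real home directory with `find_exposed_entries(os.path.expanduser("~"), os.getuid())` to review, and only then apply `restrict_to_owner` on the specific credential directory, since blanket 0600 modes can break files that are intentionally shared (for example public keys or web content).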

To limit access to client-created data, the administrator can establish access controls in the ClearCase VOB repositories. Refer to details in the "Authorization" section of the security considerations document linked above.

ClearCase records a user identity for each modification to the VOB database. These records can be reviewed as described in the "Auditing" section of the security considerations document linked above.

Access to servers

A ClearCase administrator can limit which operating system accounts have access to log into the VOB and view servers. The account owning the VOB storage files needs access, but most other accounts do not. For more details on planning your server environment, see Administering DevOps Code ClearCase in the product documentation.

Data Processing

How can the client control processing of personal data?
  • Encryption in motion
    • The ClearCase Remote Client (CCRC) WAN server can be configured to use TLS/SSL protection for its communication with its clients: ClearTeam Explorer, rcleartool, and CMAPI applications. Refer to details in the "Encryption" section of the security considerations document linked above.
    • The ClearCase local client environment, deployed within a LAN, does not use encryption for network communications. Host-based IPsec can be configured to encrypt traffic if required.
    • ClearCase MultiSite does not use encryption when shipping packets with the default configuration. The administrator can configure an encrypted network (such as a VPN) between sites, or implement custom packet encryption. See details in technote 347503.
  • Encryption at rest
    • ClearCase does not encrypt its view or VOB storage. However, operating-system or storage-based encryption is supported. Refer to details in the "Encryption" section of the security considerations document linked above.

Data Deletion

How can the client control the deletion of personal data?
  • Stored account deletion
    • An end user may delete their stored username/password used for change management integrations using the cmiregister or crmregister commands.
  • Client Data deletion
    • Technical data in ClearCase log files is retained for two weeks in the default configuration. ClearCase scheduled jobs rotate the log files and trim the log history according to the defined schedule. This schedule can be modified with the 'cleartool schedule' subcommand.
    • CCRC WAN server logs are stored in the WebSphere Application Server (WAS) profile's system logs, and are managed by WAS.
    • Trace data are retained indefinitely. The ClearCase administrator should delete trace files after completing the troubleshooting activities.
    • Removal of users from the operating system will prevent the user from accessing ClearCase repositories. It will not remove the user's data (e.g. name) from active or historical events, as there is an ongoing need from an operational/audit perspective to maintain this data. Client data stored in ClearCase VOB repositories is generally expected to be retained for the lifetime of the related projects using the repository. Some data can be removed from the repository via ClearCase operations, with the potential of damaging historical software baselines and limiting the ability to recreate older software builds.

    For more details on the ClearCase VOB repositories, see Administering DevOps Code ClearCase in the product documentation.

    As part of your deployment you should review the period for which ClearCase data is archived, backups are stored and logs are maintained to determine if they are reasonable based on your operational needs.

  • Account Data deletion
    • Because ClearCase is based on user accounts from the operating system, the administrator or user must manage the accounts outside of ClearCase. Refer to your operating system documentation.
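ClearCase's own scheduler trims its log history, but trace files and any logs copied outside the product (archived logs, CCRC WAN server dumps) are left to the administrator. The following helper is an added example, not ClearCase's scheduler or any product code, that applies the same age-based retention (defaulting to the two-week figure above) to an arbitrary directory and reports what it removed. The directory, file names, and the `.trc` suffix are constructed for the demonstration.

```python
"""Age-based trimming of log and trace files, returning an auditable list.

Added example, not ClearCase code. It mirrors the retention policy described in
the Data Deletion section for directories that ClearCase does not manage itself.
"""
import os
import tempfile
import time

DEFAULT_RETENTION_DAYS = 14          # the default ClearCase log retention period
SECONDS_PER_DAY = 86400
# Hypothetical suffixes for this demonstration; adjust to the files you manage.
DEFAULT_SUFFIXES = (".log", ".trc")


def expired_files(directory, retention_days=DEFAULT_RETENTION_DAYS,
                  now=None, suffixes=DEFAULT_SUFFIXES):
    """Return paths of regular files older than the retention window, sorted by name."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * SECONDS_PER_DAY
    expired = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not name.endswith(suffixes):
            continue
        if os.stat(path).st_mtime < cutoff:
            expired.append(path)
    return expired


def trim(directory, retention_days=DEFAULT_RETENTION_DAYS, now=None,
         suffixes=DEFAULT_SUFFIXES, dry_run=False):
    """Delete expired files (unless dry_run) and return the list that was selected."""
    selected = expired_files(directory, retention_days, now, suffixes)
    if not dry_run:
        for path in selected:
            os.remove(path)
    return selected


def demo():
    """Constructed scenario: one 20-day-old trace file and one fresh log file.

    Returns (names removed, names remaining) after a trim with the default window.
    """
    logdir = tempfile.mkdtemp()
    now = time.time()
    old = os.path.join(logdir, "old.trc")
    new = os.path.join(logdir, "new.log")
    for path in (old, new):
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
    # Back-date the trace file so it falls outside the 14-day window.
    os.utime(old, (now - 20 * SECONDS_PER_DAY, now - 20 * SECONDS_PER_DAY))
    removed = [os.path.basename(p) for p in trim(logdir, now=now)]
    remaining = sorted(os.listdir(logdir))
    return removed, remaining


if __name__ == "__main__":
    print("removed / remaining:", demo())
```

Run with `dry_run=True` first and keep the returned list as the record of what a scheduled run would delete; that list is also what an auditor will ask for when checking that trace files are not being retained indefinitely.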

Data Monitoring

How could the client monitor the processing of personal data?

A CCRC WAN server logs successful and unsuccessful logon events in the WebSphere Application Server's system log. This log is not encrypted.

ClearCase log files are not encrypted.

If log files need to be archived for operational/audit requirements then consideration should be given to encrypting any archived logs.

Stored usernames and passwords for integrations will be used when needed to access a change management system. Refer to such systems' notices about monitoring the use of usernames/passwords.

ClearCase local clients use the operating system identity of a user account, and thus do not track attempts to access an account. Refer to the operating system documentation about account tracking.

CCRC WAN server trace files and process memory images (dumped during process abort/"core dump") may contain user account information. Server systems should be configured to put process dumps in a secured location.

Responding to Data Subject Rights

Does the offering facilitate being able to meet data subject rights?

The Personal Data stored and processed by the product falls under the following categories:
  • Basic Personal Data (e.g. usernames and passwords used for authentication and Name/ID to show ownership of an event)
  • Technically Identifiable Personal Information (such as device IDs, usage-based identifiers, static IP address, language settings, etc. - when linked to an individual)

In addition, because the product provides a repository for storing files generated by client users, such files may include personal data.

The retention of files stored in the repository is intrinsic to the operation of a configuration management system. Removal of data, modification of historical data and the sharing of this data outside your organization is likely to be contrary to your organization's policies.

ClearCase does provide mechanisms to delete some types of VOB repository data, including versioned files through 'rmver' and 'rmelem' operations, but doing so may destroy the integrity of the project data (such as software source code) managed through a VOB. An end user may modify or remove their stored username/password used for integrations with change management systems by using ClearCase crmregister or cmiregister commands.

Because ClearCase references user accounts from the operating system, it is not possible to remove an account solely from ClearCase. The administrator or user must manage the accounts using the operating system's mechanisms. Refer to your operating system documentation.

For this on-premises product managed by the client, review the links provided in earlier sections for configuration information.