CASE STUDY
Toto Holding Group Uses Virtru Private Keystore for GDPR Compliance and Data Sovereignty
Alfonso Razzi, CIO
Compliance: GDPR
Products: Virtru for Microsoft Outlook
The Result
- Fortify security and breach readiness by hosting its own encryption keys on premise with Virtru Private Keystore, separately from the data.
- Meet GDPR compliance and regulatory requirements, safeguarding personally identifiable information and protecting individual privacy.
- Ensure confidentiality of NDA-related communications via Microsoft 365, assuring clients that their sensitive information remains secure both in motion and at rest.
- Automate data protection for email workflows and inbound communications such as inbound CVs and resumes sent to HR, and anonymous feedback sent to its business ethics inbox.
- Ensure brand consistency and a seamless recipient experience by customizing encrypted emails with the Toto Holding logo and branding.
- Streamline and centralize data governance by efficiently managing encrypted and unencrypted mail in one place, supporting data sovereignty requirements.
Toto Holding Group is a global construction, energy, engineering, and design organization. Its business units manage large infrastructure contracts, oversee multi-million-euro projects, and spearhead renewable energy innovation. Toto Holding Group partners with many internal and external stakeholders, including government customers, so it’s essential to ensure shared sensitive information remains protected.
Adding a Layer of Security to Microsoft 365
Headquartered in Italy, Toto Holding is focused on maintaining compliance with the EU’s General Data Protection Regulation (GDPR), which requires organizations to implement and maintain security practices to protect personal data. Alfonso Razzi, CIO of Toto Holding Group, wanted a solution that would equip Toto to maintain confidentiality and strengthen its compliance with GDPR.
“Because so much information is exchanged through email, we thought it was really worth investing time on a project to acquire an additional layer of security to supplement our GDPR compliance,” Razzi said.
Toto uses Virtru’s Microsoft 365 data encryption to protect sensitive data shared via email. Toto has deployed Virtru’s data protection to employees who need to share sensitive information as part of their job — including HR, the procurement team, and the entire executive team.
Because of Toto’s global footprint in construction and energy, it works with many external stakeholders, often government organizations. “When we have to build a new motorway, we interact with the local authority managing motorways,” Razzi said. “We need to exchange contracts, designs, things like that. At the same time, we also interact with other third parties, usually providers, with which we have established contracts that define products, services, and level of quality for our projects.”
“In some situations, we also have to communicate highly confidential details that pertain to our third parties,” Razzi continued. “Like any corporate organization, we have non-disclosure agreements (NDAs) in place. Because we have Virtru, it increases our level of comfort in exchanging information under those NDAs.” Razzi explained that NDAs almost serve as their own, more specialized, form of compliance that needs to be met with strong security and confidentiality.
To further build trust, Toto has added its own custom branding to outgoing Virtru emails. “Today, there are a lot of strange emails going back and forth: A lot of spam, a lot of phishing emails,” Razzi said. “If someone receives an email with our corporate logo, the level of trust is higher, and therefore they are more open to following the process of accessing encrypted content.”
Strengthening Breach Readiness with Split-Knowledge Key Management
Virtru encryption is part of Toto Holding Group’s breach preparedness strategy. “In case of a data breach, because the emails are encrypted, the fraudulent actors trying to access our corporate data would have a far more difficult path before accessing encrypted confidential and private information,” Razzi said. “So, this really increases our level of resiliency, as well as the level of protection for our overall set of corporate data.”
Toto Holding Group uses Virtru Private Keystore to manage its own encryption keys on-premise, separately from the data stored and shared via Microsoft 365. Because the keys are stored independently of the data, according to a split-knowledge architecture, this adds an additional layer of protection and confidentiality to Toto’s data.
“We want to make sure no other parties can access our email content,” said Razzi. “So, by having the keys managed on premise, we believe it adds an additional level of security and control.”
An additional benefit of Virtru’s architecture is that it doesn’t disrupt the flow of mail into and out of the organization. Some email encryption providers store encrypted messages separately from unencrypted messages, but Virtru allows organizations and their employees to manage encrypted and unencrypted email in a single location, increasing visibility and efficiency for IT teams and end users alike.
“We have found in Virtru one specific element, which, from my point of view, is the key selling point: The ability to keep all email in the same bucket, on the same email server,” said Razzi. “From a data governance standpoint, you have one single location where you are keeping all your data. This is much more effective than having two different boxes. This is also an easier path from a compliance and a technical maintenance perspective.”
Automating Seamless Experiences
In addition to using Virtru’s email and file encryption for Microsoft 365, Toto Holding Group also uses Virtru’s Data Protection Gateway to automate encryption for specific workflows.
Toto automatically encrypts incoming messages to the HR team’s inbox in order to protect the personal data in those emails and attachments. “If someone is willing to offer a spontaneous application by sending a CV to the HR email address, usually they’re disclosing some personal information,” said Razzi. “We are obligated as an organization to try to protect such disclosures.”
Toto also has a business ethics email address where anyone can submit a complaint or report anonymously. Toto helps protect that anonymity by automatically encrypting emails to that address, strengthening trust and ensuring people feel comfortable submitting information confidentially.
By safeguarding individuals’ private, personal information, Toto Holding Group builds trust with its internal and external stakeholders and demonstrates a commitment to security.
For more information on how Virtru can help you achieve your secure data sharing objectives, please contact us today.
About Toto Holding Group
Toto Holding Group has 40 years of expertise in the field of complex infrastructure works, both for roads and railways. The Group is now a large and widely diversified organization, present in the market of motorway concessions, road and rail construction, renewable energy, and engineering design.