If you’re in the tech business—and even if you’re not—you’ve probably heard about GDPR. (In case you haven’t, we’ll explain the basics shortly.)
But what is it? And what does it mean for you as a Custify customer or reader?
Keep reading to find out.
What Is GDPR?
The General Data Protection Regulation (GDPR—Regulation (EU) 2016/679) is a comprehensive privacy and data-protection regulation in the European Union to strengthen the protection of “personal data” and the rights of the individual. It became applicable and binding on May 25th, 2018.
In short, it’s a single set of rules which governs the processing and monitoring of EU personal data. It sets out specific responsibilities for companies, as well as penalties for non-compliance.
Companies are no longer allowed to use arcane language for their terms and conditions, and there are specific requirements for notifying customers of data breaches.
For more details on what the GDPR entails, check out the official GDPR website.
The regulations apply to organizations within the EU, as well as organizations outside the EU that do business in Europe.
Since we’re based in Romania, and many of our customers are in the EU, we’re subject to GDPR regulations.
Our Commitment - Custify is GDPR compliant
We’ve always been committed to high standards of data protection, information security, privacy, and transparency. (Which is one of the reasons we chose a data center in Germany, where data-protection standards have always been high.)
To make sure we’re protecting your data, we’ve revised our internal policies to meet the requirements of the GDPR.
We’ve also developed a robust plan to protect your data, built with an understanding and appreciation of the GDPR.
Under the regulations, we’re called a “data processor.” That basically means that we hold and process your data on our servers on your behalf.
(Many of our customers are data processors as well. But for the purposes of this post, that doesn’t really matter.)
As you can be a processor or a controller - depending on your business model - you have to sign a data protection addendum (DPA) with all of your subprocessors. Custify provides an easy way to sign our DPA.
We provide easy-to-use API functions to handle ‘forget me’ requests as well as ‘give me all data’ requests. Both of these requests are built directly into the Custify API. So if your customers make those requests, we’ll deal with them for you. It’s just one of the things we’re doing to help our own customers stay GDPR-compliant, too.
We also endeavour to ensure that personal data is not transferred to countries outside of the European Economic Area without adequate data protection. Besides that, we have also signed a DPA with all of our subprocessors.
Our GDPR Actions
We have published updated versions of our privacy policy and terms and conditions that incorporate our GDPR responsibilities and obligations. Since you are also required to sign a DPA with all of the subprocessors that you have, and Custify is one of them, we have also provided an easy way to sign our DPA.
As you’ll see, they’re much more straightforward than pre-GDPR documents. We aren’t trying to hide anything. We want you to know what we’re doing with your data. (And we’re always happy to answer any other questions you might have about data collection and storage. Just shoot us an email.)
We’ll continue to update these documents when things change. And we’ll also keep your data safety at the top of our priority list.
Data Protection Addendum
In the course of providing the Custify service to our customers, Custify may process personal data on our customers’ behalf. GDPR applies to that data, too. To this end, we offer a data protection addendum.
If you want to know what happens with your customers’ data that ends up on our servers, give it a read. Any sub-processors that we might use (other companies that help us process your data) are listed there as well. If we decide to work with another sub-processor, we’ll add it to the list 30 days in advance, to give you a choice, as required by law.
What This Means for You
For the most part, you don’t have to worry about GDPR. We know our responsibilities under the regulations, and we’ll carry them out. The long and short of it is that we’ll protect your data to the absolute best of our abilities.
You just keep providing the best service you can for your customers.