ActiveCollab & the General Data Protection Regulation

Updated: Jun 26, 2018

1. What is the GDPR

The General Data Protection Regulation (GDPR) is a new law establishing protections for the personal data of EU residents. The main goal of the GDPR is to establish a single standard for data privacy that applies to all organizations operating in the region. Organizations, regardless of where in the world they are located, are required to develop procedures and safeguards that regulate how the personal data of EU residents is collected, maintained and used. In preparation for the GDPR, ActiveCollab has established a comprehensive compliance program and is committed to partnering with its customers and vendors to help them in their GDPR compliance efforts.

2. Why we welcome GDPR at ActiveCollab

The privacy and safety of your data have always been a top priority for us. We are always aiming to raise the bar when it comes to delivering the best service possible, so we are constantly improving our product and website to keep them in compliance with the GDPR and other relevant laws. We are looking forward to the impact the GDPR is likely to have.

3. What is ActiveCollab doing to comply with GDPR

Information we hold

We’ve performed extensive data mapping, which means we’ve identified all the personal data we process: where it is located and how it is stored, used, deleted and archived. We’ve also identified who it is shared with and in which ways. We use a log management system so that no employee can access data without authorization. In short, we’ve performed a thorough analysis of all the data we store. All our employees have gone through the applicable GDPR guidance training issued by regulatory authorities, and we all keep learning about privacy by design and by default. Maintaining the confidentiality and security of data is one of our ongoing priorities here at ActiveCollab. ActiveCollab’s data and information are hosted on servers in the USA, Canada and France. We wrote more about data security in our Security Policy here. We extend our GDPR readiness by making sure all our third-party processors* located in the US are also GDPR compliant.

Communicating privacy information

We are currently re-evaluating all of our processes, procedures and documentation. We are updating all our processes so that they are in compliance with the GDPR. We are also updating our Privacy Policy, Security Policy and Terms of Service. This also means we will never automatically process your information without your consent.

Lawful basis means we need to have a legal reason to use your data, and this reason has to comply with the GDPR’s accountability requirements. The basis can be our Terms of Service, which means we can use your data when we need to, for example, send you a bill, as defined in our contract; it can be your consent (you opted in) with notice, meaning we told you what you were opting into; and it can be what the GDPR calls legitimate interest (e.g. you are our customer, and we want to tell you about new products or functionalities related to what you currently have). Where we rely on legitimate interest, you always have the right to object to further processing of your personal information.

Breach management

Your data matters. And the GDPR is not only about data privacy, but also about data protection. That’s why we’ve established and are implementing specific procedures designed to detect, report and investigate a personal data breach. In case of a data breach affecting our systems, we will promptly notify the regulators, our customers and end-users.

4. What does this mean for you and your data?

The GDPR defines personal data as any information that can be used to directly or indirectly identify a person, such as a name, photograph, email address, or even an IP address.

We collect data and information only when absolutely necessary. The best thing is that we need so little. Data minimisation is our primary goal here. When you sign up for a free trial, we store only your email address, to give you access to our tool.

Every connection to your cloud account is made over SSL/TLS only. Non-encrypted communication is not allowed. We also follow all HTTPS security best practices. We wrote more about encryption here.
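The paragraph above states the policy (no plaintext HTTP, HTTPS best practices) but not how to verify it. The following is an added example, not ActiveCollab's code, of a small checker that a defender can run against the headers a server returns: it confirms that plain HTTP is redirected to an https:// URL rather than served, that the HTTPS response carries a Strict-Transport-Security header with a long enough max-age, and that session cookies are marked Secure and HttpOnly. The `Response` class, the `check_transport` function and the sample responses are all constructed for this example; in practice the headers would come from an HTTP client such as `http.client` or `requests`.

```python
"""Check that an origin enforces encrypted transport (added example, not ActiveCollab's code)."""
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # the commonly recommended minimum HSTS max-age, in seconds


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus lower-cased headers.
    'set-cookie' is stored as a list because it may appear more than once."""
    status: int
    headers: dict = field(default_factory=dict)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    max_age is None when the directive is missing or unparseable."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                return None, False
        elif d == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_transport(http_resp, https_resp, min_hsts_age=ONE_YEAR):
    """Return a list of findings; an empty list means the policy is satisfied."""
    findings = []

    # 1. The plain-HTTP endpoint must not serve content; it should redirect to https://.
    if http_resp.status in (301, 302, 307, 308):
        location = http_resp.headers.get("location", "")
        if not location.lower().startswith("https://"):
            findings.append("http: redirect does not point to an https:// URL")
    elif http_resp.status < 400:
        findings.append("http: content served without encryption")

    # 2. The HTTPS response must pin browsers to HTTPS via HSTS with a long max-age.
    hsts = https_resp.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("https: missing Strict-Transport-Security header")
    else:
        max_age, _ = parse_hsts(hsts)
        if max_age is None or max_age < min_hsts_age:
            findings.append(f"https: HSTS max-age is missing or below {min_hsts_age}")

    # 3. Cookies set over HTTPS must never be sent in the clear or exposed to scripts.
    for cookie in https_resp.headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly attribute")

    return findings


# Constructed sample responses: a weak configuration and a corrected one.
WEAK_HTTP = Response(200, {"content-type": "text/html"})
WEAK_HTTPS = Response(200, {"set-cookie": ["session=abc123; Path=/"]})

GOOD_HTTP = Response(301, {"location": "https://app.example.test/"})
GOOD_HTTPS = Response(200, {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly"],
})

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("good", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, check_transport(*pair) or "OK")
```

The checker treats any 2xx or 3xx answer on plain HTTP that does not redirect to https:// as a finding, because a "non-encrypted communication is not allowed" policy is only as good as the behaviour on port 80.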

It’s important that you’re aware of how much control you have over your data. At any moment you have the right to:

  • Ask to see which information we store about you
  • Ask for a change in your information
  • Ask for deletion of your information
  • Restrict processing of your personal information
  • Ask us to transfer (export) your data in a machine-readable (commonly used) format

5. ActiveCollab GDPR Roadmap

We welcome the arrival of the GDPR and view the regulation as raising the bar for data protection, security and compliance. We are closely analyzing the requirements of the GDPR and are working on enhancements to our product, contracts and documentation. We’re approaching this process together with our engineering, product, security and legal teams, to implement the necessary procedures and practices.

Organizational

  • Data mapping and gap analysis - Done
  • Update Terms and Conditions - In progress
  • Compile data breach report - In progress
  • First training on GDPR compliance - In progress
  • Periodic evaluation of organisational and technical measures - To be implemented

Policy

  • Revise internal documents and policies - In progress
  • Risk assessment in accordance with ISO 31000 - Done
  • Security incident response templates - In progress
  • Regulate internal access to personal data - In progress
  • Handle data responses to users - In progress

Technical

  • Restrict access to servers from public locations - Done
  • Use HTTPS for pages that handle sensitive information - Done
  • Review and categorize currently stored data - Done
  • Resolve security issues and implement recommendations - Done
  • Anonymize IP addresses - In progress
  • Revise stored data - In progress
  • Unified platform access for company accounts - To be implemented
  • Establish logging policy - Done
  • Anonymize data for staging - To be implemented
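Two of the technical roadmap items above, "Anonymize IP addresses" and "Anonymize data for staging", rest on the same technique: truncating an address to a network prefix so it no longer identifies a single host while staying useful for aggregate analytics. The following is an added example, not ActiveCollab's code, showing the truncation for IPv4 (last 8 bits cleared), IPv6 (last 80 bits cleared) and IPv4-mapped IPv6 addresses, plus a helper that rewrites the client address in a common-log-format line such as one copied out of a web server before it is loaded into a staging environment. The function names, the prefix lengths and the sample log line are constructed for this example.

```python
"""IP address anonymization by prefix truncation (added example, not ActiveCollab's code)."""
import ipaddress

# Prefix lengths kept after truncation. The IPv4 and IPv6 values are assumptions chosen to
# match the widely used analytics convention (zero the last octet / the last 80 bits).
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def anonymize_ip(addr, v4_keep_bits=IPV4_KEEP_BITS, v6_keep_bits=IPV6_KEEP_BITS):
    """Return the address with its host bits cleared, or None if it is not a valid IP.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), which proxies often log, are first
    unwrapped so that they are truncated like the IPv4 address they carry.
    """
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    keep = v4_keep_bits if ip.version == 4 else v6_keep_bits
    # strict=False lets ip_network clear the host bits instead of raising on them.
    network = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line):
    """Replace the leading client address of a common-log-format line.

    An unparseable address is replaced with '-' rather than left in place, so that a
    malformed field can never leak an identifier into the anonymized copy.
    """
    client, sep, rest = line.partition(" ")
    anonymized = anonymize_ip(client)
    return (anonymized if anonymized is not None else "-") + sep + rest


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.77 - - [26/Jun/2018:10:00:00 +0000] "GET /projects HTTP/1.1" 200 512',
    '2001:db8:1234:5678:abcd::1 - - [26/Jun/2018:10:00:01 +0000] "GET /login HTTP/1.1" 200 310',
    '::ffff:198.51.100.9 - - [26/Jun/2018:10:00:02 +0000] "POST /api/v1/tasks HTTP/1.1" 201 88',
    'not-an-ip - - [26/Jun/2018:10:00:03 +0000] "GET / HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(anonymize_log_line(line))
```

Truncation is irreversible, which is what makes it suitable for staging copies and analytics; note that a /24 still groups a small set of hosts, so the prefix lengths should be chosen against the data-protection goal rather than copied blindly.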

Product

  • Implement user opt-in mechanism - In progress
  • Log the consent - In progress
  • General consent request - In progress
  • Allow users to revoke their consent to the use of their data - In progress
  • Re-ask the user for consent if necessary - In progress
  • Add multi-factor authentication - In progress
  • Data export tool - In progress
  • Keep data for a limited time after contract termination - In progress
  • Obtain consent for previously collected data - To be implemented
  • Expose/delete info for users - To be implemented
  • Platform audit logs / update - To be implemented

6. Find out more

We wholeheartedly encourage you to review our Privacy Policy and Terms of Service pages. If at any moment you need more answers, you can contact us via privacy@activecollab.com.

*Our third-party processors: Help Scout, Stripe, FastSpring, Crisp, Google Analytics, Google Adwords, Mailchimp, Facebook Ads Manager, Mautic, Promoter
