Article III: What is ActiveCollab doing to comply with GDPR
INFORMATION WE HOLD
We’ve performed extensive data mapping, which means we’ve identified all the personal data we process, their location, and the way they are stored, used, deleted and archived. We’ve also identified who they are shared with and in which ways. We use a log management system so no employee can access data without authorization. This basically means we’ve performed a thorough analysis of all the data we store. All our employees have gone through training on the applicable GDPR guidance issued by regulatory authorities, and we all keep learning about privacy by design and default. Maintaining the confidentiality and security of data is one of our ongoing priorities here at ActiveCollab. ActiveCollab’s data and information are hosted on servers in the USA, Canada and France. We wrote more about data security in our Security Policy here. We extend our GDPR readiness by making sure all our third-party processors* located in the US are also GDPR compliant.
COMMUNICATING PRIVACY INFORMATION
We are currently re-evaluating all of our processes, procedures, and complete documentation. We are updating all our processes so they are in compliance with GDPR. We are also updating our Privacy Policy, Security Policy and Terms of Service. This also means we will never automatically process your information without your consent.
LAWFUL BASIS FOR PROCESSING PERSONAL DATA AND CONSENT
Lawful basis means we need to have a legal reason to use your data. This reason has to comply with GDPR’s accountability requirements. It can be in accordance with our Terms of Service - which means we can use your data when we want to, for example, send you a bill, as defined in our contract; it can be your consent (you opted in) with notice - we told you what you were opting into; and it can be what GDPR calls legitimate interest (e.g. you are our customer, and we want to send you new products or functionalities related to what you currently have). If there is a legitimate interest, you always have a right to object to further processing of your personal information.
BREACH MANAGEMENT
Your data matters. And GDPR is not only about data privacy, but also data protection. That’s why we’ve established and are implementing specific procedures designed to detect, report and investigate a personal data breach. In case of a data breach, we will promptly notify the regulators on our systems, our customers and end-users.