EU Data Protection
We value your trust and work hard to protect your information
When you use our services you entrust us with your valuable information. We have made it a priority to protect your data and to provide you with choices about controlling it. We understand that there are particular concerns from companies in the EU about how we use and protect your data, so we put this page together as a guide to answer some of the most common questions you may have.
Security and data center location
Partnify’s primary data and servers are hosted at Microsoft’s Azure data center (located in the USA). We currently don’t have plans to add servers in the EU (GDPR does not require physical servers in the EU).
All access to the Partnify interface is secured over SSL (HTTPS), ensuring the information is encrypted. Our SSL configurations are regularly and automatically scanned to ensure we can quickly remediate any vulnerabilities discovered, such as Heartbleed. Additionally, we provide both TLS and HTTPS connections to the Partnify SMTP and API services, ensuring emails sent to the service are encrypted. Account passwords are encrypted in thePartnify database, preventing even our own staff from viewing them. We offer a method to recycle API keys at anytime in thePartnify interface.
We comply with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework with respect to the transfer of personal data from the EEA or Switzerland, to our servers which are located In the US.
These frameworks were designed to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EEA and Switzerland to the United States.
Using the EU US Privacy Shield Framework for data transfers from the EU to the US was approved on July 12, 2016 for the EU and on July 8, 2017 for the EEA. It was approved for transfer from Switzerland to the US on January 12, 2017. You can view our current certification here: XXXXXXX
We are preparing for the EU General Data Protection Regulation (GDPR)
What is GDPR?
In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). GDPR is a significant change in data protection regulation in the EU and replaces the existing legal framework (the Data Protection Directive and the various member state laws). It will come into effect on May 25, 2018.
Why is GDPR important?
GDPR adds some new requirements regarding how companies should protect individuals’ data that they process. It also raises the stakes for compliance by increasing enforcement and imposing greater fines for breaches. We are following the developments about GDPR and are taking the necessary steps to become compliant.
Does GDPR require that my information be stored in the EU?
No. Under GDPR a company is allowed to transfer personal data outside of the EU provided that it puts in place a mechanism, approved under GDPR, to make sure that personal data is adequately protected even when it is transferred outside of the EU. We have certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to satisfy this requirement (more detail in the Privacy Shield tab), and also offer a Data Processing Addendum (DPA) to all customer who require it (see below information about cross border data transfers).
Who are your sub-processors?
We share certain information with companies that may be considered our “sub-processors” under GDPR. This information is limited to the following:
We use Intercom and as help desk software to communicate with our customers. Sometimes these communications includes the personal information of your customers’ information.
We use Siteground, Microsoft Azure and SendGrid to process our emails. These companies host the data on physical and cloud servers that we pay for.
For a detailed list of sub-processors and to sign up for updates when we start using a new sub-processors, view the sub-processor tab.
How do you manage access to my information (DSR requests)
As of now our intention is to service DSR requests (such as delete and export) manually. If you have an account with us, you may access, correct, or request that we delete your personal data by contacting us at email@example.com.
This request can include personal data of other individuals, like your employees or customers that you have provided to us and who have requested this of you. We will respond to these requests within 14 days or less, which is well within the GDPR requirement of 30 days.
What happens when the UK leaves the EU?
We chose the UK as a reasonable location for GDPR enforcement, and will reassess in 2019 before Brexit takes effect. The UK is hoping for a unique status under GDPR and are working towards it. For the time being the UK has declared it will be GDPR compliant and its new data protection bill is in line with GDPR.
What has Partnify done to comply with GDPR?
We have implemented and are implementing changes
Our compliance, data protection, and information security teams are working to prepare our services for GDPR. We reviewed our data processing activities, and are making any changes that are needed in advance of the GDPR effective date.
We have addressed cross border data transfers
Like the Data Protection Directive that is presently in effect, GDPR includes provisions on international data transfer mechanisms. In order to comply with these provisions we have certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, a mechanism that had been approved for cross border transfer of personal data under the Directive and expected to apply under GDPR as well.
We have also worked with legal counsel to create a standard Data Processing Addendum (DPA), which meets with GDPR requirements for agreements between Data Controllers (you) and Data Processors (us). This outlines in detail our current security practices. To receive and sign a copy of our DPA, please visit the Data Processing Addendum tab on this page.
We are here for you
We are working with our customers to answer any questions and address any concerns regarding how we protect their personal data and gearing up for GDPR. If you have any questions, please don’t hesitate to contact us at firstname.lastname@example.org
List of sub-processors
We share certain information with companies that may be considered our “sub-processors” under GDPR. Below is a list of these companies.
|Microsoft Azure||Cloud infrastructure hosting|