Data protection and GDPR
Updated: May 16, 2020
Data protection and GDPR
Obligations as a Leadoo customerLeadoo’s clients generally act as controllers for the personal data registers and data they are processing in Leadoo. The aim of the controller (client) is to define the purpose of the register, and the processor (Leadoo) is responsible for helping the client in the processing of information in an intended manner. Simply put, this means that the customer uses Leadoo for their intended purpose and Leadoo assists the customer in implementing this purpose. This means that we are also doing updates to the software so that this is going to be fast and easy. The controller (customer) is responsible for ensuring that data is processed technically and administratively in accordance with the requirements of the regulation. The regulation includes significant changes to how and when registers can be maintained. In addition, the controller must ensure that their own activities are transparent towards the data subject, the data is valid, and correct restrictions are applied to the use of personal data. It is particularly important to remove unnecessary information and to safeguard the data subject’s legislative rights. According to the regulation, the data subject has the right to ask for their registered data, to update it and, in certain circumstances, to demand it’s deleted. If you are a controller, we encourage you to review the content of the regulation. The European Data Protection Supervisor provides vast resources and up-to-date information on its website. We also encourage you to analyse your situation with the assistance of a lawyer, as the services or training they provide may give you instructions directed specifically at your organisation. The responsibility to take care of this is on the controller (client) so we strongly advise to put some effort in.
Leadoo compliance with GDPRWe are proud to say that we have put a tremendous amount of work to make sure that everything is in order in respect to the European Union’s General Data Protection Regulation (GDPR). We have put in enterprise-level effort to look after our data protection and privacy as we understand the importance of this matter. This way also our enterprise customers can rely on us to do our part in the data protection chain. Leadoo’s data protection mechanisms have been entrusted to the management of the entire company, as well as to a DPO (Christian da Costa) who is responsible for operations as part of the management team. The tech team has set up and implemented the changes required by the regulation. Their task is to implement the data protection processes and changes and make them part of the company’s overall functions and services.
GDPR in the Leadoo software
Automatic expiration of personal dataIn order to avoid storing old and unnecessary data, Leadoo will set an expiration date for personal data by default. Our customers can change the expiration date by request according to their business needs and regulatory requirements.
Stricter requirements for consentThe GDPR enforces even stricter requirements for consent when collecting the data. By using Leadoo and strictly required fields, everyone can be sure that the data that enters the system is collected with proper permissions.
Ability to manage personal dataThe GDPR gives more rights to individuals over their personal data. We at Leadoo provide possibility for our customers to find out what personal data is stored in their account and therefore fulfill requests coming from individuals. This includes the ability to by request print out a report on personal data by the individual, delete all related personal data etc.
Access to customer dataWhile we have always accessed customer data only purposefully and with the agreement of our customers, we have developed stricter controls on who can access the data inside the company.
Storing backupsStoring relevant backups is crucial to us for disaster recovery purposes. However, backups tend to hold information even after it is deleted from production systems. This is why we periodically run our backups through certain filters to ensure they contain only information we and our customers have permissions to store.
Data processing and subcontractorsOur objective is to provide the safest and highest quality service to our customers. Like many other SaaS services, we also use subcontractors and partners to provide our service. This means that our subcontractors also take part in the processing of personal data on a case-by-case basis. All our subcontractors go through an audit process, which ensures that they share our own tight security and privacy requirements. For more detailed answers, please contact our Data Protection Officer (Christian da Costa, [email protected]). Here are the partners used today:
|Name of controller||Categories of processing||Third countries data is transferred to||Safeguards||Agreements|
|Amazon Web Services||Storage and processing of all customer data||Servers in Ireland / US based company||Automatic wiping of data after customer defined time delay. Encryption throughout. More at https://leadoo.com/security/||DPA|
|Clearbit||OPTIONAL:Gathering company information from IP addresses to enrich the customer’s lead data||US||Only IP address, not considered as personal data, is sent over the wire to acquire company name||Signed SCC|
|Twilio||OPTIONAL: Handling of sending of messages through WhatsApp and Sendgrid Emails||US||Messages and emails in society in general are sent over unencrypted channels. As such as little as possible is included in these channels, but at the end the customer is able to send whatever they want to through these channels and are responsible for their own communication.||DPA|
|Zapier||OPTIONAL:Integrations to the customer’s own 3rd party systems such as CRMs, ATSs etc.||US||Only implemented on the request of the customer in order to integrate with their 3rd party system, in which case the customer is in charge of fulfilling their privacy and GDPR related duties for transferring data into a 3rd party system and Leadoo only works as a proxy.||DPA|
|Cyclr||OPTIONAL:Integrations to the customer’s own 3rd party systems such as CRMs, ATSs etc.||United Kingdom||Only implemented on the request of the customer to sync calendar data to Leadoo and possibly sending emails from customer’s own email box.||DPA|
|Cronofy||OPTIONAL:Calendar and email sending for calendar node in bot discussions||United Kingdom||Only implemented on the request of the customer to sync calendar data to Leadoo.||Non-public DPA (Privacy docs|
|Smart Bear Software Inc (Bugsnag)||App stability monitoring||US||Only implemented on the request of the customer to sync calendar data to Leadoo.||DPA|