The General Data Protection Regulation (GDPR) is a comprehensive set of regulations made by the European Union that dictates what companies like TeamWave must do in order to properly protect our customers' data. Even though we are not a European company, we have many customers in the EU and we fully comply with these regulations. This document explains in simple terms what we're doing in order to ensure compliance.
Note: The full GDPR regulations are extremely long and complicated. This isn't meant to be a comprehensive list of every single thing we do to protect your data, but rather it's a simple summary so that you can have a good idea of the protections we have in place. Please feel free to reach out to us if you have questions about specific items that aren't addressed here.
GDPR is a significant regulation that covers many different topics. We will address each of the key points below. This information is targeted at our customers, but we extend these protections to anyone who visits our website, uses our software, or otherwise interacts with us in any way.
How GDPR applies to TeamWave
GDPR defines three parties:
- Data subject - This is the person about whom data is being stored and used. Anyone that you enter into your CRM (i.e. your customer) is a data subject.
- Data controller - This is the person or company that is using the data that's being stored. You (our customer, and a user of TeamWave) are a data controller.
- Data processor - These are companies that create tools to actually store and take advantage of the data. We (TeamWave) are a data processor.
The data controller and processor each have different responsibilities to ensure that we are acting legally and ethically. This document explains what we do to comply with GDPR as a processor, but you should keep in mind that you also have responsibilities to the people whose information you put in the CRM.
Technical Security
Our customers entrust us with very important data for their businesses. Keeping your data secure and private is of the utmost importance, and so we are careful to follow industry best practices. A lot goes into online security, but here are some of the main things we do that might interest you:
- Our servers are hosted by Amazon Web Services. They are the largest and likely the most sophisticated hosting company in the world, and they have extensive physical and digital security in place. You can read about their GDPR compliance here.
- We use encryption at all levels of our software. All connections to our website are encrypted (i.e. we encrypt "in transit"), our live database is encrypted (i.e. we encrypt "at rest") and all of our data backups are encrypted.
- Our main servers are in Amazon's US-East data center. We also keep encrypted backups of data in other locations within the USA. Even though GDPR is a European regulation, it does not require that data be hosted physically within the EU.
- We regularly perform external vulnerability scans and application penetration tests to monitor the status of our security efforts.
Policy Security
In addition to making sure that our software is as secure as possible, we also have strict internal policies to ensure that no one at TeamWave does anything to jeopardize your data privacy. These include:
- We have strict policies around when a TeamWave employee can access a customer's data. We only allow this if a customer asks for our help or we're fixing a technical bug. We have monitoring and extensive activity logging in place on all employees to ensure that no one abuses this.
- We never sell our customers' data to any third parties. The data you enter in your CRM is owned entirely by you.
- We only collect data about you that we actually need.
- We have mapped out all of the ways data can enter and leave our system. We do use some third party service providers for things like our internal email hosting and phone system, and we have confirmed that all of our vendors are GDPR compliant.
- We practice "privacy by design". What this means is that everything we build considers privacy as a core feature and not as an afterthought. Shuhaib Shariff, the co-founder and CEO, is our designated Data Protection Officer (DPO), responsible for ensuring that privacy and security are built into everything we do, as well as for full GDPR compliance.
- GDPR requires that we have a contract with our customers which specifies things like how we process data, that we will assist you in your GDPR obligations to your customers, etc. In our case, this contract is our standard Terms of Service which applies to all of our customers. You can read the details here.
Data breach notification plan
We work hard to keep our software secure so that there are no data breaches, but in the event that there is a data breach, we will notify any of our customers who may have been impacted, and provide them with the appropriate information so that they can also comply with their responsibilities as a data controller.
Lawful basis for processing
GDPR requires that we establish that our data processing is legally justified. The following reason applies to us:
…processing is necessary for the purposes of the legitimate interests pursued by the controller…
Our interpretation of this is that you, as the controller, have legitimate business interests in using an integrated software suite and we're assisting you in pursuing those interests. Keep in mind that this only applies so long as the controller (you) respects the individual rights of the data subjects.
How does GDPR affect TeamWave customers?
We have outlined a number of actions you should consider; however, you must perform your own due diligence and comply with regulations on how you collect and use personal data.
- Review all personal data, existing privacy policies and put the necessary processes in place.
- Appoint a dedicated team and communicate the importance of GDPR with everyone involved in the organization.
- Put in place a procedure to respond to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten).
- Implement appropriate security measures and processes to respond to any security breaches.
- Ensure a record is stored for all necessary data, consent forms, privacy policies and procedures, training materials, and data transfer agreements.
Your responsibilities
As explained above, we are in the role of data processor and you are the data controller. If you enter your customers' information into our software, you can be confident that we are handling GDPR compliance for the data processing side, but you are still responsible for being compliant as a data controller. If you're concerned that you aren't in compliance, we encourage you to research this topic in more detail, but a good starting point is to ensure that you honor, toward your customers, the individual rights laid out in the GDPR regulations.
Revisiting GDPR compliance regularly
As part of our commitment to remaining GDPR compliant and respecting the privacy of our users, we will revisit this document at least once per year to ensure that all of the information is accurate and up to date.