Strong relationships with our customers and partners are essential. A critical part of these relationships is establishing trust and confidence, which is why privacy has always been a priority. With the General Data Protection Regulation (GDPR) having come into effect on May 25th, we would like to share an update on our work to comply with the new regulation. We will provide an overview of the upcoming product and operational changes that expand our privacy framework.
What is GDPR?
The GDPR (General Data Protection Regulation) is a new EU Regulation which replaced the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations that collect or process personal data. It came into force on 25th May 2018. The regulation is based on many of the 1995 Directive’s requirements for data privacy and security but includes several new provisions to strengthen the rights of data subjects and add more severe penalties for violations. The full text of the GDPR can be found here.
Why is GDPR important?
GDPR affects any business that collects data in or from Europe, regardless of whether they’re based in Europe or not. GDPR requires businesses to give individuals greater visibility into and control over the data they provide to those businesses.
The aim of the GDPR is to modernize old privacy laws in order to ensure that the protection of personal data remains a fundamental right for EU citizens. Significant fines of up to €20,000,000 or 4% of global annual turnover, whichever is greater, may be levied on organizations who fail to meet their obligations with respect to handling data under the GDPR.
How FluentPro prepared for GDPR
To prepare for GDPR, we have undertaken research and made changes, both small and large. You can read about those changes below.
FluentPro continues to make data security our priority and below are some details on specific security measures related to GDPR that we have in place:
- FluentPro services and data are hosted in SOC I-, SOC II- and ISO-accredited data centers
- Access control (authentication and authorization, role-based access control models)
- Single sign-on support
- Two-factor authentication for server access
- Strong data encryption in transit and at rest
- Continuous network and security monitoring
- Vulnerability management
- Internal IT security (keycard access and biometrics, surveillance camera monitoring)
- Information security aspects of Business Continuity Management (encrypted data backups, geo-redundant storage replication)
More details are available on our Security page.
We have reviewed all our vendors to ensure they are adhering to GDPR and signed Data Processing Agreements with them.
International data transfers
To comply with EU data protection laws around international data transfer, we self-certified under the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework. The EU-US Privacy Shield is a framework negotiated and agreed by the European Commission and U.S. Department of Commerce as a lawful way of transferring personal data. You can find more information about our commitment to the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework in our Privacy Shield Policy. Our active participation in the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework can be viewed on their website located here.
Data Processing Agreement
We understand that our customers, and in particular, our European customers, will require that, where FluentPro is a processor of EU personal data, we execute additional terms that meet GDPR obligations with respect to the processing of that EU personal data. We offer our customers a Data Processing Agreement, governing the relationship between the customer (acting as a data controller) and FluentPro (acting as a data processor). The agreement shares our privacy commitments and sets out the terms for FluentPro and our customers to meet GDPR requirements. We sign the agreement with all our customers upon request. Please contact us at firstname.lastname@example.org to request a Data Processing Agreement.
The FluentPro DPA is an extension of our Master Service Agreement and reflects our compliance with GDPR requirements as applicable to our products and services. Just as with our standard Master Service Agreement, we’re unable to make any changes to our DPA on a customer-by-customer basis.
International data center
We are aware that some of our customers with EU users or EU affiliates would prefer that their data be hosted in the EU. Currently we have an EU data center for some of our products and are planning to offer European data storage solutions for all our products in the future. We will be providing updates on exact timing and data storage solutions as this progresses.
On-premise software option
If your organization has strict security compliance guidelines that require hosting data behind your own corporate firewall, you can choose our option for on-premise software installation under certain customer plans and packages. On-premise software resides on a dedicated server that is maintained by your organization and puts control over your data in your hands.
Ongoing process changes
We are continuously working to improve our processes related to customer support, product development, and customer data protection. Much of this will take the form of internal documentation, training and processes as required by GDPR.