Introduction
Maximised, a company registered in Sweden, provides the Responser service, a cloud-based SaaS platform that lets businesses recover abandoned web forms.
We are committed to respecting the privacy and data protection rights of our customers in their use of the Responser platform. This document therefore sets out the Responser platform’s data protection compliance, to assure our customers and prospective customers that we take such compliance seriously and to address some of the common questions we are asked regarding the protection of personal data.
As a Swedish business we are governed by the EU General Data Protection Regulation (“GDPR”). Throughout this document where we use the terms “GDPR” or “data protection”, we mean EU GDPR.
Throughout this statement, terms like “personal data”, “processing”, “data subject”, “data controller” and “data processor” have the same meaning as defined in GDPR.
This statement applies to those parts of the Responser service where we act as a Data Processor on behalf of our customers, as defined in GDPR.
Our GDPR commitment to our customers
We are committed to ensuring that our business, services and internal processes are GDPR compliant and that we continue to meet the full requirements of the law. We are also committed to safeguarding any personal data we process on behalf of our customers, and we apply the same compliance standards to our customers’ data as we do to our own.
Our services are compliant because:
- We check all our systems and processes to ensure they meet the requirements of GDPR, particularly in terms of ensuring appropriate technical and organizational measures are in place to ensure the security of our customers’ data at all times.
- Access to customer data is restricted to specific members of staff and limited to specific circumstances
- Our staff are trained in GDPR compliance and understand their responsibilities for managing the systems that process our customers’ personal data
- We have internal policies which set out the data protection responsibilities across the whole of our business
- Data is stored on servers within the EEA
- We only process data that our customers input into our systems. It is our customers’ responsibility to ensure it is lawful for them to process that data in the way our service allows
- We have implemented the appropriate contractual obligations required by Article 28 of the GDPR (in our terms of service and accompanying documentation)
- We only use sub-processors or other third-party processors for the purposes of delivering our services and running our business. We always make sure such sub-processors are GDPR compliant and that a data processing contract is in place requiring the same contractual controls as those in our own Data Processing Agreement (DPA)
- We ensure we always maintain this compliance
Our role as a Data Processor
When a customer’s data is placed on our platform, the customer is the Data Controller and Responser is the Data Processor. We use the data our customers provide only to deliver the services, and only as agreed in the terms and data processing agreements that have been signed.
We do not use our customers’ data in any way other than to provide the agreed services via the platform, and we do not share customer data with third parties unless required to do so by law. Where law enforcement or other authorized parties request access to data stored on our servers, we follow strict internal policies for handling such requests, and the requesting party must demonstrate a lawful reason for the access and the authority under which it is requested.
What data is processed by our services?
This depends on the customer’s requirements and their use of the platform, but typically comprises account details (name, e-mail address) for our customers and the data their web form users enter into the forms. You can find out more about what data we process in our privacy policy.
Uploading customer data to our services
Data enters our service through a piece of code that the customer inserts into their web form. This code records how the form is used so that abandoned submissions can be recovered.
Data location
Our customers’ data is stored with the hosting providers DigitalOcean, Aiven and MongoDB.
DigitalOcean holds SOC 1 Type II, SOC 2 Type II and SOC 3 reports and is ISO/IEC 27001:2013 and PCI-DSS certified. Aiven is certified to ISO 27001 (information security management) and ISO 27701 (privacy information management) and is ISAE 3000 (SOC 2) audited; Aiven also offers PCI-DSS and HIPAA compliant environments. MongoDB’s ISO/IEC 27001:2013 certification is the result of an independent third-party audit.
Location of servers:
- AWS and MongoDB: AWS Europe (Stockholm), eu-north-1
- DigitalOcean: Europe, Netherlands
- Aiven: Europe, Netherlands
Security
Our Managing Director has ultimate responsibility for ensuring appropriate information security standards are applied to the technology we use and the services we provide.
Only a limited number of our staff have access to our customers’ data and no other third party has access. We do not share our customers’ data with any third party unless required to do so by law.
Our technology
Responser’s platform is fully cloud based: we operate no physical hardware of our own and instead rely on our providers’ managed and “serverless” services. As noted above, those hosting providers hold ISO 27001 and SOC 2/SOC 3 attestations.
Maintaining security
Data is encrypted in transit (on the network) and at rest (in storage), and protected while in use (in memory and logs).
Staff sign in to our providers using single sign-on with GitHub or Google accounts. Our providers also support multi-factor authentication (MFA) with options including OTP authenticators, push notifications, FIDO2 (hardware security keys or biometrics), SMS and e-mail.
Authentication to our databases uses mechanisms including SCRAM, X.509 certificates, LDAP and passwordless authentication with AWS IAM. Role-Based Access Control (RBAC) governs access to all cloud resources, including deployments on MongoDB, DigitalOcean, Aiven and Amazon.
Alerts for suspicious network activity are sent directly to our staff e-mail addresses and to our Managing Director’s mobile phone for fast response. Our developers are trained in incident response and routinely check systems for vulnerabilities. Any potential incident is handled in accordance with our Data Breach Procedures documentation.
Changes and updates to our own systems are always made with data protection and privacy in mind and, where appropriate, in discussion with our customers.
Examples of the kinds of security hardening implemented:
- Role-based Access Control
- TLS
- 2FA
- IP blocking and IP filtering
Access to data by Responser employees
Responser employees do not access customer data unless authorized by the customer (e.g. for support and troubleshooting). Strict security protocols limit access to the databases, including access for maintenance purposes.
All employees, who may have access to the platform and the underlying databases are based within the EEA.
Service access
All access to the platform is over HTTPS, i.e. TLS-encrypted connections (TLS being the successor to SSL), so access to the systems via a web browser is encrypted.
Accounts on our systems are accessed via the platform login.
Continuity and backups
Backups are taken daily on a rolling cycle, encrypted and stored in a secure location. Only Responser has access to these backups.
For disaster recovery we rely on each provider’s disaster recovery testing programme and restore data from the latest backup, so if a server fails we can migrate away from it or recover from the backups.
Responser employees
All Responser employees are trained and made aware of their responsibilities under GDPR. This includes their responsibilities with regards to access, security and processing of personal data made available by our customers from their use of the platform.
Physical security
Only our employees have access to our offices. Our customers’ data is stored on servers that can be reached only over encrypted connections from secured environments with 2FA logins. The servers themselves are operated by our pre-vetted hosting providers, and only their properly credentialed staff have physical access to them.
Third-party processors
Responser uses a number of third-party processors and services to process data as part of our service. Suppliers who process personal data on behalf of Responser have been identified and asked to provide details of their GDPR compliance and, where appropriate, to agree to new contractual arrangements. No new supplier is taken on unless we are satisfied that they comply with GDPR.
International Data Transfers & Third-Party Disclosures: where Responser stores or transfers personal information outside the EU/EEA, we have safeguards in place to secure, encrypt and maintain the integrity of the data. We carry out strict due diligence on all recipients of personal data to verify that they have appropriate safeguards in place to protect the information, ensure enforceable data subject rights and provide effective legal remedies for data subjects where applicable.
Changes to our approach
Should our approach to any aspect covered by this statement change in a way that affects a customer’s data, we will notify the customer within a reasonable timeframe.
Data breaches
In the unlikely event of a personal data breach (as defined in GDPR), we will notify you within 24 hours of the breach coming to our attention and keep you informed of any updates.
How our own compliance with GDPR helps our customers
Our own compliance also helps our customers meet their GDPR obligations, and this statement should go some way to explaining our approach. By using the Responser platform, customers can be assured that the processing we carry out on their behalf is GDPR compliant.
However, customers are reminded of their own GDPR duties. Whilst we provide some information within the platform about how our customers’ users can exercise their rights, it is important that our customers apply GDPR compliance to their own processing activity, which includes their use of Responser as a Data Processor. This means considering their own Data Protection Impact Assessment (DPIA), updating their privacy policy and ensuring that their use of the platform is compliant overall.
Data protection contact
Any questions, queries or requests for further information regarding our GDPR compliance should be sent to info@responser.com.
FAQ
What happens to customer data if they cancel their contract?
We securely delete the customer’s data and tracking code from our servers. Copies held in backups expire after 180 days.
Is data on your servers encrypted at rest?
Yes, data on all our sub-processors’ servers is encrypted at rest.
Do your services make use of any cookies or similar technology?
Yes, we set the cookies necessary for our services to function.
How do you ensure our data is not accessible to other customers?
We implement a role-based security system that ensures each customer’s data is protected from access by other customers, and we follow data protection best practices in general.
Are you ISO27001 certified or compliant?
No, Responser is not ISO 27001 certified yet.
Are you SOC 2 or other security standards accredited?
No, Responser is not SOC 2 accredited yet.
Are you Cloud Security Alliance (CSA) certified?
No, Responser is not CSA certified yet.
Have your services been audited according to any external standards?
Our code is continuously reviewed against best-practice code hygiene standards rather than audited against an external standard.
Have you carried out a Data Protection Impact Assessment (DPIA)?
Yes, we engaged a GDPR expert to review the platform’s processing activities and produce a DPIA for us as part of wider compliance work. The assessment concluded that we have implemented appropriate measures to mitigate the identified risks.
Have you appointed a Data Protection Officer (DPO)?
Given the nature of the platform’s processing activities, we are not required by GDPR to appoint a DPO.
How do you ensure your employees understand their GDPR obligations?
As well as making sure all our employees receive up-to-date GDPR training, we maintain an internal data protection policy which covers all aspects of GDPR as well as processes for dealing with specific circumstances, such as data security, data breaches, individuals’ rights and data retention.
These policies set out our expectations of employees with regards to GDPR and security compliance, whether at the office or working remotely. They are reviewed regularly (along with training) to ensure they are up to date.
How do you ensure you meet the GDPR requirements regarding accountability and ensuring compliance?
As well as employee training and policies, we also observe all the accountability obligations required by GDPR. This means that, where applicable, we maintain:
- A register of our processing activities both as a Data Controller and a Data Processor (which includes our lawful basis for processing personal data)
- A register of our third-party processors and sub-processors and the due diligence/contractual checks
- A register of data breaches and individuals’ right requests
We also ensure that where required we document our legitimate interest assessments and any risks from our processing (i.e. we carry out Data Protection Impact Assessments). Furthermore, we ensure we meet the requirements of the latest regulatory codes and best practice.