EU Data Protection & GDPR

Last revised on May 24, 2018, effective as of May 25, 2018

For the purpose of this guide, “Stuffix”, “we”, “us”, or “our” refers to Stuffix Inc., the provider of the Helprace website and services (collectively referred to as the “Helprace Service”).

Overview

Customer trust is a priority for Stuffix. We know that customer data is important to our customers’ values and operations. That is why we keep data private and safe.

Stuffix helps customers maintain control of their privacy and data security in a number of ways:

  • Data Security: We offer compliance with the highest security standards, such as encryption of data in transit over public networks, auditing standards (SOC 2, ISO 27001, ISO 27018), Distributed Denial of Service (“DDoS”) mitigations, and a team monitoring our systems 24/7.

  • Disclosure of Customer Service Data: We only disclose Service Data to third parties where disclosure is necessary to provide our services or as required to respond to lawful requests from law enforcement authorities.

  • Trust: We have developed security protections and control processes to help our customers ensure a secure environment for their data. Independent third-party experts have confirmed our adherence to high industry standards.

  • Data Hosting Locality: Customers who subscribe to the Complete plan have the ability to select the region (from the available Stuffix region options) where the data center which hosts their Service Data is located.

  • Access Management: Stuffix offers an advanced set of access features to help customers effectively protect their data. We do not access or use customer content or customer generated content for any purpose other than providing, maintaining and improving the Helprace Service and as otherwise required by law.

What is Service Data?

Service Data is any information, including personal information, which is stored in or transmitted via the Helprace Service, by, or on behalf of, our customers and their end users.

Who owns and controls Service Data?

From a privacy perspective, the customer is the controller of Service Data, and Stuffix is a processor. This means that throughout the time that a customer subscribes to the Helprace Service, the customer retains ownership of and control over Service Data in their account.

How does Stuffix use Service Data?

We use Service Data to operate and improve the Helprace Service, help customers access and use the Helprace Service, respond to customer inquiries, and send communication related to the Helprace Service.

What steps does Stuffix take to secure Service Data?

Data security is a priority at Stuffix. We combine enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer and business data is protected.

For example, Stuffix servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities. We engage third-party security experts to perform detailed penetration tests on a periodic basis, and a support team is on call 24/7 to respond to security alerts and events.

Where will Service Data be stored?

Stuffix has data centers in two main regions: United States and the European Union. Service Data may be stored in any region. Customers subscribed to the Complete plan can select the region in which data centers that host certain Service Data are located. Please see the Regional Data Hosting Policy for additional information.

How does Stuffix Respond to Information Requests?

We recognize that privacy and data security issues are a top priority for our customers. Stuffix does not disclose Service Data except as necessary to provide its services to its customers and to comply with the law, as detailed in our Privacy Policy.

How does Stuffix respond to legal requests for Service Data?

In certain situations, we may be required to disclose data (including personal information) in response to lawful requests by law enforcement authorities, including to meet national security or legal requirements. We may disclose data (including personal information) to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information with relevant law enforcement agencies or public authorities if we believe it to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service, or as otherwise required by law.

EU Directive

The EU Data Protection Directive (also known as “Directive 95/46/EC”) addresses the processing of personal information and the free movement of such data. Broadly, this Directive sets out a number of data protection principles and requirements which must be adhered to when personal information is processed.

Directive 95/46/EC established the Article 29 Working Party (“WP29”), which is comprised of representatives from the data protection authorities of all the EU Member States as well as from the European Commission. WP29 works to harmonize the application of data protection rules throughout the EU and also advises the EU Commission on the adequacy of data protection standards in non-EU countries.

How does the EU Directive apply to customers?

Stuffix customers that collect and store personal information are considered data controllers under Directive 95/46/EC. Data controllers bear the primary responsibility for ensuring that their processing of personal information is compliant with relevant EU data protection law, including Directive 95/46/EC and the GDPR as of May 25, 2018.

What is a Data Processing Agreement (“DPA”)?

Stuffix offers customers a Data Processing Agreement (“DPA”), governing the relationship between the customer (acting as a data controller) and Stuffix (acting as a data processor). The DPA facilitates Stuffix’s customers’ compliance with their obligations under EU data protection law and has been updated to confirm our compliance with the GDPR as and from May 25, 2018.

Does Service Data hosted in the EU ever leave that region?

Stuffix customers who subscribe to the Complete plan have the ability to select the region (from the available Stuffix region options) where the data center which hosts their Service Data is located. Please see our Regional Data Hosting Policy for further details. Otherwise, Stuffix may utilize any of its global data centers to host Service Data.

GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) is a European privacy law approved by the European Commission in 2016 that goes into effect on May 25, 2018. The GDPR replaces a prior European Union privacy directive known as Directive 95/46/EC, which has been the basis of European data protection law since 1995. The GDPR is an attempt to strengthen and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates how individuals and organizations may obtain, use, store, and remove personal information. Simply put, it gives EU citizens and residents control over their personal information while simplifying the regulatory environment for international business that takes place in the EU.

The Data Protection Principles include requirements such as:

  • personal information collected must be processed in a fair, legal, and transparent way and should only be used in a way that a person would reasonably expect.

  • personal information should only be collected to fulfill a specific purpose and it should only be used for that purpose. Organizations must specify why they need the personal information when they collect it.

  • personal information should be held no longer than necessary to fulfill its purpose.

  • Individuals covered by the GDPR have the right to access their own personal information. They can request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hindrance.

Why is it important?

GDPR adds a number of requirements regarding how companies should protect the personal information of individuals that they collect and process. This translates to heightened enforcement and greater fines for breaches. At Stuffix we prioritize the protection of your data, and we already have solid security and privacy practices in place which go beyond the requirements of this new regulation.

Stuffix GDPR Compliance

Below is an overview of how Stuffix meets the new regulation’s requirements. You can also find instructions on how to follow a particular GDPR requirement.

Transparency and Accountability


Purpose of the GDPR Obligation

Ensure transparent communication with data subjects regarding the processing of their personal information. Ensure data subjects are notified of their rights under the GDPR.

Features/Functionality Compliant with the GDPR Obligations That Affect You

Helprace’s Terms of Service and Privacy Policy offer a transparent notice to its customers.

Exceptions to the GDPR Obligation

A data controller is exempt from these obligations if it cannot identify which personal information in its possession relates to the relevant data subject (i.e., if personal information is anonymized and cannot be re-identified).

Access and Rectification


Purpose of the GDPR Obligation

Allow data subjects to require a data controller to rectify any errors in their personal information.

Features/Functionality Compliant with the GDPR Obligations That Affect You

Agents and Users have access to their profiles to rectify errors as detailed here for Agents and here for Users.

Exceptions to the GDPR Obligation

Giving this right to a data subject should not adversely affect a data controller’s intellectual property (i.e., giving access to a data subject should not require disclosure of trade secrets).

Right to be Forgotten


Purpose of the GDPR Obligation

Provide data subjects with the right to delete their personal information if the continued processing is not justified. (e.g., you may need to delete your customer’s personal information to comply with your GDPR obligations).

Features/Functionality Compliant with the GDPR Obligations That Affect You

We give customers the option to delete profiles, tickets, images, and attachments that may contain personal information in active Helprace accounts.

Exceptions to the GDPR Obligation

A company is not required to delete data, except when one of the following reasons is present:

  • The personal information is no longer needed in relation to the purposes for which it was collected or otherwise processed.

  • The data subject withdraws consent, and there are no other legal grounds for processing.

  • The data subject objects to processing, and there are no overriding legitimate grounds for processing.

  • The personal information has been unlawfully processed.

  • The personal information has to be erased for compliance with a legal obligation.

  • The personal information has been collected in relation to the offer of information society services to a minor under 16 years old.

Restriction of Processing


Purpose of the GDPR Obligation

Provide data subjects the right to limit the purposes for which the data controller can process personal information. (e.g., a customer has filed a complaint or lawsuit against you, and it is your policy to stop processing while the complaint or lawsuit is pending).

Features/Functionality Compliant with the GDPR Obligations That Affect You

Helprace gives its customers the ability to temporarily restrict access to end-user profiles (which include personal data) by deleting and later restoring them.

Exceptions to the GDPR Obligation

The requirement to restrict processing generally applies under the same circumstances as the right to be forgotten and/or:

  • The accuracy of the personal data is contested (and only for as long as it takes to verify that accuracy).

  • The processing is unlawful, and the data subject requests restriction (and the data subject is not exercising the right to be forgotten).

  • The data controller no longer needs the personal data for the original purpose but still requires it to establish, exercise, or defend a legal right.

  • Verification of overriding grounds is pending (in the context of a deletion request).

Data Portability


Purpose of the GDPR Obligation

Provide data subjects with the right to transfer their personal information between data controllers. (e.g., your customer requests you to export and provide them with all associated personal information that you store).

Features/Functionality Compliant with the GDPR Obligations That Affect You

Agents and End-Users can export their data using the Helprace API.

Exceptions to the GDPR Obligation

Inferred and derived personal information (e.g., a credit score or health assessment) is not included because it is not “provided by the data subject.”

Data controllers are not obligated to retain personal information simply for the purposes of providing a copy of the personal information pursuant to a potential data subject request.

Objection to Processing


Purpose of the GDPR Obligation

Provide data subjects with the right to transfer their personal information between controllers.

Features/Functionality Compliant with the GDPR Obligations That Affect You

We have documented and implemented internal mechanisms to:

  • Cease processing personal information based upon specific data subject requests, confirmed instructions by Helprace’s customer in its capacity of data controller, and the particular reasoning for objecting to processing.

  • Cease processing for direct marketing purposes upon request.

  • Cease processing of personal information for scientific, historical, or statistical purposes.

Exceptions to the GDPR Obligation

A data controller must cease processing upon request unless:

  • The data controller demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject.

  • The data controller requires the data in order to establish, exercise, or defend legal rights.

  • Processing for scientific, historical, or statistical purposes is carried out for reasons of public interest.

Data Processing Addendum

We offer a Data Processing Addendum (DPA) for our customers who collect data from customers or end-users in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers. Our DPA is a part of our Terms of Service and is effective starting on May 25, 2018. No action is needed on the part of current Stuffix customers.

In order to guarantee no terms are imposed on us beyond what is reflected in our DPA and Terms of Service, we cannot agree to sign customers’ DPAs. As a small team we are unable to make individual changes to our DPA since we do not have a legal team on staff. Any changes to the standard DPA would require legal counsel and a lot of back and forth discussion that would be cost-prohibitive for us.

If you have any questions or concerns please let us know.

Training and Awareness

We’ve formed a core privacy team of leaders from each area of Stuffix. They are our project managers who will ensure all the requirements of GDPR are covered, from Marketing to Engineering to People Operations. The team is responsible for developing the Stuffix GDPR awareness training program and validating that everyone at Stuffix understands, and is kept up to date on, the current regulation.

Consent

We’ve updated our Cookie Policy to provide you with complete transparency into what is being set when you visit our site and how it’s being used. Our cookie policy page also has steps you can take in order to control how your browser handles cookies.

Data Inventory

We have reviewed and identified all the areas of Stuffix where we are collecting and processing customer data, categorizing and taking inventory of everything from cookies to help desk conversations. Using this matrix we have validated our legal basis for collecting and processing personal information and double-checked that we apply the appropriate security and privacy safeguards across our entire infrastructure and software ecosystem. Our Privacy Policy describes what we are doing with the data we collect and how we manage consent.

Updates to Our Third Party Vendor Contracts

We have DPAs in place with our vendors who offer a signed version, while others are taking the same approach as us and having the DPA be automatically accepted as part of the Terms of Service on May 25th.

Clear and Concise Terms of Service and Privacy Policy

Here at Stuffix we practice transparency internally and we believe that transparency extends to our customers. With our updated Terms of Service and Privacy Policy we describe what personal information we collect and process; why and how we use it; who we share it with and how long we store it for. We made an effort to keep the language in our Terms of Service and Privacy Policy as clear as possible, making sure to describe how we respect and protect your personal information. We hope you find it concise, transparent, and easy to follow.

Risk Assessment (data protection impact assessments)

Having a managed data protection impact assessment (DPIA) process is a requirement of the GDPR. A DPIA process is simply a way to help us identify and minimize the data protection risks of a project. The Stuffix engineering team has always exercised security and privacy due diligence when making tooling and implementation decisions, so this requirement is an easy one for us. Any time we introduce a change to the way we handle personal information, we spend time discussing the potential impact on Stuffix customers and possible privacy and security risks to personal information. If a risk is identified, no matter how small, our product and engineering teams collaborate on a solution that will mitigate such data privacy and security risks to anyone who interacts with Stuffix offerings. We will continue to execute this risk assessment process as we grow and expand Stuffix.

Breach Management

We already have a breach management and communication plan in place to support the requirements of HIPAA. We have updated this existing process to comply with the GDPR regulations concerning the escalation process and requirements for notifying data subjects.

We Are Here for You

We are working with our customers to answer any questions and address any concerns regarding how we protect their personal information as we get ready for GDPR. If you have any questions, please don’t hesitate to contact us.