At Gist, we are committed to maintaining the trust and confidence of our customers. We understand the importance of data protection and have taken extensive measures to be GDPR compliant. This guide aims to provide detailed insight into GDPR laws, their applicability, and how Gist adheres to these regulations.
Understanding GDPR
GDPR (General Data Protection Regulation) is a comprehensive data protection law that came into force in the EU on May 25, 2018, replacing the 1995 EU Data Protection Directive (DPD). It strengthens the protection of EU citizens' personal data and increases the obligations of businesses that collect or process this data.
For the full text of the GDPR, click here.
How GDPR Affects Your Business
Whether your business is registered within or outside the EU, GDPR applies if you hold or process data of any EU citizen. It even extends to non-EU businesses that market their products to people in the EU or monitor their behavior.
How Gist complies with GDPR
At Gist, we have undertaken several measures to ensure your use of our platform aligns with GDPR compliance. Here's an expanded overview of the steps:
Consent: We've introduced a feature that allows you to add a consent checkbox to your forms and popups. This provides an explicit means for users to agree with your terms and privacy policy before subscribing. In addition to this, consent will be requested from visitors who leave their email in the chat messenger. We will keep a record of consent for each subscriber so that the timestamp and method of their subscription can be tracked.
Right to be forgotten: GDPR gives your subscribers the right to erasure, also known as the right to be forgotten. They can contact you and request the deletion of all their personal data from our systems. We've added an option within the Contacts page that allows you to select and delete users, ensuring all their personally identifiable data is removed.
Right to access and data portability: GDPR allows individuals to request access to their personal data and to move it elsewhere. Gist makes it possible for you to request an export of your own personally identifiable information or that of your customers. You can also export your data as JSON files using our REST API, which makes data portability easier.
Right to object: In accordance with GDPR, users have the right to object to the processing of their personal data. We've updated our Contacts deletion API to allow you to blacklist people from being tracked by our systems. This API call not only deletes the personal information but also prevents the information from being sent to any third-party services connected to Gist. It also blocks the person from being re-tracked and re-appearing in Gist.
Right to rectification: The GDPR allows individuals to have inaccurate personal data rectified or completed if it is incomplete. We've incorporated a feature that allows you to change or update your customer's personal information directly from within their profile page on Gist.
Data Processing Agreement: One of the GDPR's requirements is to have a comprehensive data processing agreement between data processors and data controllers. We've updated our data processing agreement with our customers, clearly detailing our commitments to privacy as a data processor and establishing the terms for Gist and our customers to meet all GDPR obligations. If you’re one of our customers who needs to sign a Data Processing Agreement with us, please fill out this form here.
Vendor compliance: A crucial part of GDPR compliance involves ensuring that any third-party vendors that handle personal data are also GDPR compliant. We've conducted thorough reviews of our vendors to ensure they meet these standards and have signed GDPR-ready data processing agreements with them.
New security measures: Protecting the personal data we handle is of utmost importance to us. We've made data security a top priority in our product development process. We have a dedicated security team responsible for ensuring that your data and your customers' personal data are kept safe. We regularly run data audits, vulnerability scans, and penetration tests, and we apply bug fixes promptly to strengthen our data security measures.
These proactive steps illustrate Gist's commitment to GDPR compliance and our dedication to maintaining the security and privacy of our users' data.
How You Can Be Compliant
To assist you in ensuring GDPR compliance, you can consider the following steps:
- Familiarize yourself with the GDPR requirements.
- Map out your data processing activities.
- Leverage Gist's resources for GDPR compliance.
- Consider privacy when planning your product roadmap.
- Consult with a lawyer about your company's specific needs.
- Stay updated with guidelines from the European Data Protection Board.
Note: This list is informational and is not to be considered professional or legal advice.
Our Sub-Processors
Last updated: April 8, 2023
- AWS - the bulk of user data is hosted in AWS
- Stripe - payment data, including user emails and company names, is maintained in Stripe
- Zapier - some user data is sent to Zapier for forwarding to some of our other subprocessors, like Slack
- Slack - user data is sometimes discussed in chat in Slack
- Segment - user data is tracked in Segment for forwarding to other subprocessors, like Mixpanel
- Sendgrid - user emails are sent to Sendgrid for transactional and marketing email purposes
- Conflux - user names and emails are stored in Conflux for feature request tracking
- Bugsnag - user data is stored in Bugsnag for exception/error tracking
- Mixpanel - user data is tracked in Mixpanel for analytics purposes
- New Relic - user data is tracked in New Relic for infrastructure monitoring
- Docusign - user data for legal purposes is maintained in Docusign
We hope this guide provides you with a thorough understanding of GDPR and how Gist ensures compliance with it. If you have any further queries, please don't hesitate to contact us.