Gist and GDPR Compliance
As a company, we strive to be as transparent as we can about our business, and GDPR has given us an opportunity to help you understand how we use the data you share with us. We are fully committed to providing features in Gist that help make your use of Gist GDPR compliant.
The GDPR (General Data Protection Regulation) is a new, comprehensive data protection law in the EU that comes into effect on May 25, 2018. It replaces the 1995 EU Data Protection Directive (DPD). The GDPR significantly strengthens the protection of EU citizens' personal data and increases the obligations of businesses that collect or process personal data.
The full text of the GDPR can be found here.
Does the GDPR affect your business?
Most likely, it does. Even if your business is registered outside of the EU, the GDPR applies to you if you hold or process the data of any EU citizen. While the previous legislation (the 1995 EU Data Protection Directive) governed only businesses located within the EU, the GDPR also applies to non-EU businesses that market their products to EU citizens or monitor the behavior of people in the EU. Hence, even if you're based outside of the EU, the GDPR applies to you if you control or process the data of EU citizens.
How is Gist preparing for the GDPR?
Here's an overview of the steps we at Gist have taken to make your use of Gist GDPR compliant.
Right to be forgotten: Under GDPR, each of your subscribers in the EU has the right to erasure (the right to be forgotten), meaning they can contact you and ask you to delete all of their personal data from our systems. You can delete all of a person's personally identifiable data by selecting them on your People page and deleting them.
Right to access and data portability: You can request an export of your own personally identifiable information or that of your customers. The process for submitting individual personal data export requests will be available in your Project Settings starting May 25th. You can also export your data as JSON files using our REST API.
Right to object: We have also updated our People deletion API so you can now blacklist people from ever being tracked by our systems. This API call does not just delete the person's information; it also prevents that information from being sent to any third-party services connected to Gist and prevents the person from being re-tracked and reappearing in Gist.
Right to rectification: You can change or update your customer's personal information from within their profile page.
Data Processing Agreement: As part of GDPR's requirements, we've updated our data processing agreement with our customers, detailing our commitments to privacy as a data processor and setting the terms under which Gist and our customers meet all GDPR obligations. If you're one of our customers and need to sign a Data Processing Agreement with us, please fill out this form.
Vendor compliance: We've also reviewed our vendors to make sure they are GDPR compliant and have signed GDPR-ready data processing agreements with them.
New security measures: We redesigned our internal processes to give data security a greater role in our products. Security is a priority for us, and we have a dedicated security team whose job is to ensure that your customer data and your customers' personal data are kept safe. We regularly run data audits, vulnerability scans, penetration tests, and bug fixes.
What you can do
- Get familiar with the GDPR requirements and how they affect your company
- Get explicit confirmation (opt-in) from existing subscribers (using tags)
- Review how you process and store your customer data
- Consider how you can leverage Gist to help with your GDPR compliance
- Talk to your lawyer about what your company needs to do with regard to compliance
Note: The suggestions above are intended to be informational and are not to be considered professional or legal advice.
Last updated: April 8, 2021
AWS - the bulk of user data is hosted in AWS
Stripe - payment data, including user emails and company names, is maintained in Stripe
Zapier - some user data is sent to Zapier for forwarding to some of our other subprocessors, such as Slack
Slack - user data is sometimes discussed in chat in Slack
Segment - user data is tracked in Segment for forwarding to other subprocessors, such as Mixpanel
Sendgrid - user emails are sent to Sendgrid for transactional and marketing email purposes
Conflux - user names and emails are stored in Conflux for feature request tracking
Bugsnag - user data is stored in Bugsnag for exception/error tracking
Mixpanel - user data is tracked in Mixpanel for analytics purposes
New Relic - user data is tracked in New Relic for infrastructure monitoring
Docusign - user data for legal purposes is maintained in Docusign
If you have any further questions, please start a Live Chat: just click the chat icon in the lower right corner to talk with our support team.