Updated – May 22, 2018
ProcessMaker is committed to complying with the General Data Protection Regulation (GDPR), a new EU data privacy regulation effective May 25, 2018. The regulation gives EU citizens more control over their personal data and unifies a number of existing privacy and security laws under one comprehensive law.
At ProcessMaker we understand that compliance with a new set of privacy laws can be challenging, and we are here to help with your GDPR compliance initiative by providing you with state-of-the-art, GDPR-compliant services.
Our legal and security experts have closely analyzed the requirements of the GDPR and continue to monitor new guidance on best practices for implementing the GDPR requirements. We have updated our products, contracts, and policies to ensure compliance with the GDPR. We are also dedicated to helping our customers succeed in complying with GDPR.
Steps ProcessMaker is Taking for GDPR Compliance
ProcessMaker has implemented a company-wide GDPR compliance strategy. Below are a few examples of initiatives ProcessMaker has committed to in order to satisfy GDPR requirements that apply to both ProcessMaker and our customers:
- We have ensured our products and services are delivered in accordance with ISO27001, ISO27002 and ISO27018 standards. These standards mirror many of the security and privacy requirements of the GDPR and give our customers a transparent framework to measure our development and data management practices.
- When processing personal data regulated under the GDPR, we commit to follow any additional security and privacy measures required under the GDPR.
- Where we have transferred personal data outside of the EU, we are committed to appropriate data transfer mechanisms as required by the GDPR.
- We have ensured that applicable users can access and update their personal data (access to most data resides in our service).
- Should a breach occur, we will notify regulators, customers, and users promptly as required by the GDPR.
- We require vendors that handle personal data to meet data management, security, and privacy best practices and standards.
- We have carried out data impact assessments and consulted with EU regulators where appropriate.
- ProcessMaker employees and contractors have been trained in how to handle customer personal data. They are bound to maintain strict confidentiality and security of that data.
GENERAL DATA PROTECTION REGULATION FAQS
DOES ProcessMaker PROCESS THE PERSONAL DATA OF ITS CUSTOMERS?
WHAT PERSONAL DATA DO WE PROCESS?
For most users, this is limited to “business card” information of users that register for the service. In other words, we obtain a user’s name and email address, and an IP address for session security purposes. We may obtain your phone number, and you can put your picture on your account if you would like to personalize your interactions with other users. Unlike many other SaaS companies, we do not process personal information outside of that user information (and require that customers not provide us with any other such personal information).
WHERE DOES ProcessMaker STORE AND PROCESS MY DATA?
Our goal is to provide our customers with secure, fast, and reliable services. Today, ProcessMaker stores data in its AWS data center located in the United States. In order to bring you world-class products, and to provide 24×7 support coverage and maintenance, ProcessMaker may also allow employees and contractors located outside the U.S. (including the European Union, Argentina, Australia, and Canada) to access certain data for product development, and customer and technical support purposes. Such disclosures are compliant with the law and for the limited purpose described.
HOW CAN I MANAGE MY PERSONAL DATA THAT IS STORED BY ProcessMaker?
If you are using ProcessMaker at your organization, you will need to contact your administrator for information on how you can access, rectify, export or erase your personal data. You can also contact us directly at [email protected] if you have any additional requests or questions.
IS ProcessMaker E.U.-U.S. PRIVACY SHIELD CERTIFIED?
ProcessMaker is actively working to attain EU-U.S. and Swiss-U.S. Privacy Shield certification with respect to the personal data we receive and process through our services. We will update this document once we’ve received that certification. ProcessMaker certifies its adherence to the Privacy Shield principles of notice, choice, onward transfer, security, data integrity, access, and enforcement for personal data submitted by our customers in participating European countries through the services.
DOES ProcessMaker ENTER INTO GDPR-COMPLIANT DATA PROCESSING AGREEMENTS (DPA)?
For our customers:
ProcessMaker will enter into DPAs with our customers who are data controllers and have purchased a subscription to our business process management software via a written agreement. We provide a GDPR-compliant DPA that is customized to our service, and invite such customers to complete and execute our GDPR-compliant DPA by requesting our ProcessMaker Customer Data Processing Addendum. It is a very easy document to sign electronically.
ProcessMaker is committed to our customers’ success and the protection of customer data, which is why our customers can count on our commitment to GDPR compliance.
- Privacy: You own your data, and we’re committed to protecting your privacy.
- Security: ProcessMaker maintains customer security as our highest priority.
- Compliance: We maintain strict standards for achieving legal, regulatory and industry compliance frameworks such as SOC, PCI and CSA-Star.
- Policies and reports: We actively promote our information security policy library allowing customers insight into our data handling requirements.
- More information: You can find more detailed information about the GDPR from the European Commission website.