We have implemented processes and procedures to ensure we meet both our Data Controller and Data Processor obligations. With the addition of a few new processes to support Data Subject requests, has determined that our current security controls, and certifications including ISO 27001 and Privacy Shield, allow us to adhere to the GDPR’s requirements applicable to’s business. This assessment includes supporting our customers in meeting their GDPR obligations.

To determine our readiness for GDPR, conducted a gap analysis of our current capabilities and validated that assessment.
It is important to note that GDPR does not have an accredited certification method. That means, there is no GDPR-approved way to demonstrate compliance. We believe our customers will appreciate that we are voluntarily undergoing an audit with a respected firm to obtain their opinion.

Here is what has done to meet our GDPR obligations and help our customers do the same:

Privacy Shield and Data Transfer currently complies with current EU and EEA data protection laws as they stand today regarding the onward transfer of data subject information to a data processor. As a customer, we understand that you are entrusting us with your data. Therefore, takes a principled approach to privacy and security - we were an early adopter and comply with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EEA to the United States. Privacy Shield was designed with many of the privacy concepts that are in GDPR in mind. You can view a description of how we comply with the Privacy Shield Principles in our Privacy Policy. To learn more about the Privacy Shield Framework and the scope of our participation, visit the U.S. Department of Commerce website.

Privacy Shield allows to meet the current privacy requirements of Europe for onward transfer by doing the following privacy principles:
Accountability for Onward Transfer
Data Integrity and Purpose Limitation
Recourse, Enforcement and Liability

Standard Contractual Clauses (Model contract clauses)

Additionally, signs Data Processing Agreements (DPA) with customers who need them. Where necessary, includes standard model clauses for transfer to third-party countries (the current bar set by the EU Commission). These clauses ensure our customers can transfer data to countries outside of the EEA for use in our system. Further, has DPAs in place with all sub-processors where legally required.
Security has already implemented many strong data security requirements and controls to protect our customers data - many of which already meet GDPR standards. maintains ISO 27001 certification. ISO 27001 is a security management standard that specifies security management best practices and controls based on ISO 27002 best practice guide. As an ISO 27001-certified organization, there is a high level of integration between the ISO 27002 code of practice and the Information Security Management System (ISMS). The ISO 27001 certification validates our security and meets many of the requirements of GDPR. maintains a SOC 2 Type II accreditation report. The SOC 2 evaluates controls that are relevant to the principles of security, availability, and confidentiality. This is a rigorous assessment that tests the operating effectiveness of our controls over a defined period, demonstrating and documenting our compliance with controls pertaining to security, availability, and confidentiality. has strong data protection controls, which includes encryption in transit and encryption at rest of customer data, to safeguard data subject’s data from unintended disclosure or misuse. rigorously tests its product to remedy proactively vulnerabilities and follows industry best practices and guidance in information security. maintains incident response and notification processes. These procedures are tested annually. has procedures in place to ensure data recovery and data integrity, so that customer lost or inadvertently corrupted. provides assurances that the customer retains full control of their data.’s key data sub-processors, i.e. Microsoft Azure & Netlify, all maintain rigorous security standards (SOC2 and/or ISO 27001 certifications, where possible), and undergo annual vendor reviews.