The landmark European privacy law - GDPR (the General Data Protection Regulation) is due to take effect on May 25th, 2018. The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. The GDPR expands the privacy rights granted to EU individuals, and it places many new obligations on organizations that market to, track or handle EU personal data, no matter where an organization is located. It only reinforces our belief that data privacy is an essential individual right and we’re excited about reviewing and updating our policies to make sure that you and your data are always safe and secure! The changes are being rolled out globally and are made across all accounts, regardless of whether they are in the EEA (European Economic Area) or not.
We believe GDPR is a required step towards the standardization of security measures across all geographical regions. acharta has always been committed to ensuring the highest standards for data security and data privacy, and GDPR only takes us closer to that goal by standardizing the process. We are actively preparing our business and compliance processes for GDPR to take effect, and this page will inform you further on how those changes will affect you and your business.
GDPR is the most noteworthy milestone in the space of Data Privacy Regulations and how we think of it. We welcome this milestone in Data Privacy Regulations and would love to share the steps we are taking to make sure we are GDPR friendly on or before May 25th, 2018.
When is the GDPR coming into effect?
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation takes effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by national governments, meaning it will be in force in May 2018.
Who does the GDPR affect?
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What constitutes personal data or Personally Identifiable Data (PID)?
Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, or medical information, to a computer IP address.
How do you define a data processor and a data controller?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. acharta is both a data processor and a data controller.
What are we doing for GDPR?
Updated privacy policy, terms and conditions and cookie policies
We've updated our terms and conditions, privacy policy and cookie policy to incorporate GDPR's requirements.
Consent / Explicit Opt-in During Signup
Acharta explicitly asks for consent for activity tracking via cookies and provides opt-in / opt-out mechanisms for promotional emails. acharta's signup mechanism also requires you to accept the terms and conditions explicitly.
Data Processing Agreements
Strong data protection commitments are an essential component of GDPR’s requirements. As a controller, acharta has an obligation to only work with data processors that provide sufficient guarantees. As part of our preparation, we have eliminated data processors that do not provide these guarantees. We work with data processors like Intercom, Mixpanel, Freshdesk, Stripe and Hubspot.
Right to Portability / Export Data Feature
You have the right to move your data out of acharta to other systems. acharta provides the capability to export your expense data in Excel format and your bills in a consolidated PDF format, which can then be uploaded to a system of your choice. acharta allows account owners to download all of their data held in acharta in standard formats like CSV / Excel and PDF. These options are available within the application.
Right to be Forgotten / Delete Account Feature
You have the right to be forgotten, i.e., to request erasure of all data concerning you in acharta, and we will fulfil the request without undue delay. We've introduced a feature in the product for account owners to delete their account and all information from acharta and its data processors. Account owners can also send a note to privacy@acharta.com if they require assistance on this front.
Security
Acharta is an enterprise product trusted by small and large enterprises alike. We conduct Vulnerability Assessment and Penetration Testing exercises every 6 months and share the results with customers upon request. As part of our roadmap, we will be obtaining ISO 27001 certification and SOC 2 compliance.
Subprocessor List
To support delivery of our services, acharta may engage and use data processors ("Subprocessors") with access to certain personal information. This section provides information about the identity and role of each Subprocessor we use.
Hubspot - CRM
Segment - Product analytics
Mixpanel - Product analytics
AWS - Storage and compute infrastructure
Hotjar - User behavior analytics
Sentry - Crash reporting
Freshdesk - Support tickets
Stripe - Billing
Sendgrid - Emails
Freshchat - Support chat
Delighted - NPS measurements
Postmark - Incoming receipt mail processing
Natero - Customer success and health
Twilio - SMS
Slack - Messaging and notifications
Microsoft Teams - Messaging and notifications
Smartlook - User behavior analytics
Additional Resources
To know more about GDPR, please go here. For any questions or concerns related to GDPR, please feel free to get in touch with us at privacy@acharta.com and we'd be happy to chat with you! We'll be announcing GDPR-related updates on a rolling basis up until GDPR is enforced on May 25, 2018. We will keep adding updates to this page, so please keep an eye out for them.
Disclaimer
The content above is provided for informational purposes only. The information shared here is not meant to serve as legal advice. You should work closely with legal and other professional counsel to determine exactly how the GDPR may or may not apply to you.