We support the GDPR and have worked hard to ensure that you as a customer (and ourselves) are set up to meet the GDPR obligations. Not only is the GDPR an important step in protecting the fundamental right of privacy for European citizens, it also raises the bar for data protection, security and compliance in the industry. Below is a brief summary of some of the main points.
Servers & Security
For customers requiring GDPR compliance all servers are located within the EU on ISO-certified data centers, including logs, backups, disaster recovery etc. Currently our main European data center is located in Germany with Disaster Recovery and backups in the Netherlands.
In a few cases we depend on sub-processors (e.g. Google Cloud Platform) or technical support and development located ouside of the EU. In such cases we have a signed DPA with each sub-processor and they go through a selection process to ensure they have the required technical expertise and can deliver the appropriate level of security and privacy.
Data is encrypted, both in transit and at rest and we’re continuously running third party scans to detect potential vulnerabilities and make sure we’re up to date with the latest encryption, settings and software. We follow general industry best practices for all servers we manage such as restricting server access within the team as much as possible and manually verifying all server access over an independent channel where relevant. Aggressive use of firewalls and separate customer databases are other examples of measures taken to reduce the attack surface on our systems. On application level, 2-factor-auth is offered and encouraged for all users.
Product & Data
Planhat (as a service provider and Processor) holds “Personal Data” about your endusers , and (as a Controller) about our own endusers as a tenant on our own Platform. Personal data about endusers may include basic profile information (name, email, phone number, job title, notes etc), conversations (email, support/chat, phone calls), and product usage tracking.
Given the nature of Planhat (SaaS B2B), the data we process about our own endusers (Planhat users) only relates to their their professional use of and interactions with Planhat. It does not relate to nor impact their ordinary life nor does anyone try to use the this data to offer them services based on their behaviour as a natural person. Processing this professional data is considered necessary to meet our service commitments, and we cannot imagine any other way to properly support our customers without a disproportionate effort. As a Planhat customer, it’s your responsibility to ensure that your own data is lawfully collected and used.
Right to correct, amend or delete personal data
Removing data related to any of your end-users is easy from the Planhat app or over API - you don't even need to contact our support for it. Correcting or amending data is also easily done from within the app or over API. If you’re a Planhat user and want us to correct or remove data simply reach out to your CSM or our Data Protection Officer at firstname.lastname@example.org
Removal of old or unused data
Finding and removing customer (and end-user) profiles is easy using the built in filtering features of Planhat. As the controller you can set the criteria yourself, for example removing all end-users that haven’t been active for a certain number of months.
As as customer of Planhat you can easily export your data in JSON format over the API. The most relevant data can also be exported in spreadsheet format from within the app.
Planhat team members will only have access to your Personal Data if needed for meeting the service requirement in accordance with the agreement.
Policies & Communication
Data Protection Officer
We’ve appointed a Data Protection Officer to oversee our data management to ensure that our processes now and in the future are in compliance with GDPR. Get in touch directly at email@example.com
Data Processing Agreements (DPAs)
We’re working with all relevant vendors and sub-processors to make sure they’re GDPR-ready and that we have signed DPAs. A Customer Data Processing Agreement has also been included in our Terms of Service.
Information in case of data breach
Each customer is responsible to keep at least one Planhat user flagged as point of contact for issues relating to data and Personal Information (“POC Data”). Planhat will notify these users in case of any data breach, 24h maximum after knowing about it and fixing the flaw. It is then the responsibility of these users to report this data-breach to their end-users in due time. In a similar way, Planhat is responsible for informing all Planhat users as appropriate should our own data have been compromised.