Last Modified: December 8, 2022
At Planhat, we are committed to upholding the principles of the General Data Protection Regulation (GDPR) and have worked hard to ensure that you as a customer (and we ourselves) are set up to meet the GDPR obligations. Not only is the GDPR an important step in protecting the fundamental right to privacy for European citizens, it also raises the bar for data protection, security and compliance in the industry. Below is a brief summary of some of the main points.
Servers & Security
For customers requiring GDPR compliance, all servers are located within the EU in ISO-certified data centers, including logs, backups, disaster recovery etc. Currently, our main European data centers, as well as disaster recovery and backups, are located in Belgium and the Netherlands.
In a few cases we depend on sub-processors (e.g. Google Cloud Platform) or technical support and development located outside the EU. In such cases we have a signed DPA with each sub-processor and they go through a selection process to ensure they have the required technical expertise and can deliver the appropriate level of security and privacy.
Data is encrypted, both in transit and at rest. Penetration tests are performed annually by an independent third party, and scans are performed regularly to ensure that any vulnerabilities are quickly found and patched. Furthermore, we make sure we’re up to date with the latest encryption, settings and software. We follow general industry best practices for all servers we manage, such as restricting server access within the team as much as possible and manually verifying all server access over an independent channel where relevant. Aggressive use of firewalls and separate customer databases are other examples of measures taken to reduce the attack surface of our systems. At the application level, two-factor authentication is offered and encouraged for all users.
Product & Data
Planhat (as a service provider and Processor) holds “Personal Data” about your end users, and (as a Controller) about our own end users as a tenant on our own Platform. Personal data about end users may include basic profile information (name, email, phone number, job title, notes etc.), conversations (email, support/chat, phone calls), and product usage tracking.
Given the nature of Planhat (B2B SaaS), the data we process about our own end users (Planhat users) relates only to their professional use of and interactions with Planhat. It does not relate to or impact their ordinary life, nor does anyone try to use the data to offer them services based on their behavior as a natural person. Processing this professional data is considered necessary to meet our service commitments, and we cannot imagine any other way to properly support our customers without a disproportionate effort. As a Planhat customer, it’s your responsibility to ensure that your own data is lawfully collected and used.
Right to Correct, Amend or Delete Personal Data
Removing data related to any of your end users is easy from the Planhat app or over the API; you don't even need to contact our support for it. Correcting or amending data is also easily done from within the app or over the API. If you’re a Planhat user and want us to correct or remove data, simply reach out to your CSM or our Data Protection Officer at firstname.lastname@example.org.
Removal of Old or Unused Data
Finding and removing customer (and end-user) profiles is easy using the built-in filtering features of Planhat. As the controller you can set the criteria yourself, for example removing all end users that haven’t been active for a certain number of months.
As a customer of Planhat you can easily export your data in JSON format over the API. The most relevant data can also be exported in spreadsheet format from within the app.
Planhat team members will only have access to your Personal Data if needed to meet the service requirement in accordance with the agreement.
Policies & Communication
Data Protection Officer
We’ve appointed a Data Protection Officer to oversee our data management and ensure that our processes, now and in the future, are in compliance with GDPR. Get in touch directly at email@example.com.
Data Processing Agreements (DPAs)
We’re working with all relevant vendors and sub-processors to make sure they’re GDPR-ready and that we have signed DPAs. A Customer Data Processing Agreement has also been included in our Terms of Service.
Information in Case of Data Breach
Each customer is responsible for keeping at least one Planhat user flagged as the point of contact for issues relating to data and Personal Information (“POC Data”). Planhat will notify these users in case of any data breach, at most 24h after learning about it and fixing the flaw. It is then the responsibility of these users to report this data breach to their end users in due time. In a similar way, Planhat is responsible for informing all Planhat users as appropriate should our own data have been compromised.