WHAT IS GDPR?
The EU General Data Protection Regulation (GDPR) came into effect on May 25, 2018.
DOES GDPR AFFECT YOU?
If you’re based in the EU or do business in the EU, then the answer is YES! GDPR has a long reach. If you have any EU personal data in your WebVets account, such as names, email addresses, ID numbers, or… anything personally identifiable, then GDPR applies. You are a Controller of personal data under GDPR, so you need to enter into GDPR-compliant data processing agreements with any online services and third party vendors you rely on, including WebVets. These agreements are commonly called a Data Processing Addendum, or DPA. Also, in the the event of infringement of these laws, you can face fines and penalties from 10 million to 20 million or 2% to 4% of the annual revenue of the organization depending upon whichever is higher.
OUR COMMITMENT TO GDPR
DATA PROCESSING ADDENDUM
If you need to comply with GDPR and you’re using WebVets, then legally you’ll need to enter into a Data Processing Addendum (DPA) with WebVets. Processing EU personal data must be governed by a GDPR-compliant contract. We provide a standard Data Processing Addendum (DPA) to extend GDPR privacy principles, rights, and obligations everywhere personal data is processed.
WebVets participates in the EU-US and Swiss-US Privacy Shield Framework to safeguard the transfer of personal data to the US, thus meeting the GDPR requirement for adequate data protection laws.
WebVets uses third party subprocessors, such as cloud computing providers and customer support software, to provide our services. We enter into GDPR-compliant data processing agreements with each subprocessor, extending GDPR safeguards everywhere personal data is processed.
Subprocessors located in the United States:
- Amazon Web Services : Cloud services provider
- Braintree : Payment processing services
- Google Analytics : Web analytics service
- Postmark : Email delivery services
- HelpScout : Help desk software
CHECKLIST FOR DATA CONTROLLERS
GDPR regulations require the following of any company or organization that is outsourcing the personal data of its’ customers or clients to a 3rd party software supplier:
You should be able to answer and/or assess the following.
DO YOU HAVE A DATA PROCESSING AGREEMENT (DPA) WITH THE SOFTWARE SUPPLIER?
DO THE DATA PROCESSOR USE DATA PROCESSORS OF THEIR OWN? DO THEY HAVE DPAS WITH THESE?
You can see a list of the subprocessors that WebVets uses above. Yes, we have DPAs in place with each one.
DID YOUR COMPANY / ORGANIZATION DO A RISK ASSESSMENT OF THE OUTSOURCING?
You can see a list of the subprocessors that WebVets uses above. You can use this information to make your risk assessment.
DID YOUR COMPANY / ORGANIZATION ASSESS THE DATA PROCESSOR’S ABILITY TO COMPLY WITH THESE REQUIREMENTS?
The information on this page is as transparent as we can possibly be. You can use this information to make your assessment.
HOW DOES YOUR COMPANY / ORGANIZATION AUDIT THE DATA PROCESSOR’S ABILITY TO COMPLY WITH THE DPA?
You’ll have to use the information we provided both on this page and in our DPA to make your audit.
IS PERSONAL INFORMATION BEING TRANSFERRED TO ANOTHER COUNTRY? DOES THIS TRANSFER COMPLY WITH THE REQUIREMENTS ?
WebVets is a participating member in the EU/US and Swiss-US Privacy Shield Framework.
DOES THE DATA PROCESSOR HAVE A PROCEDURE FOR INFORMING CUSTOMERS ABOUT PRIVACY BREACHES?
WebVets is committed to the following actions within 72 hours of any security breach: Carrying out an investigation, informing both regulators and individuals of a breach, disclosing what personal data has been impacted and how, and how the issue will be addressed moving forward. If, for whatever reason, we are not able to complete these steps within 72 hours, we will provide reasonable justification for the delay. Historical data on security breaches as well as announcements of known breaches will be reported
HOW CAN THE DATA PROCESSOR ASSIST WITH YOUR CUSTOMER’S REQUESTS, COMPLAINTS IN TERMS OF THEIR RIGHTS WITHIN THE GDPR?
You can contact us directly at email@example.com with your requests.
HOW CAN CUSTOMERS ACCESS THEIR DATA STORED IN THE SOFTWARE SOLUTION?
WebVets provides an self actuated export functionality for all Contact data, including any associated personal information or created custom fields.
IF WE CANCEL OUR ACCOUNT AND NO LONGER USE THE SOFTWARE, WILL THE DATA PROCESSOR DELETE THE DATA?
WebVets will hold your account for up to 3 months just in case you decide to return, but after that your data will be automatically deleted. If you request that your data is deleted in advance of this automated process, we will comply if we can establish that the requester has the proper authority to make such a request.
WHO IS DOING THE BACKUP OF CUSTOMER DATA, HOW OFTEN AND USING WHAT METHOD?
All of WebVets’s customer’s data & files are backed up multiple times per day using the industry standard snapshot method, and stored in a redundant fashion across the Amazon AWS data center network. These backups are encrypted at rest and are automatically deleted when they reach 14 days of age.