SaasAnt’s GDPR Commitment

We, at SaasAnt, Inc., are invested in the protection of our customers' data and privacy. We demonstrate our commitment by diligently complying with the General Data Protection Regulation (GDPR). SaasAnt works hard to stay up to date with new developments in the GDPR. We make continual efforts to adopt, implement and maintain industry best practices for data protection and privacy.

What is GDPR?

The GDPR plays a pivotal role in protecting the personal data of data subjects residing in the European Union (EU). The GDPR was conceptualised to strengthen and deliver the right to data protection of individuals in the EU and to give such individuals a greater say over how organisations collect, process and maintain their personal data. This has significantly changed the way personal data is collected, accessed and stored.

The GDPR focuses on principles such as transparency, lawfulness, security, and accountability among others and implements a new set of obligations on organisations. The GDPR applies to organisations located in the EU, and to companies which process the personal data of EU residents irrespective of whether the organisation is established in the EU.


What is SaasAnt’s role in processing its customer’s personal data?

The customer shall be the controller and we shall be the processor of our customer’s service data that is transmitted to us for the performance of our services to the customer. This means that we will process the customer data only on behalf of the customer. Whilst it is the responsibility of the customer to stay in compliance with its obligations as a controller, we shall assist the customer in abiding by such obligations, such as reporting security incidents, responding to data subject access requests, conducting data transfer impact assessments, etc. Additionally, we, as a processor, also abide by the data protection obligations imposed on us by the GDPR.

The following set of actions and measures undertaken by us outline our approach in data protection:

1. Contractual Commitments:

a. Data Processing Agreement: We are required to implement contractual commitments as a part of GDPR’s requirements. Our standard terms and conditions include a Data Processing Agreement that automatically applies when a customer signs up for our services. We work extensively with our legal team to ensure that the Data Processing Agreement incorporates evolving developments in the EU’s data protection law and is kept up to date.

b. Standard Contractual Clauses: GDPR requires one of the approved transfer methods to be put in place beforehand to ensure that the protection guaranteed within the EU travels with personal data when it is transferred to a third country outside the EU. The Standard Contractual Clauses (“SCCs”) are one such transfer method. The SCCs are a set of compulsory clauses required to be included in contracts between data exporters and data importers. Our Data Processing Agreement incorporates the updated SCCs published by the EU Commission on June 4th, 2021.

2. Privacy by Design:

We comply with the Privacy by Design principle of the GDPR and incorporate privacy in our organizational practices including product development. Our product is designed with privacy features that apply by default. Such features include the implementation of encryption in transit and encryption at rest in securing and protecting customer’s data, giving the customer more control over how their personal data are collected and processed, portability of data, and obtaining consent for the data that we hold, where applicable. Our product team works closely with our IT and legal teams to ensure that any new products, product updates, and features incorporate privacy by default and are rolled out with no risk to data security and privacy.

3. Security Measures to Protect Customer Data

We have set a high standard to implement security measures to protect customer data. We have implemented technical and organizational security measures to ensure protection of customer data. Additionally, we are in the process of obtaining various security certifications such as SOC 2 and SOC 3.

4. Internal Policies on Data Protection

We have established internal policies, guidelines, and processes concerning the handling of personal data by our employees, including policies on access control, confidentiality, data backup, data classification, data retention, data protection, encryption, security incident management, and password handling. Specifically, we also have an Information and Security Policy in place that contains the procedures and the technical and organizational measures that we follow to protect our customers’ data.

5. Accountability and Governance

We recognize the need to ensure that our employees understand the importance of data protection and are trained on the basic principles of GDPR. We extend training programs to our employees who handle personal data in the course of their employment in order to familiarize them with GDPR compliance. We also ensure that we implement measures to demonstrate that we fulfil obligations under GDPR.

6. Access requests and consent:

In the instances where we act as a controller, as detailed in our Privacy Policy, we honour requests submitted by data subjects to access, delete, or update their personal data. We have detailed the procedure in our Privacy Policy.

7. Marketing Communications and Cookies:

We only send marketing and promotional emails where we have obtained consent as required in the EU. We provide an opt-out mechanism in the emails that we send and maintain a do-not-disturb list of recipients who have unsubscribed from our marketing communications. Additionally, we obtain consent for non-essential cookies to ensure that we honour your choices.

Please contact us at gdpr@saasant.com if you need to know more about our compliance with GDPR.


Disclaimer:

The content above is provided for informational purposes only. The information shared here is not meant to serve as legal advice. You should work closely with your legal and other professional counsel to determine exactly how GDPR may or may not apply to you and how to comply with GDPR as applicable to you.