GDPR Compliance
Docupilot, Inc.’s GDPR Commitment
At Docupilot, Inc., we are dedicated to safeguarding our customers' data and privacy. Our commitment to data protection and security is reflected in our adherence to the EU General Data Protection Regulation ("GDPR"). We track guidance and case law that affect how the GDPR is applied, and we make ongoing efforts to adopt, implement and maintain industry best practices for data protection and privacy.
What is the GDPR?
The GDPR is a comprehensive data protection law that protects the personal data of individuals in the European Union ("EU"). Its introduction significantly changed the way personal data is collected, accessed and stored. The GDPR was introduced to strengthen the right to data protection for individuals in the EU and to give them greater control over how companies and organisations collect, process and retain their personal data. It introduces principles such as transparency, lawfulness, security and accountability, among others, together with a new set of obligations on organisations. The GDPR applies to organisations established in the EU, and also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, irrespective of where the organisation itself is established.
What role does Docupilot, Inc. play in processing its customer’s personal data?
When we process personal data forming part of the customer's service data that is transmitted to us for the performance of services to the customer, the customer is the controller and we are the processor. This means that we process the customer's service data only on behalf of, and on the documented instructions of, the customer. While it remains the customer's responsibility to comply with its obligations as a controller, we assist the customer in meeting those obligations as required under applicable data protection laws, for example by reporting security incidents, responding to data subject access requests, supporting data transfer impact assessments, and responding to correspondence or enquiries from a data protection authority. Additionally, as a processor, we abide by the data protection obligations the GDPR imposes on us directly.
- Privacy by Design: We adhere to the GDPR's Privacy by Design principle, integrating privacy into our organizational practices, including product development. Our product is designed with privacy protections that apply by default, such as encryption of customer data both in transit and at rest. These features allow customers to control how personal data is collected and processed, support data portability, and obtain consent for the data we hold, where applicable. One significant product feature is the short retention period for the portion of the customer's service data that relates to end-users (any third party whose data the customer uploads to Docupilot). By default, end-user data is deleted within 24 hours, and the customer has the option to shorten the retention period for this portion of the service data to 30 minutes. Our product team collaborates with our IT and legal teams to ensure that new products, product updates and features incorporate privacy by default and are assessed for data security and privacy risk before they are rolled out.
- Security Measures to Protect Customer Data: We hold ourselves to a high standard in implementing security measures to protect customer data. We are in the process of obtaining independent attestations, such as a SOC 2 report, that demonstrate our commitment to implementing these measures.
- Internal Policies on Data Protection: We have developed and implemented internal policies, guidelines and processes governing how our employees handle personal data, including policies on access control, confidentiality, communications and network security, data backup, data classification, asset management, data retention, data protection, data breach notification, encryption, endpoint security, HR security, security incident management, media disposal, operations security, password management, physical security of our premises, organization of information security, risk assessment and management, and vendor and vulnerability management. In particular, we have established an Information Security Policy that sets out the procedures and the technical and organizational measures we follow to protect our customers' data.
- Accountability and Governance: We recognise that our employees must understand the importance of data protection and be trained in the basic principles of the GDPR. We provide training programs to employees who handle personal data in the course of their work, covering the basic tenets of the GDPR and how to comply with them. Additionally, we maintain records and measures that allow us to demonstrate our fulfilment of our GDPR obligations.
- Access requests and consent: Where we act as a controller, as detailed in our Privacy Policy, we honour requests from data subjects to access, update or delete their personal data. Our Privacy Policy sets out the detailed procedure for submitting these requests.
- Contractual Commitments:
- Data Processing Agreement: We put in place the contractual commitments required by the GDPR. Our standard terms and conditions include a Data Processing Agreement that applies automatically when customers in the EU subscribe to our services. We work closely with our legal team to ensure that the Data Processing Agreement reflects developments in EU data protection law and is kept up to date.
- Standard Contractual Clauses: The GDPR requires one of its approved transfer mechanisms to be in place before personal data is transferred to a third country outside the EU, so that the protection guaranteed within the EU travels with the data. The Standard Contractual Clauses ("SCCs") are one such mechanism: a set of pre-approved clauses that must be incorporated, without modification, into the contract between the data exporter and the data importer. Our Data Processing Agreement incorporates the updated SCCs adopted by the European Commission on 4 June 2021.
- Onward Compliance: Before engaging vendors that will process personal data on our behalf, we conduct due diligence to evaluate their security, privacy and confidentiality practices. We also enter into written agreements with them that impose data protection obligations equivalent to those the GDPR imposes on us.
- Marketing Communications and Cookies: We send marketing and promotional emails only with the consent required in the EU. Every marketing email we send includes an opt-out mechanism, and we maintain a do-not-contact list of recipients who have unsubscribed from our marketing communications. Additionally, we obtain consent before setting non-essential cookies, so that your preferences are respected.
Please contact us at support@docupilot.app if you need to know more about our compliance with GDPR.
Disclaimer: The content above is provided for informational purposes only and is not intended to serve as legal advice. You should work closely with your legal and other professional counsel to determine how the GDPR applies to you and what compliance requires in your circumstances.