Zapflow and GDPR

25 May 2018 marked the start of enforcement of the European Union’s General Data Protection Regulation. This new piece of legislation has had a great impact on anyone whose business involves handling personal data about EU residents or within the EU. This also applies to information Zapflow users gather from target companies and their stakeholders.

This article provides an overview of the data-related roles and responsibilities when you’ve chosen Zapflow as your deal management platform and explains our efforts to live up to the values and requirements of the GDPR.

Zapflow as the data processor

The people you store in Zapflow as Contacts are your data subjects, and you are considered the data controller for this personal data.

Using Zapflow to manage your customers means that you have engaged Zapflow as a data processor to carry out certain processing activities on your behalf. According to Article 28 of the GDPR, the relationship between the controller and the processor needs to be set out in writing (electronic form is acceptable under subsection (9) of the same Article).

This is where our Terms of Service and Privacy Policy come in. These two documents also serve as your data processing contract, setting out the instructions you are giving to Zapflow regarding processing the personal data you control and establishing the rights and responsibilities of both parties. Zapflow will only process your data based on your instructions as the data controller.

Data transfers

Zapflow uses sub-processors such as Amazon Web Services, on which the Zapflow platform runs. This means your data may be transferred to a trusted third party for sub-processing, as with any other modern cloud-based system.

We will keep an up-to-date list of sub-processors in our Terms of Service to be transparent about these transfers. We also make sure our third-party service providers have either certified under the EU-US Privacy Shield framework or signed the EU Commission’s standard contractual clauses for data transfers with us.

Zapflow as the data controller

Zapflow also acts as the data controller for the personal data we collect about you, the user of our web app, mobile apps, and website.

First, we process data that is necessary for us to perform our contract with you (GDPR Article 6(1)(b)).

Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)).

Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f). By “legitimate interests”, as defined in the law, we mean our ability to

· Improve the app to help you get even more value out of Zapflow

· Ensure your data and Zapflow’s systems are safe and secure

· Market our product & features responsibly

As the controller for your personal data, Zapflow is committed to respecting all your rights under the GDPR. If you have any questions or feedback, please reach out to legal@zapflow.com.

What is Zapflow doing for the GDPR?

Zapflow is up to speed with the implications that the EU General Data Protection Regulation has for businesses. We appreciate the privacy needs of our users as well as their stakeholders and, as such, have implemented — and will continue to improve — technical and organizational measures in line with the GDPR to safeguard the personal data processed by Zapflow.

Security and data transfers

Any access to the Client Data that we process on your behalf is strictly limited. Our internal procedures and logs make sure that we meet the GDPR accountability requirements in this regard.

We make sure that third parties meet the high expectations that Zapflow and its customers have when it comes to privacy and security.

Readiness to comply with subject access requests

Data subjects’ ownership of their personal data is at the very core of the GDPR. We have created tools for you to handle requests related to data subjects. Of course, we are also happy to comply with your requests related to Zapflow.

Documentation

Our Terms of Service and Privacy Policy are constantly being revised to increase transparency and to make sure the documents meet GDPR requirements.
