General Data Protection Regulation(GDPR) compliance

GDPR(General Data Protection Regulation) aims to strengthen data privacy and data protection for European Union(EU) citizens and must be followed by all companies that have customers from the EU. GDPR will come into effect in May 25th, 2018 and if you have EU customers, you will need to become compliant.

Is Kompassify GDPR compliant?

Yes. Kompassify achieved compliance with GDPR

Does it affect me?

Yes, most likely. If you hold or process the data of an any person in the EU, the GDPR will apply to you, whether you’re based in the EU or not.

How Kompassify prepared for GDPR

Our teams worked hard to ensure we complied with GDPR. This was a massive overhaul of processes and data models to make sure we met our legal obligations, and did the best thing for our customers while still letting us move fast, scale and build great products.

Personal information we hold

There are two type of entities using Kompassify products:

Our customers (ie. the operators using the Kompassify Dashboard to create product tours to their users)
- Email
- First and last name
Our customers end-users (ie. the users of our customers)
- We don't hold any personal informations about our customers end-users (we only store the IDs of Kompassify finished and started product Tours)

* For all two parties we do store the IP address for fraud analysis and data security to:

Detect and block fraudulent sign ups
Ban IPs with suspicious behavior
Rate limit API requests and mitigate DDOS attacks associated to certain users

Stored data location

All Kompassify's data is held on servers hosted in Germany.

Data security and data breaches

We take data protection and security very seriously at Kompassify. We constantly monitor for security flaws and unauthorized access and we will take action immediately if something suspicious is been detected. In an unlikely case of a data breach, we willl notify all of our customers within 72 hours after the breach was detected.

Some of the preventive measures we take include:

Encrypted HTTPS communication layers for all data transfers
Isolated data containers and data network
Powerful firewalls to prevent and mitigate different types of attacks and data leaks
Use of 2-Factor-Authentication on all our sensitive accounts
Multiple encrypted backups at database and disk level, stored for one week
Data retention for expired trial and cancelled users of 2 years and 5 years for the rest

Data subject rights

Kompassify customers rights regarding to GDPR are considered and enforced, including:

Right To Be Informed: we clearly inform our users about the use that will be made of their data
Right To Access: our users can access all their data, without restriction, from Kompassify dashboard
Right To Be Object: we handle all requests on this matter from our users and users' end-users (contact us)
Right Of Erasure: it's as simple as contacting us, we'll process all your erasure queries
Right To Data Portability: our users may contact us anytime if they wish to get an export of their data
Right To Rectification: it's as simple as contacting us, we'll process all your rectification queries
Right not to be subject to automated decision-making including profiling: we don't do that (and never will)

Subject access requests

Kompasify replies to all access requests (positively or negatively) under 1 week (the legal limit from GDPR is 1 month). We offer this free of charge for our customers (paid and free).

Consent

Consent is provided by our users explicitly when proceeding an action or task (eg. when they provide user data). Kompassify allows its customers to submit user data in an automated way, via a frontend JavaScript API and backend REST API,

GDPR-ready Privacy and Cookie Policy

We updated our privacy policy and cookies policy to be GDPR compliant. We also added cookie consent banner to our website to make sure we store cookies only after consent is given.