At Eduflow, we worked hard to prepare for the EU General Data Protection Regulation (GDPR), to ensure that we fulfil its obligations and maintain transparency about customer messaging and how we use data.
Here’s an overview of GDPR, and how we prepared for it at Eduflow:
What’s GDPR?
The GDPR is a comprehensive data protection law that came into effect on May 25, 2018. It replaced existing EU law to strengthen the protection of “personal data” and the rights of the individual. It's a single set of rules which governs the processing and monitoring of EU data.
Does it affect me?
Yes, most likely. If you hold or process the data of any person in the EU, the GDPR will apply to you, whether you’re based in the EU or not.
How Eduflow prepared for GDPR
Our teams worked hard to ensure we complied with GDPR. This was a massive overhaul of processes and data models to make sure we met our legal obligations, and did the best thing for our customers while still letting us move fast, scale and build great products.
Here are the main things we did:
We built new features
Our teams built new features to enable our users to easily meet their GDPR obligations. We have been building an API to help you export all your data, and if you need to get your data out without using the API, just reach out to us.
We have designed functionality to permanently delete data linked to a user, a course and an institution. To initiate deletion of users, courses and institutions, reach out to us and we will make sure the data is properly deleted from all of our systems.
If a user has not been active for two years, we will initiate a process to determine if their data should be deleted from our systems automatically.
We updated our Data Processing Agreements (DPAs):
Strong data protection commitments are a key part of GDPR’s requirements. Our updated data processing agreement shares our privacy commitments and sets out the terms for Eduflow and our customers to meet GDPR requirements. You can read our DPA at https://bit.ly/3aTFhXK, and if you want to get it signed, contact [email protected].
We certified for International Data Transfers:
The EU-US Privacy Shield is a framework negotiated and agreed by the European Commission and U.S. Department of Commerce as a lawful way of transferring personal data.
To comply with EU data protection laws around international data transfer, we self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield frameworks.
We appointed a Data Protection Officer
We have a dedicated Data Protection Officer to oversee and advise on our data management. Get in touch through the messenger or by emailing [email protected].
We coordinated with our vendors
We’ve reviewed all our vendors, found out about their GDPR position, and signed Data Processing Agreements with them.
We took new security measures
Security is a priority for us. We have regular external audits and penetration tests. We’ve built a robust security framework, achieving international compliance standards (SOC2, CSA and Privacy Shield), and reviewed our internal access design to ensure the right people have access to the right level of customer data.
We’ll keep sharing information on our progress, and we’ll help our customers and prospective customers be compliant.