Kissflow

GDPR

25.09.2024

The new European General Data Protection Regulation (GDPR) came into force from May 25th, 2018. Since the regulation was announced last year, Kissflow has been working towards becoming GDPR compliant. For this purpose, we made a lot of changes to our processes related to data security and how we handle personal data.

We had sent out an email blast to all our customers two weeks before the regulation came into force, informing them about changes to the terms of service and privacy policy. We mentioned some of the changes we are internally working on pending to be completed before the 25th of May.

Today, we are happy to announce that Kissflow is GDPR compliant.

Kissflow’s Journey Towards GDPR Compliance

1. Identifying Internal Data Collection mechanisms and mapping it to Personal Data being collected.

The first step we took towards GDPR was to identify and document all the channels and mechanisms we use to collect Personally Identifiable Data from EU Data Subjects. We mapped the type of personal data being collected to the channels for better identification.

2. Purpose limitation, Data minimisation and Storage limitation

Once we mapped the Personal Data with the data collection channels, we made sure controls are in place so that the collected data is processed only for the purpose it was collected. We also removed any personal data that was not business critical and defined how long stored this data.

3. Data Protection Impact Assessment

We carried out Data protection impact assessments (DPIA) to help identify, assess and mitigate or minimise privacy risks with data processing activities.

4. Legal basis for Processing Data

Kissflow uses Consent, Legitimate Interest and Contracts as a legal basis to process depending on the personal data we collect. We identified the legal basis and mapped itto personal data we collect.

5. Individual Rights

We created our own internal process on how we respond and resolve requests from data subjects regarding individual rights. These rights include right to information, right to rectification, right to access, right to erasure, right to restrict processing, right to data portability, right to object or right not to subject to automated decision making including profiling.

6. Security

We conduct regular vulnerability tests and annual penetration testing as part of our ISO 27001 audits. We make sure suitable security measures are in place to ensure the confidentiality, integrity, and availability of Information. We also use pseudonymisation through encryption and Hashing to make sure all personal data is protected. We are taking appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

7. Processing of Personal Data outside of EU

Kissflow has defined a Data Processing Addendum (DPA) with the latest Standard Contractual Clauses enabling Kissflow to process personal data outside of the EU region under GDPR.

8. Sub-processors

Kissflow has signed agreements with Sub-processors instructing them how to process personal data and also ensuring they are GDPR compliant too.

9. Privacy Policy and Data Processing Agreement

We updated our updated Privacy Policy which now describes how we collect, use, share and process EU data subject’s personal data and our customer’s personal data as both Controller and a Processor.

We also created a Data Processing Addendum, which regulates our responsibilities as a host, thus allowing our clients to have GDPR compliant sites themselves, if they need to. This document also describes how we communicate to the customers if there’s a breach and respond to requests from data subjects.

10. Website updation

We updated our website to display the cookie policy. We also now require our users to consent to our Terms of Service and Privacy policy before signing up.

GDPR is not a one-time effort. It’s a continuous process and we will be making sure we review our processes regularly to make sure we do not breach any obligations set forth by GDPR and also closely follow more updations to the regulation.

If your business processes the personal data of EU data subjects and you want to run that data through Kissflow, we’ve got you covered.