GDPR Compliance Status of QuoteRules
On 25 May 2018, the European Union brings into force the General Data Protection Regulation (GDPR). The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data, making data protection a fundamental right of individuals in the EU.
Companies with business or customers in the EU need to ensure they are GDPR-compliant, and also that their providers (like QuoteRules) are GDPR-compliant. We write this to affirm that QuoteRules is GDPR-compliant and strictly applies the EU's rules on the protection and storage of user data. Our Data Processing Agreement (DPA) is kept up to date and contains the list of our providers (sub-processors) at all times.
QuoteRules and GDPR
The General Data Protection Regulation is summarized in the points below. In this article we identify and explain the crux of this EU law and describe how QuoteRules complies with it.
All of QuoteRules's backend partners (such as Stripe, SendGrid, monday.com and Chargebee) are also GDPR compliant; refer to our DPA for the full list of providers.
Awareness
We at QuoteRules have made sure that all employees responsible for software development and infrastructure maintenance are aware of the GDPR's data protection requirements.
In addition, the Data Protection Officer (listed at the end of this article) reviews code before any deployment to the platform. This ensures that security weaknesses and bad practices are not introduced by, e.g., a temporary third-party contractor or a QuoteRules employee, even one who is aware of the GDPR requirements; it acts as a second human safety check.
Information we hold
QuoteRules stores data on two kinds of parties:
- Companies that use our products, i.e. our customers who pay us.
- The customers of the companies that use our products, i.e. their customers who pay them.
QuoteRules never shares, re-sells or distributes any kind of data, and data from neither of these parties is used for advertising. Our business model and revenue stream are based solely on paid subscriptions (i.e. neither our users nor their users are our product).
Information held on our users
QuoteRules collects account information about our customers, limited to:
- The customer's first and last name, email, phone number and profile picture
- Their payment details, including invoicing information such as company address and country (the credit card number itself is stored by Stripe and Chargebee, not by QuoteRules)
Our system also logs the IP address, the demographic information derived from it, the user agent and the time of connection of visitors. These logs are used solely for showing analytics to our clients and for debugging, and, on that lawful basis, we retain them for a maximum of one year. This log retention policy is subject to the law of the United States: if a court sends us a search warrant, we must respond and provide logs of up to one year that contain the requested information.
Information held on our customers’ end-users
Information held on our customers' end-users includes:
- Their email address (if provided by the end-user, which implies consent)
- Their phone number (if provided by the end-user, which implies consent)
- Their message exchanges
- Their activity date and time
- Their IP address
- Their demographic information, derived from their IP address
- Basic profile information
- Any other information given by our customers
Information entered into our dashboard by the customer's end-users is the sole responsibility of the company in question (i.e. the individual website using QuoteRules). It is the responsibility of these companies and individuals to manage the data they hold in their QuoteRules Dashboard, i.e. to remove sensitive data if their end-users happen to share it with them (e.g. Social Security Numbers, government IDs or proofs of address). It is QuoteRules's responsibility to restrict access to this data, so that only the website operators can access it, rectify it and delete it.
Communicating Privacy Information
We at QuoteRules believe not only in consent, but in informed consent. Our Privacy Information page explains in clear terms the privacy terms that apply to QuoteRules customers and users.
The privacy terms of our client companies (i.e. the websites that use QuoteRules) are the sole responsibility of those customers and must be published on the customers' own websites.
Individuals Rights
The crux of the GDPR is to give individuals in the EU a fundamental right to data protection (it applies to anyone in the EU, not only to EU citizens). Under it, data subjects, which includes both our customers and their end-users, have the following rights.
- The right to be informed: we at QuoteRules strive to clearly inform our users about the use that will be made of their data.
- The right of access: all our users can access all of their data, without restriction, from the QuoteRules apps.
- The right to rectification: we will help you process all rectification requests.
- The right to erasure: we will process all erasure requests.
- The right to restrict processing: we do not process our customers' data (or their end-users' data) outside our own platform.
- The right to data portability: users can request an export of their data at any time. This process can take some time given our isolated data stores.
- The right to object: the QuoteRules team is ready to handle all requests on this matter from our users and our users' end-users; simply contact us.
- The right not to be subject to automated decision-making, including profiling: QuoteRules does not do this.
Subject access requests
QuoteRules replies to all subject access requests (whether granting or refusing them) within three weeks; the legal limit under the GDPR is one month, extendable by a further two months for complex or numerous requests. We offer this free of charge to all our customers, on paid and free plans alike.
A lawful basis for processing personal data
QuoteRules only stores user transmission data that involves consent (emails or chats where the conversation was willingly initiated by both parties).
Consent
Consent is given explicitly by our customers when they perform an action or task (e.g. when they provide user data).
Data transmission to QuoteRules can be automated using webhooks and/or email. Such data must have been provided by the customer's user with consent, since it is propagated to QuoteRules automatically once the customer has integrated the API in their own code.
Children
QuoteRules, being a B2B company, does not and will not offer online services to children, which is why we do not have age restrictions for users signing up for our services.
We understand, however, that children might interact with one of our Live Chat tools on the website or app of a QuoteRules customer. In that case it is the customer's responsibility to check their own users and activities against the regulations concerning children; note that under Article 8 of the GDPR, an online service offered directly to a child requires parental consent below the applicable age threshold (16 by default, which member states may lower to no less than 13).
Data Breaches
The QuoteRules team closely monitors our systems for unauthorized access attempts. We have various measures in place to reduce the likelihood of a successful attack, reflected in our track record: in more than a year of operation, QuoteRules has had zero major security incidents. Should a personal data breach nevertheless occur, Article 33 of the GDPR requires that it be reported to the supervisory authority within 72 hours of becoming aware of it, and that we, as a processor, notify the affected customers (the controllers) without undue delay.
We aim to stay vigilant, so we welcome researchers and users reporting security flaws to us. We pay bounties for valid security flaws that are reported to us responsibly.
To that end, we take the following measures to protect our customers' data:
- Serve all traffic over HTTPS only.
- Store passwords only as salted, computationally expensive hashes, never in plaintext.
- Aggressive use of firewalls and network isolation in our infrastructure.
- Two-factor authentication on all our sensitive accounts (e.g. hosting provider).
- Isolate data stores and sensitive backends.
Data Protection by Design and Data Protection Impact Assessments
When QuoteRules develops new software, security is built in alongside the features from the start rather than added afterwards. All QuoteRules developers are trained in software and network security, so that every product of ours you use follows current best practice.
Data Protection Officers
QuoteRules has designated a Data Protection Officer, as required by the GDPR:
Name: Inderjit
Email: indr.sidhu@gmail.com