Thank you for entrusting FirstOfficer with your financial information and your customers' Personal Data. It's a serious responsibility and we have always treated all your data with great care. Now FirstOfficer is fully committed to achieving EU General Data Protection Regulation (“GDPR”) compliance before 25th May, 2018.
GDPR says that we ought to tell you what we do with Personal Data. It also says that we ought to use human-friendly language.
What you need to do
If you're a FirstOfficer account owner and you want your business to be GDPR compliant, here's what you should do:
- Sign our Data Processing Agreement (DPA). GDPR requires that you have a written agreement in place when you give someone your customers' Personal Data. We handle your customers' Personal Data in a GDPR-compliant way whether or not you have signed this DPA. This DPA is for you, so that you can prove that you have truly checked out the third parties with whom you share data.
Note: This page is not intended to provide legal advice. We recommend you consult your own legal counsel.
What we do at FirstOfficer
We are fully committed to complying with GDPR so that you can do the same, and so we have done a ton of work to meet the regulation's requirements as well as our small team possibly can.
Here is a condensed version of our GDPR roadmap and where we are at the moment.
- We have a Data Protection Officer
- We store your customers' Personal Data in EU
- We have audited all third parties for GDPR compliance
- We have created a Data Processing Agreement for our customers
- We have created a process and policy to handle personal data requests
- We have changed FirstOfficer's UI to support "Explicit Consent" and "Opt-Out"
- We have audited our security practices
- We have created a Data Breach Policy
- We have updated our policies to be GDPR-compliant
We have a Data Protection Officer
Our DPO is:
If you have any security or privacy concerns, please email to: email@example.com
There is also a higher-level supervisory authority to which you can complain if we don't do our part.
We store your customers' Personal Data in USA
Our company runs FirstOfficer.io from Canada (CAN). Our databases and file systems that contain your customers' personal data are located in the United States (USA).
We have audited all third parties for GDPR compliance
We have gone through each and every service that we use to make sure they either don't gain access to personal data or that they are GDPR-compatible. We have been especially careful with all the parties who handle your end-users' personal and financial data. Here's a complete listing of the services that see your end-users' personal data.
We have signed a Data Processing Agreement (or Data Processing Addendum, as US folks call it) with everyone who collects or handles any personal data. That way we contractually bind them to keep any information we share with them as confidential and to process Personal Data only according to our instructions.
We have created a Data Processing Agreement for our customers
While in principle the DPA should be drawn up by you, explaining how you want FirstOfficer to treat your customers' personal data, we just don't have the legal resources to review custom DPAs.
We have created a process and policy to handle personal data requests
We have created a policy for handling data requests, in which we explain what we do if you use FirstOfficer and your customer asks us to delete or export their data. GDPR Page makes the process secure by requiring people to prove their identity, so that we do not leak personal data through these requests.
We have changed FirstOfficer's UI to support "Explicit Consent" and "Opt-Out"
You now have to explicitly agree to our Terms of Service when you sign up. We also show the cookie consent banner.
We have audited our security practices
Database data is encrypted at rest and all data is encrypted in transit. The critical fields in the database are encrypted as well.
An AWS certified expert has audited our AWS S3 setup.
We have signed up for services that will notify us about data breaches.
We have informed all our personnel about GDPR and audited the personnel data risk.
We have created a Data Breach Policy
We have updated our policies to be GDPR-compliant
Pretty much everything has been updated, so you'll have a lot of reading to do.
If you have questions about your business and the GDPR, we highly encourage you to seek legal counsel. However, if there’s a FirstOfficer-specific GDPR question, please contact us by email: firstname.lastname@example.org
1216321 BC LTD
475 Regency Pl
Please also feel free to check out our guide on Privacy Shield, the agreement between the US and the EU relating to personal data.