Thank you for entrusting FirstOfficer with your financial information and your customers’ Personal Data. It’s a serious responsibility and we have always treated all your data with great care. Now FirstOfficer is fully committed to achieving EU General Data Protection Regulation (“GDPR”) compliance before 25th May, 2018.
GDPR says that we ought to tell you what we do with Personal Data. It also says that we ought to use human-friendly language.
If you’re a FirstOfficer account owner and you want your business to be GDPR compliant, here’s what you should do:
Note: This page is not intended to provide legal advice. We recommend you consult your own legal counsel.
We’re fully committed to complying with GDPR so that you can do that as well, and so we’ve done a ton of work to fulfil the regulations as best as our small team possibly can.
Here is a condensed version of our GDPR roadmap and where we are at the moment.
You can find a more detailed list of tasks at our official GDPR Page which collects together all GDPR actions and data partners.
Our DPO is:
If you have any security or privacy concerns, please email to: firstname.lastname@example.org
There is also a higher level authority where you can complain if we don’t do our part.
Our company runs FirstOfficer.io from Canada (CAN). Our databases and file systems that contain your customers’ personal data are located in the United States (USA).
We have gone through each and every service that we use to make sure they either don’t gain access to personal data or that they are GDPR-compatible. We have been extra careful with all the parties who handle your end-users’ personal and financial data. Here’s a complete listing of the services that see your end-users’ personal data.
We have signed a Data Processing Agreement (or Data Processing Addendum, as US folks call it) with everyone who collects or handles any personal data. That way we contractually bind them to keep any information we share with them as confidential and to process Personal Data only according to our instructions.
While in principle the DPA should be made by you, explaining how you want FirstOfficer to treat your customers’ personal data, we just don’t have the legal resources to go through custom DPAs.
We have created a policy to handle data requests where we explain what we do if you use FirstOfficer and your customer asks us to delete or export his/her data. The GDPR Page makes the process secure by requiring people to prove their identity, so that we are not leaking personal data through these requests.
You now have to explicitly agree to our Terms of Service when you sign up. We also show the cookie consent banner.
DB data is encrypted at rest and all data is encrypted in transit. The critical fields in the DB are encrypted as well.
An AWS certified expert has audited our AWS S3 setup.
We have signed up for services that will notify us about data breaches.
We have informed all our personnel on GDPR and audited the personnel data risk.
Pretty much everything has been updated, so you’ll have a lot of reading to do.
If you have questions about your business and the GDPR, we highly encourage you to seek legal counsel. However, if there’s a FirstOfficer-specific GDPR question, please contact us by email: email@example.com
1216321 BC LTD
3-775 Central Spur Road
Please also feel free to check out our guide on privacy shield, the agreement between the US and EU relating to personal data.