Thank you for entrusting FirstOfficer with your financial information and your customers’ Personal Data. It’s a serious responsibility and we have always treated all your data with great care. Now FirstOfficer is fully committed to achieving the EU General Data Protection Regulation (“GDPR”) compliancy before 25th May, 2018.

GDPR says that we ought to tell you what we do with Personal Data. It also says that we ought to use human-friendly language.

If you were invited to FirstOfficer just to view the metrics, please see our Privacy Policy to find out how we handle your Personal Data. This page is not meant for you.

What you need to do

If you’re a FirstOfficer account owner and you want your business to be GDPR compliant, here’s what you should do:

  1. Sign our Data Processing Agreement (DPA). GDPR requires that you have a written agreement at place when you give someone your customers’ Personal Data. We handle your customers’ Personal Data in GDPR-compliant way, no matter if you have signed this DPA or not. This DPA is for you, so that you can prove that you’ve truly checked out the third parties who you share data with.
  2. Make sure your Terms of Service or Privacy Policy communicate to your users that you are using FirstOfficer (and any other similar services) on your website or app. Also let them know what data you share with us. Here’s a pre-made snippet that you can use.

Note: This page is not intended to provide legal advice. We recommend you consult your own legal counsel.

What we do at FirstOfficer

We’re are fully committed to complying with GDPR so that you can do that as well, and so we’ve done a ton of work to fulfil the regulations as best as our small team possibly can.

Here is a condensed version of our GDPR roadmap and where we are at the moment.

You can find a more detailed list of tasks at our official GDPR Page which collects together all GDPR actions and data partners.

We have a Data Protection Officer

Our DPO is:
Mark Henderson

If you have any security or privacy concerns, please email to:

There is also a higher level authority where you can complain if we don’t do our part.

We store your customers’ Personal Data in USA

Our company runs from Canada (CAN). Our databases and file systems that contain your customers’ personal data are located in the United States (USA).

We have audited all third parties for GDPR compliancy

We have gone through each and every service that we use to make sure they either don’t gain access to personal data or that they are GDPR-compatible. We have been extra special careful with all the parties who handle your end-users personal and financial data. Here’s a complete listing of services who see your end-users’ personal data.

We have signed a Data Processing Agreement (or Data Processing Addendum, as US folks call it) with everyone who collects or handles any personal data. That way we contractually bind them to keep any information we share with them as confidential and to process Personal Data only according to our instructions.

We have created a Data Processing Agreement for our customers

While in principle the DPA should be made by you, explaining how you want FirstOfficer to treat your customers’ personal data, we just don’t have legal resources to go through custom DPAs.

That’s why we’ve written out how we safely process that data and offer a DPA that you can sign at our DPA self-service point. The service is provided by

We have created a process and policy to handle personal data requests

We have created a policy to handle data requests where we explain what we do if you use FirstOfficer and your customer asks us to delete or export his/her data. GDPR Page makes the process secure by forcing people to prove their identity so that we are not leaking personal data through these requests.


We have changed FirstOfficer’s UI to support “Explicit Consent” and “Opt-Out”

You now have to explicitly agree to our Terms of Service when you sign up. We also show the cookie consent banner.

We have audited our security practices

DB data is encrypted at rest and all data is encrypted in transit. The critical fields in the DB are encrypted as well.

An AWS certified expert has audited our AWS S3 setup.

We have signed up for services that will notify us about data breaches.

We have informed all our personnel on GDPR and audited the personnel data risk.

We have created a Data Breach Policy

You can find it included to our Privacy Policy.

We have updated our policies to be GDPR-compliant

Pretty much everything is updated, you’ll have a lot of reading to do.

Contact Us

If you have questions about your business and the GDPR, we highly encourage you to seek legal counsel. However, if there’s a FirstOfficer-specific GDPR question, please contact us by email: by
1216321 BC LTD
3-775 Central Spur Road
Victoria, BC

Please also feel free to check out our guide on privacy shield, the agreement between the US and EU relating to personal data.