LEGAL

GDPR

Thank you for entrusting FirstOfficer with your financial information and your customers' Personal Data. It is a serious responsibility and we have always treated all your data with great care. FirstOfficer is fully committed to achieving compliance with the EU General Data Protection Regulation ("GDPR") before 25 May 2018.


GDPR says that we ought to tell you what we do with Personal Data. It also says that we ought to use human-friendly language.

If you were invited to FirstOfficer just to view the metrics, please see our Privacy Policy to find out how we handle your Personal Data. This page is not meant for you.


What you need to do

If you're a FirstOfficer account owner and you want your business to be GDPR compliant, here's what you should do:


Sign our Data Processing Agreement (DPA).


GDPR requires that you have a written agreement in place when you give someone your customers' Personal Data. We handle your customers' Personal Data in a GDPR-compliant way whether or not you have signed this DPA. The DPA is for you, so that you can prove that you have truly vetted the third parties you share data with.


Make sure your Terms of Service or Privacy Policy communicate to your users that you are using FirstOfficer (and any other similar services) on your website or app. Also let them know what data you share with us.


What we do at FirstOfficer

We are fully committed to complying with GDPR so that you can do so as well, and we have done a ton of work to fulfil the regulation as best our small team possibly can.


We store your customers' Personal Data in the USA


We have audited all third parties for GDPR compliance
We have created a Data Processing Agreement for our customers
We have created a process and policy to handle personal data requests
We have changed FirstOfficer's UI to support "Explicit Consent" and "Opt-Out"


We have audited our security practices
We have created a Data Breach Policy


We have updated our policies to be GDPR-compliant

You can find a more detailed list of tasks on our official GDPR Page, which collects together all GDPR actions and data partners.

We have a Data Protection Officer


Our DPO is:
Mark Henderson
dpo@firstofficer.io


If you have any security or privacy concerns, please email dpo@firstofficer.io. There is also a higher-level authority, your data protection supervisory authority, with which you can lodge a complaint if we don't do our part.

We store your customers' Personal Data in the USA

Our company runs FirstOfficer.io from Canada (CAN). The databases and file systems that contain your customers' Personal Data are located in the United States (USA).


We have audited all third parties for GDPR compliance


We have gone through each and every service that we use to make sure that they either do not gain access to personal data or that they are GDPR-compliant. We have been especially careful with all the parties who handle your end-users' personal and financial data.


We have signed a Data Processing Agreement (or Data Processing Addendum, as it is usually called in the US) with everyone who collects or handles any personal data. That way we contractually bind them to keep any information we share with them confidential and to process Personal Data only according to our instructions.


We have created a Data Processing Agreement for our customers


While in principle the DPA should be drawn up by you, explaining how you want FirstOfficer to treat your customers' personal data, we simply don't have the legal resources to go through custom DPAs. That's why we have written out how we safely process that data and offer a DPA that you can sign at our DPA self-service point. The service is provided by GDPRpage.com.


We have created a process and policy to handle personal data requests


We have created a policy for handling data requests, explaining what we do if you use FirstOfficer and your customer asks us to delete or export his/her data. GDPR Page makes the process secure by requiring requesters to prove their identity, so that we do not leak personal data through these requests.

 

We have changed FirstOfficer's UI to support "Explicit Consent" and "Opt-Out"


You now have to explicitly agree to our Terms of Service when you sign up. We also show a cookie consent banner.


We have audited our security practices

DB data is encrypted at rest and all data is encrypted in transit. The critical fields in the DB are encrypted at the field level as well.


An AWS certified expert has audited our AWS S3 setup.


We have signed up for services that will notify us about data breaches.

We have informed all our personnel about GDPR and audited the personnel data risk.


We have created a Data Breach Policy


You can find it included in our Privacy Policy.

We have updated our policies to be GDPR-compliant


Pretty much everything is updated, so you'll have a lot of reading to do.

Contact Us


If you have questions about your business and the GDPR, we highly encourage you to seek legal counsel. However, if there is a FirstOfficer-specific GDPR question, please contact us by email at dpo@firstofficer.io


FirstOfficer.io by
1216321 BC LTD
475 Regency Pl
Victoria, BC
CANADA


Please also feel free to check out our guide on Privacy Shield, the agreement between the US and the EU relating to transfers of personal data.