Thank you for entrusting FirstOfficer with your financial information and your customers' Personal Data. It's a serious responsibility and we have always treated all your data with great care. Now FirstOfficer is fully committed to achieving the EU General Data Protection Regulation (“GDPR”) compliancy before 25th May, 2018.
GDPR says that we ought to tell you what we do with Personal Data. It also says that we ought to use human-friendly language.
If you're a FirstOfficer account owner and you want your business to be GDPR compliant, here's what you should do:
Sign our Data Processing Agreement (DPA). GDPR requires that you have a written agreement at place when you give someone your customers' Personal Data. We handle your customers' Personal Data in GDPR-compliant way, no matter if you have signed this DPA or not. This DPA is for you, so that you can prove that you've truly checked out the third parties who you share data with.
Note: This page is not intended to provide legal advice. We recommend you consult your own legal counsel.
We’re are fully committed to complying with GDPR so that you can do that as well, and so we’ve done a ton of work to fulfil the regulations as best as our small team possibly can.
Here is a condensed version of our GDPR roadmap and where we are at the moment.
You can find a more detailed list of tasks at our official GDPR Page which collects together all GDPR actions and data partners.
Our DPO is:
If you have any security or privacy concerns, please email to: firstname.lastname@example.org
There is also a higher level authority where you can complain if we don't do our part.
Our company Turbine Room Ltd runs FirstOfficer.io from Finland (EU). Our databases and file systems that contain your customers' personal data are located in the EU (Ireland).
However, some of our partners do move your own personal data to US, when you browse FirstOfficer.io.
We have checked that all our partners who move your data to US either have a Privacy Shield at place or we have signed an agreement with them that bounds them to follow Standard Contractual Clauses. That way we know that they ought to handle your data in GDPR-compliant way.
We have gone through each and every service that we use to make sure they either don't gain access to personal data or that they are GDPR-compatible. We have been extra special careful with all the parties who handle your end-users personal and financial data. Here's a complete listing of services who see your end-users' personal data.
Sadly, we had to let go of several services we really like. The fact the GDPR considers IP Addresses as personal data has caused us grey hair.
We have signed a Data Processing Agreement (or Data Processing Addendum, as US folks call it) with everyone who collects or handles any personal data. That way we contractually bind them to keep any information we share with them as confidential and to process Personal Data only according to our instructions.
While in principle the DPA should be made by you, explaining how you want FirstOfficer to treat your customers' personal data, we just don't have legal resources to go through custom DPAs.
We have created a policy to handle data requests where we explain what we do if you use FirstOfficer and your customer asks us to delete or export his/her data. GDPR Page makes the process secure by forcing people to prove their identity so that we are not leaking personal data through these requests.
You now have to explicitly agree to our Terms of Service when you sign up. We also show the cookie consent banner.
DB data is encrypted at rest and all data is encrypted in transit. The critical fields in the DB are encrypted as well.
An AWS certified expert has audited our AWS S3 setup.
We have signed up for services that will notify us about data breaches.
We have informed all our personnel on GDPR and audited the personnel data risk.
Pretty much everything is updated, you'll have a lot of reading to do.
If you have questions about your business and the GDPR, we highly encourage you to seek legal counsel. However, if there’s a FirstOfficer-specific GDPR question, please contact us by email: email@example.com
Turbine Room Ltd