Last updated: November 30th, 2019
The General Data Protection Regulation (GDPR) is a comprehensive set of regulations made by the European Union that
dictates what companies like Less Annoying CRM must do in order to properly protect our customers' data. Even though
we are not a European company, we have many customers in the EU and we fully comply with these regulations. This
document explains in simple terms what we're doing in order to ensure compliance.
Note: The full GDPR regulations are extremely long and complicated. This isn't meant to be a comprehensive list of
every single thing we do to protect your data, but rather it's a simple summary so that you can have a good idea of
the protections we have in place. Please feel free to reach out to us if you have questions
about specific items that aren't addressed here.
GDPR is a sweeping regulation that covers many different topics. We will address each of the key points below.
This information is targeted at our customers, but we extend these protections to anyone who visits our website,
uses our software, or otherwise interacts with us in any way.
How GDPR applies to Less Annoying CRM
GDPR defines three parties:
- Data subject - This is the person about whom data is being stored and used. Anyone that you enter into your
CRM (i.e. your customer) is a data subject.
- Data controller - This is the person or company that is using the data that's being stored.
You (our customer, and a user of Less Annoying CRM) are a data controller.
- Data processor - These are companies that create tools to actually store and take
advantage of the data. We (Less Annoying CRM) are a data processor.
The data controller and processor each have different responsibilities to ensure that we are acting legally and
ethically. This document explains what we do to comply with GDPR as a processor, but you should keep in mind that
you also have responsibilities to the people whose information you put in the CRM.
Technical Security
As a CRM company, our customers entrust us with very important data for their businesses. Keeping your data secure
and private is of the utmost importance, and so we are careful to follow industry best practices. A lot goes into
online security, but here are some of the main things we do that might interest you:
- Our servers are hosted by Amazon Web Services. They are the largest and (in our opinion) most sophisticated
hosting company in the world, and they have extensive physical and digital security in place.
You can read about their GDPR compliance here.
- We use 256-bit encryption at all levels of our software. All connections to our website are encrypted
(i.e. we encrypt 'in transit'), our live database is encrypted (i.e. we encrypt 'at rest') and all of our
data backups are encrypted.
- Our main servers are in Virginia, USA at Amazon's US-East data center. We also keep encrypted backups of
data in other locations within the USA in case anything happens to the Virginia data center. Even though
GDPR is a European regulation, it does not require that data be hosted physically within the EU (see the
point on the EU-US Privacy Shield below).
- We regularly perform external vulnerability scans and application penetration tests to monitor the status
of our security efforts.
Policy Security
In addition to making sure that our software is as secure as possible, we also have strict internal policies to
ensure that no one at Less Annoying CRM does anything to jeopardize your data privacy. These include:
- We require all employees to participate in training about GDPR compliance and online security best practices.
- We have strict policies around when a Less Annoying CRM employee can access a customer's data. We only allow
this if a customer asks for our help or we're fixing a technical bug. We have monitoring and extensive
activity logging in place on all employees to ensure that no one abuses this.
- We never sell or share our customers' data with any third parties. The data you enter in your CRM is owned
entirely by you.
- We only collect data about you that we actually need. You'll notice that on our signup form we don't ask for
your phone number, company name, or any other information that we don't directly use to serve you.
- We have mapped out all of the ways data can enter and leave our system. We do use some third party service
providers for things like our internal email hosting and phone system, and we have confirmed that all of
our vendors are GDPR compliant.
- We practice “privacy by design”. What this means is that everything we build considers privacy as a core
feature and not as an afterthought. In addition to every employee being trained in GDPR and privacy best
practices, Tyler King, the co-founder and CEO, is our designated Data Protection Officer (DPO) responsible
for ensuring that privacy and security are built into everything we do as well as full GDPR compliance.
- Less Annoying CRM is certified under the EU-US Privacy Shield. This is what allows customers who reside in
the EU to store information on our servers which are in the US.
- GDPR requires that we have a contract with our customers which specifies things like how we process data,
that we will assist you in your GDPR obligations to your customers, etc. In our case, this contract is our
standard Terms of Service which applies to all of our customers. You can read the details here.
Data breach notification plan
We work hard to keep our software secure so that there are no data breaches, but in the event that there is a data
breach, we have a plan in place that fully complies with the requirements laid out by GDPR.
You can read our full plan here, but the basic idea is that if we
become aware of a data breach, we will notify any of our customers who may have been impacted, and provide them with
the appropriate information so that they can also comply with their responsibilities as a data controller.
Lawful basis for processing
GDPR requires that we establish that our data processing is legally justified. It lists a variety of reasons it
might be valid, and the following is the one that applies to us:
...processing is necessary for the purposes of the legitimate interests pursued by the controller…
Our interpretation of this is that you, as the controller, have legitimate business interests in using a CRM and
we're assisting you in pursuing those interests. Keep in mind that this only applies so long as the controller
(you) respects the individual rights of the data subjects.
Your responsibilities
As explained above, we are in the role of data processor and you are the data controller. If you enter your
customers' information into our software, you can be confident that we are handling GDPR compliance for the data
processing side, but you are still responsible for being compliant as a data controller. This would be true
regardless of what CRM you use, so there's no avoiding it. If you're concerned that you aren't in compliance, we
encourage you to research this topic in more detail, but a good starting point is to ensure that you honor the
individual rights laid out in the GDPR regulations to your customers.
Revisiting GDPR compliance regularly
As part of our commitment to remaining GDPR compliant and respecting the privacy of our users, we will revisit this
document at least once per year to ensure that all of the information is accurate and up-to-date.