Last updated: Sept 19th, 2023
The General Data Protection Regulation (GDPR) is a comprehensive set of regulations made by the European Union that dictates what companies like Less Annoying CRM must do in order to properly protect our customers' data. Even though we are not a European company, we have many customers in the EU and we fully comply with these regulations. This document explains in simple terms what we're doing in order to ensure compliance.
Note: The full GDPR regulations are extremely long and complicated. This isn't meant to be a comprehensive list of every single thing we do to protect your data, but rather it's a simple summary so that you can have a good idea of the protections we have in place. Please feel free to reach out to us if you have questions about specific items that aren't addressed here.
GDPR is a sweeping regulation that covers many different topics. We will address each of the key points below. This information is targeted at our customers, but we extend these protections to anyone who visits our website, uses our software, or otherwise interacts with us in any way.
How GDPR applies to Less Annoying CRM
GDPR defines three parties:
- Data subject - This is the person about whom data is being stored and used. Anyone you enter into your CRM (i.e. your customer) is a data subject.
- Data controller - This is the person or company that decides how the stored data is used. You (our customer, and a user of Less Annoying CRM) are a data controller.
- Data processor - These are companies that build the tools that actually store and work with the data on the controller's behalf. We (Less Annoying CRM) are a data processor.
The data controller and the data processor have different responsibilities for ensuring that data is handled legally and ethically. This document explains what we do to comply with GDPR as a processor, but you should keep in mind that you also have responsibilities to the people whose information you put in the CRM.
As a CRM company, our customers entrust us with very important data for their businesses. Keeping your data secure and private is of the utmost importance, and so we are careful to follow industry best practices. A lot goes into online security, but here are some of the main things we do that might interest you:
- Our servers are hosted by Amazon Web Services. They are the largest and (in our opinion) most sophisticated hosting company in the world, and they have extensive physical and digital security in place. You can read about their GDPR compliance here.
- We use 256-bit encryption at every level of our software. All connections to our website are encrypted (i.e. we encrypt 'in transit'), our live database is encrypted (i.e. we encrypt 'at rest'), and all of our data backups are encrypted.
- Our main servers are in Virginia, USA at Amazon's US-East data center. We also keep encrypted backups of data in other locations within the USA in case anything happens to the Virginia data center. Even though GDPR is a European regulation, it does not require that data be hosted physically within the EU because we include the standard contractual clauses in our terms of service (more on that below).
- We regularly perform external vulnerability scans and application penetration tests to monitor the status of our security efforts.
In addition to making sure that our software is as secure as possible, we also have strict internal policies to ensure that no one at Less Annoying CRM does anything to jeopardize your data privacy. These include:
- We require all employees to participate in training about GDPR compliance and online security best practices.
- We have strict policies around when a Less Annoying CRM employee can access a customer's data. We only allow this if a customer asks for our help or we're fixing a technical bug. We have monitoring and extensive activity logging in place for all employees to ensure that no one abuses this access.
- We never sell or share our customers' data with any third parties. The data you enter in your CRM is owned entirely by you.
- We only collect data about you that we actually need. You'll notice that on our signup form we don't ask for your phone number, company name, or any other information that we don't directly use to serve you.
- We have mapped out all of the ways data can enter and leave our system. We do use some third party service providers for things like our internal email hosting and phone system, and we have confirmed that all of our vendors are GDPR compliant.
- We practice “privacy by design”. What this means is that everything we build treats privacy as a core feature and not as an afterthought. In addition to every employee being trained in GDPR and privacy best practices, Tyler King, the co-founder and CEO, is our designated Data Protection Officer (DPO). He is responsible for ensuring that privacy and security are built into everything we do, and for our full GDPR compliance.
- We are certified under the EU–US Data Privacy Framework, which is a set of principles ensuring that US companies behave in a manner consistent with EU privacy standards.
- We comply with the Data Protection Addendum (DPA) and include the standard contractual clauses in our terms of service, which allow EU customers to store their data on US servers.
- GDPR requires that we have a contract with our customers which specifies things like how we process data, that we will assist you with your GDPR obligations to your customers, etc. In our case, this contract is our standard Terms of Service, which applies to all of our customers. You can read the details here.
Data breach notification plan
We work hard to keep our software secure so that there are no data breaches, but in the event that there is a data breach, we have a plan in place that fully complies with the requirements laid out by GDPR. You can read our full plan here, but the basic idea is that if we become aware of a data breach, we will notify any of our customers who may have been impacted, and provide them with the appropriate information so that they can also comply with their responsibilities as a data controller.
Lawful basis for processing
GDPR requires that we establish that our data processing is legally justified. The regulation lists several lawful bases on which processing may rest, and the following is the one that applies to us:
...processing is necessary for the purposes of the legitimate interests pursued by the controller…
Our interpretation of this is that you, as the controller, have legitimate business interests in using a CRM and we're assisting you in pursuing those interests. Keep in mind that this only applies so long as the controller (you) respects the individual rights of the data subjects.
As explained above, we are in the role of data processor and you are the data controller. If you enter your customers' information into our software, you can be confident that we are handling GDPR compliance for the data processing side, but you are still responsible for being compliant as a data controller. This would be true regardless of which CRM you use, so there's no avoiding it. If you're concerned that you aren't in compliance, we encourage you to research this topic in more detail, but a good starting point is to ensure that you honor the individual rights laid out in the GDPR regulations for your customers.
Standard contractual clauses
Standard contractual clauses and additional appendices to the main Data Processing Addendum can be found on this page.
Revisiting GDPR compliance regularly
As part of our commitment to remaining GDPR compliant and respecting the privacy of our users, we will revisit this document at least once per year to ensure that all of the information is accurate and up-to-date.