Our Commitment to the GDPR
AppFusions is fully committed to being compliant with the General Data Protection Regulation (GDPR), a new EU regulation intended to strengthen and unify data protection for all individuals within the European Union (EU), and the exportation of personal data outside the EU. The GDPR aims to primarily give back control to citizens and residents in regards to their personal data, while concurrently simplifying regulatory scenarios for international business by unifying the regulation within the EU.
When GDPR goes into effect on May 25, 2018, it will replace the 1995 data protection directive. The complete GDPR regulation text can be found here.
The key principles of GDPR include:
- Personal data collected needs to be processed in a fair, legal, and transparent way. It should not be used in any way that a person would not expect reasonably.
- Personal data should only be collected to fulfill a specific purpose, and not additionally used in a manner incompatible with those purposes. Organizations must specify why they need the personal data when they collect it.
- Personal data held needs to be kept up to date and accurate. It should be held no longer than necessary to fulfill its purpose.
- EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hinderance.
- All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a data protection officer.
Does GDPR Apply to AppFusions?
Yes. While AppFusions is an American-based business, we do have many customers in the EU. Moreover, EU citizens may use our US instance and by that we must comply with the GDPR regulations.
GDPR regulations apply to our cloud-solutions only (meaning the integration apps is served via AppSpokes or Aloha). Our solutions that are deployed on-premise do not technically fall into the domain of GDPR concern; the stored data is local to the customer and is the same types of content.
What Personal Information Does AppFusions Collect and Process?
The GDPR definition of personal data includes what we typically consider personally identifiable information (PII)—name, passport number, birth date, etc.—but, it also includes data that we might consider to be non-PII, like IP addresses or device IDs. For a comprehensive list of what GDPR considers personal data, please read Article 4(1) of the GDPR.
Data Processed by AppFusions
AppFusions' AppSpokes cloud integration products process the following information, for purposes of trouble-shooting end-user technical issues.
AppFusions' Aloha DXP product processes the following information, for purposes of trouble-shooting end-user technical issues and indexing content for faceted federated search.
- End-user contributor names
AppFusions does not collect or process any data of the special categories such as race, religion, political opinions, health data, etc.
Privacy by Design
Privacy by design is built-into AppFusions' products inherently, whereby we collect/store as little data as possible. We don’t expose unnecessary information where not mandatory. We use pseudonymization, anonymization, and encryption where possible or necessary.
More detailed information about privacy by design can be found in Article 25 of the GDPR.
Data Breach Procedures
Any person working for AppFusions who knows of, or suspects of a data breach, will report immediately to CTO (Patrick Li) and CEO (Ellen Feaheny).
AppFusions takes any data breach seriously. First the error or the problem to remediate will be an immediate corporate top priority. Subsequently, retrospective meeting(s) to report and investigate the breach will be conducted. The GDPR requires us to report a breach to data protection authorities within 72 hours of detection.
We use our own AppFusions services to keep track of third-party solutions we use and their contracts.
The process of reviewing whether our third-party providers are GDPR compliant is still in review as some vendors have not published anything yet.
All persons working for AppFusions are aware of the importance of GDPR to AppFusions' business, as well as its impact on the collection and handling of customers’ personal data.