What's UserEcho's EU GDPR compliance status?

The European Union General Data Protection Regulation (GDPR) is a regulation that aims at unifying EU member state data privacy regulations into a single regulation, enforced on the EU single market. This article describes the GDPR compliance status of UserEcho.

If your company needs to ensure it is GDPR-compliant, it also needs to ensure its providers (i.e. UserEcho) are GDPR-compliant. UserEcho will be GDPR-compliant in advance of the deadline (May 25, 2018), and strictly enforces the regulation so as to protect the user data we store.

UserEcho and GDPR (in 12 points)

The GDPR regulation can be reduced to 12 important points. For each point, we explain how UserEcho handles its compliance.

Also, please note that all UserEcho providers (Hetzner, Stripe) have been checked to be GDPR-compliant.

1. Awareness

All employees responsible for software development & infrastructure maintenance at UserEcho, LLC are fully aware of the GDPR requirements.

2. Information we hold

UserEcho stores data on 2 kinds of parties:

Our users (ie. the agents using the UserEcho service replying to their customers)

Our users’ end-users (ie. the customers of our users)

UserEcho does not share, or resell, any kind of user data (whether data described in point 1 or 2 above).

2.1. Information held on our users

UserEcho collects account information for each user, including:

User first and last name, and profile picture

User payment details (includes invoicing information, eg. company address and country — the credit card number is stored by Stripe)

We don't log user activity, except for system logs that are used solely for debugging and software development purposes and retained for a maximum of 1 year.

2.2. Information held on our users' end-users

Information held on our users' end-users includes:

End-user email address (if provided by end-user, thus involving a consent)

End-user message exchanges

End-user last activity date and time

End-user profile information (resolved from public data shared by end-user on the Internet, see notice below)

UserEcho resolves end-user identity information (first and last name, avatar, company) from external APIs. Those external APIs source this data from public information that the end-user consented to share (eg. on social networks such as Facebook). This end-user identity information is stored on UserEcho services, for as long as the UserEcho user wishes them to be stored in their UserEcho database.

The information held on our users' end-users is solely the responsibility of our users (i.e. the individual websites using UserEcho). It is the responsibility of our users to manage the data they hold in their personal UserEcho account, i.e. to remove sensitive data if someone happens to share it with them (e.g. Social Security Numbers, etc.).

3. Communicating privacy information

UserEcho users' privacy terms are clearly communicated in our Privacy information.

Privacy terms for UserEcho users' end-users are the sole responsibility of UserEcho users. They should be announced on the UserEcho user's website.

4. Individuals’ rights

UserEcho users' rights under GDPR are considered and enforced, including:

  • Right to be informed: we clearly inform our users of what use will be made of their data
  • Right of access: our users can access all their data, without restriction, from the UserEcho website
  • Right of rectification: it's as simple as contacting us, we'll process all your rectification queries
  • Right of erasure: it's as simple as contacting us, we'll process all your erasure queries
  • Right to restrict processing: we don't process the data of our users (and our users' end-users)
  • Right to data portability: our users may contact us anytime if they wish to get an export of their data
  • Right to object: we handle all requests on this matter from our users and users' end-users (contact us)
  • Right not to be subject to automated decision-making including profiling: we don't do that (and never will), period

5. Subject access requests

UserEcho replies to all access requests (positively or negatively) in under 1 week (the legal limit from GDPR is 1 month).

6. Lawful basis for processing personal data

We don't process personal data, period. UserEcho stores user data involving a consent (ie. a conversation), or our user's responsibility in the event they use our service.

7. Consent

Consent is provided by our users explicitly when performing an action or task (e.g. when they provide user data).

8. Children

UserEcho does not offer online services to children, period.

9. Data breaches

Our team closely monitors any unauthorized system access, and has put in place multiple preventive measures to reduce the attack surface on our systems and services. In 6 years, UserEcho has had 0 major security issues, with only a few minor ones, which we fixed the same day they were reported (those would not have allowed a hack or data breach). Security researchers and users can submit a security report to an encrypted email address (support@userecho.com), and we process reports the same day. We also distribute bounties for valid security flaws that are reported to us. UserEcho will notify its users of any data breach, 24h maximum after knowing about it and fixing the flaw. It is then the responsibility of our users to report this data breach to their end-users in due time.

10. Data Protection by Design and Data Protection Impact Assessments

Whenever UserEcho develops a new system, security comes first when designing the architecture of that system. Our first goal is to protect the integrity of the new production system, and our second goal is to protect the user data that's being stored and used by that system.

UserEcho developers are well educated in software and network security, which has helped us build secure-by-design software over time.

11. Data Protection Officers

UserEcho has designated Data Protection Officers, as required by GDPR:

Sergey Stukov, UserEcho co-founder/developer, email: ssm@userecho.com

Vladimir Mullagaliyev, UserEcho co-founder/developer, email: mvr@userecho.com

12. International

UserEcho may, via its users, process data from individuals all over the EU.

UserEcho's main establishment is in the US; our servers for EU customers are located in Germany.

