Personal data protection at Flowpoint
A statement for clients
This document outlines current information security and personal data protection practices at Flowpoint. The privacy and security of our clients’ data are among our priorities. This statement also contains some tips and recommendations that will help our clients to comply with their obligations under applicable data protection legislation.
We are implementing a comprehensive data governance system which aims at:
We aim to adhere to industry best practices in the field of information security. Below is the outline of the controls in place at Flowpoint that address core requirements with a direct impact on the security of processing:
All communication is transferred over a channel encrypted with TLS. A primary use case of TLS is encrypting the communication between web pages and servers.
Confidentiality is achieved through an access control restriction. Access to user data is provided on a “need-to-have” basis, available only to team members for whom access is required to perform their duties. Actions, such as access, rectification, or deletion, are logged in the system to provide traceability and accountability, and all team members are required to sign a Non-Disclosure Agreement (NDA).
Integrity is maintained by the use of a network firewall. Regular back-up schemes are implemented to ensure data availability.
Flowpoint has implemented a process for regularly testing, assessing and evaluating the effectiveness of its technical and organisational measures.
The permanent deletion of data upon the end of data retention periods and termination of the relationships with clients.
We have appointed an external Data Protection Officer (DPO) to implement and oversee Flowpoint’s data protection program. You can contact our DPO by sending a message to firstname.lastname@example.org.
As we consider ourselves to be a data processor, our Data Protection Agreement (DPA) automatically applies to the relationships with our clients. It is required by the GDPR to make sure we process the personal data following the client’s instructions and due data protection safeguards.
Clients’ data stored on our servers have limited retention periods. Upon termination of the relationships, we ensure that the personal data is destroyed from our systems within an agreed period of time, as well as from the systems of our subcontractors and vendors.
We pick only those third-party providers that provide sufficient guarantees of information protection. Our due diligence assesses the following items:
Flowpoint may use service providers outside of the EEA. In such cases we will make sure that we’ve implemented sufficient safeguards (e.g. standard contractual clauses) to legally transfer personal data to such service providers.
We are continuously working on improving our data protection efforts.
To help our clients comply with data protection requirements, we are ready to assist our clients with the following technical and organisational measures:
We understand our role as a data processor and ensure that our services are developed with privacy in mind to help our customers with their data protection efforts.
Privacy tips for our clients
However, Flowpoint is not an owner of the data it processes on behalf of the clients. The data collected is owned by our clients and this makes our clients responsible for collection and processing of such data. The extent of the data protection obligations applicable to each client depends on their individual situation.
We use Flowpoint to get a better understanding of our users’ behavior and needs to help us improve our services and experience. For example, Flowpoint may collect information about your mouse clicks, page scrolls, pages visited, time spent, device-related details, IP address, approximate location, browser details (configuration, fingerprint), custom data (custom events, user attributes). We use this information to understand how we can make your user experience better or to detect any technical issues.
Ongoing monitoring and review
We aim for our privacy and security practices to be consistent and systematic. As our organization and external environment continue to evolve, we regularly monitor and review our practices to ensure that the data is protected at all times.
If you would like to receive more information on our personal data protection practices, please contact us at email@example.com.