Flowpoint

 

Personal data protection at Flowpoint

A statement for clients

This document outlines current information security and personal data protection practices at Flowpoint. The privacy and security of our clients’ data are among our priorities. This statement also contains some tips and recommendations that will help our clients to comply with their obligations under applicable data protection legislation.

 

Summary

We are implementing a comprehensive data governance system which aims at:

• adhering to information security practices and controls appropriate to risks envisaged as a result of the processing to reduce the risk of a data breach;
• achieving compliance with applicable data protection laws, namely the General Data Protection Regulation and the UK Data Protection Act 2018 (GDPR);
• supporting our clients with the compliance obligations as data controllers**;**
• ongoing monitoring and review of our practices and documentation.

 

Information security

We aim to adhere to industry best practices in the field of information security. Below is the outline of the controls in place at Flowpoint that address core requirements with a direct impact on the security of processing:

• Encryption

All the communication is transferred through an encrypted channel using TLS encryption. A primary use case of TLS is encrypting the communication between web pages and servers.

• Confidentiality, integrity and availability

Confidentiality is achieved through an access control restriction. Access to user data is provided on a “need-to-have” basis, available only to team members for whom access is required to perform their duties. Actions, such as access, rectification, or deletion, are logged in the system to provide traceability and accountability, and all team members are required to sign a Non-Disclosure Agreement (NDA).

Integrity is maintained by the use of Network firewall. Regular back-up schemes are implemented to ensure data availability.

• Regular assessment

Flowpoint implemented a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures implemented.

• Data minimisation and destruction

The permanent deletion of data upon the end of data retention periods and termination of the relationships with clients.

 

Data protection officer

We have appointed an external Data Protection Officer (DPO) to implement and oversee Flowpoint’s data protection program. You can contact our DPO by sending a message to dpo.flowpoint@legalnodes.com.

 

Data processing agreement

As we consider ourselves to be a data processor, our Data Protection Agreement (DPA) automatically applies to the relationships with our clients. It is required by the GDPR to make sure we process the personal data following the client’s instructions and due data protection safeguards.

 

Limited data retention periods

Clients’ data stored on our servers have limited retention periods. Upon termination of the relationships, we ensure that the personal data is destroyed from our systems within an agreed period of time, as well as from the systems of our subcontractors and vendors.

 

Vendor management

We pick only those third-party providers that provide sufficient guarantees of information protection. Our due diligence assesses the following items:

• overall reputation;
• security practices;
• compliance with privacy laws;
• location of data storage;
• commitments to privacy and security certifications or standards;
• readiness for data protection and security audits.

Flowpoint may use service providers outside of the EEA. In such cases we will make sure that we’ve implemented sufficient safeguards (e.g standard contractual clauses) to legally transfer personal data to such service providers.

 

Ongoing improvement of our GDPR compliance

We are continuously working on improving our data protection efforts.

 

Assisting our clients in ensuring data protection compliance

To help our clients comply with data protection requirements, we are ready to assist our clients with the following technical and organisational measures:

1. Assistance with managing personal data and handling requests from the data subjects or supervisory authorities. Where requested by the clients, we are ready to provide a copy of, rectify, or delete personal data processed on their behalf.
2. Assistance with privacy assessments. As the use of innovative technologies for personal data processing may require taking a prior risk assessment, we will be glad to assist our clients with conducting Privacy Impact Assessments (PIA) or Data Protection Impact Assessments (DPIA). The conditions of assistance are to be discussed additionally and outlined in the DPA.
3. Availability for data protection audits.** Where necessary, the clients may examine our data protection practices to receive proof of our data protection measures.

We understand our role as a data processor and ensure that our services are developed with privacy in mind to help our customers with their data protection efforts.

 

Privacy tips for our clients

However, Flowpoint is not an owner of the data it processes on behalf of the clients. The data collected is owned by our clients and this makes our clients responsible for collection and processing of such data. The extent of the data protection obligations applicable to each client depends on their individual situation.

However, as a minimum, each website owner using our product must ensure that their Privacy Policy properly communicates to their users how Flowpoint service is used. For example, the following sample language may be used when adapted:

We use Flowpoint to get a better understanding of our users’ behavior and needs to help us improve our services and experience. For example, Flowpoint may collect information about your clicks, page scrolls, pages visited, time spent, device-related details, IP address. We use this information to understand how we can make your user experience better or to detect any technical issues.

 

Ongoing monitoring and review

We aim that our privacy and security practices be consistent and systematic. As our organization and external environment continues to evolve, we regularly monitor and review our practices to ensure that the data is protected at all times.

 

Contact us

If you would like to receive more information on our personal data protection practices, please contact us at office@flowpoint.ai.