FirstOfficer and the GDPR

Data Privacy Officer

Jaana Kulmala
dpo@firstofficer.io

Turbine Room Ltd
www.firstofficer.io

As part of our ongoing efforts to protect the security and privacy of our users, we are committed to meeting the GDPR (General Data Protection Regulation) requirements. This site contains information on what steps we are taking, their progress, and who to contact for any security concerns.

Please also see our main GDPR Commitment page.

Data Processing Addendum

If you need a signed DPA from FirstOfficer, please use the button below to cross sign and download your copy of our DPA.

Make A Data Request

We respect the rights of individuals to know how their data is being used, export it or request that it be deleted.

Data Processing Partners

GDPR says that we ought to tell you what we do with Personal Data. It also says that we ought to use human-friendly language.

This is a listing of 3rd parties that FirstOfficer uses and who could, even in principle, have some kind of way to see Personal Data.

The reason why this listing is not in the Data Processing Agreement (DPA) itself is that the DPA is supposed to be "in writing", a real signed document. That's why we listed only the core sub-processors there. We don't want to bother you with full signatures every time we change a bug tracker app or accounting service.

Here's how it works: We will email you 10 days before we add any new sub-processors or ancillary services. That way you have time to cancel/complain if you don't approve the new services. You can find the explanation of this process in DPA clause 9.3.

Please note that as you use FirstOfficer.io, we also collect Personal Data from you, and that is outside of the DPA. The services that FirstOfficer uses when it handles your own Personal Data are listed in group 3 and later. We don't email you when those change; we just make sure everyone is GDPR compliant and that we have a legal DPA in place.

DISCLAIMER: This list is still a work in progress until 25th May, 2018. During that time we don't send any email notifications about the changes.

1. Core Sub-Processors (FirstOfficer as Processor)
Partner / Locale / Data Shared / Purpose

Amazon Web Services, Inc
  Data shared: All Data
  Purpose: Web hosting, static file hosting, storage, backups.

Heroku by Salesforce.com, Inc
  Data shared: All Data
  Purpose: Infrastructure, Secure Cloud Service Platform for Database Storage

2. Ancillary Services (FirstOfficer as Processor)
Partner / Locale / Data Shared / Purpose

Help Scout, Inc.
  Data shared: Anything Emailed to Support, Name, Email, Company Name, IP Address
  Purpose: Customer support and documentation

Honeybadger Industries, LLC
  Data shared: Email, IP Address, Internal IDs, Web Browser Details
  Purpose: Error, crash, and performance monitoring

PaperTrailApp by SolarWinds Worldwide, LLC
  Data shared: Application Logs, Usage Data, Email, Name, IP Address
  Purpose: Server-side log management, debugging

Rollbar
  Data shared: Email, IP Address, Internal IDs, Web Browser Details
  Purpose: Error, crash, and performance monitoring

3. Services that do not see your end-users' personal data (FirstOfficer as Controller)
Partner / Locale / Data Shared / Purpose

Amazon CloudFront
  Data shared: IP Address
  Purpose: CDN, site availability.

ChurnBuster
  Data shared: Everything we send to Stripe
  Purpose: Dunning

Dropbox
  Data shared: VAT code, internal ID, name, business name
  Purpose: Uploaded files that may contain Personal Data.

GitHub Hosting
  Data shared: None
  Purpose: Some of our informational content is hosted on GitHub infrastructure. GitHub could in principle collect your IP Address when you visit that content (support.firstofficer.io and apidocs.firstofficer.io), but they do not gather that information.

Google Universal Analytics by Google LLC
  Data shared: Anonymized IP Address
  Purpose: Analytics and metrics

Highcharts
  Data shared: None
  Purpose: JavaScript chart library. We are self-hosting the JavaScript to prevent personal-data leakage (IP Address). When we enable data exports directly from the charts, we need to check the DPA situation again.

MailChimp by The Rocket Science Group, LLC
  Data shared: Email, Name
  Purpose: Email marketing

Mandrill by The Rocket Science Group, LLC
  Data shared: Email, IP Address
  Purpose: Transactional email delivery.

Stripe Payments Europe, Ltd
  Data shared: Email, Payment Information, IP Address
  Purpose: Secure payment processing and subscription billing. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1.

Talenom
  Data shared: VAT code, internal ID
  Purpose: Bookkeeping, invoices

3.A Business Services (No Personal Data is sent to these services unless you submit it to us)
Partner / Locale / Data Shared / Purpose

GDPR Page
  Data shared: Email, Name, Address, Company Details, Signature
  Purpose: GDPR Page shows our GDPR compliance documentation and allows our customers to submit Subject Access Requests and sign Data Processing Addendums.

G Suite by Google LLC
  Data shared: Anything Emailed to Us
  Purpose: Email

3.B Services that do not see your end-users' personal data (FirstOfficer as Controller) - DPA pending
Partner / Locale / Data Shared / Purpose

Nozbe
  Data shared: None for now
  Purpose: Task and issue management. We refrain from using any identifying info in tasks until a DPA is signed. We apologise for any delays this may cause in support.

5. Removed, but will be added without separate notice when DPAs are available
Partner / Locale / Data Shared / Purpose

Gravatar
  Data shared: IP Address
  Purpose: Showing faces in the user interface

New Relic
  Data shared: ?
  Purpose: Server-side performance monitoring

Optimizely
  Data shared: IP Address
  Purpose: A/B testing the landing page

Scout App
  Data shared: ?
  Purpose: Server-side performance monitoring. No GDPR statement on their pages.

Compliance Tasks

GDPR Compliance requires maintenance and ongoing work. We are tracking our efforts here.

Application Site Security
Status Name
Completed Establish Stale Data and User Policies
Completed Redact Logs from Writing Unneeded Personal or Sensitive Data
Completed Registered with HaveIBeenPwned Domain Notification
Completed AWS-certified expert has double-checked the privacy setup for the S3 bucket
Completed Inform Users about the GDPR Page
Completed Ensure internal employees' and contractors' behaviour around personal data is documented.
Completed Ensure Web Application Firewall enabled and blocking common attacks
Completed Ensure Access to Backups is Restricted
Completed Ensure Backups are Stored on Encrypted File Storage. No actions were needed, just reporting old policy.
Completed Establish Development Environment Data Handling Guidelines
Completed Personal Data in File Storage is Encrypted
Completed Affirmative Consent mechanism added to User Signup
Completed Added External Javascript Files to Data Partners
Completed HSTS (HTTP Strict Transport Security) added to SSL/TLS of App Site
Completed Restrict Personal Data at Signup to the Minimum Necessary. No actions were needed, just reporting old policy.
Completed SSL (TLS) Deployed on App Site. No actions were needed, just reporting old policy.
Data Mapping
Status Name
Completed Add Performance Monitoring Applications to Data Providers
Completed Add Exception/Error Reporting Services to Data Partners
Completed Add Web Analytics Service to Data Partners
Completed Add Internal Email Service to Data Partners
Completed Add Hosting Provider to Data Partners
Completed Add Social Embeds to Data Partners
Completed Add Third Party Web Font Services to Data Partners
Completed Add Customer Support (Helpdesk) Service to Partners
Completed Add Transactional Email Service to Partners
Completed Add Email Newsletter Service to Partners
Completed Add CDN Provider to Data Partners
Completed Add File Collaboration Service to Data Partners
Completed Add Database Provider to Data Partners
Marketing Site Security
Status Name
Completed HSTS (HTTP Strict Transport Security) added to SSL/TLS of Marketing Site
Completed Reviewed list of users with access to site
Completed SSL (TLS) Deployed on Marketing Site
Privacy Procedures
Status Name
Completed Informed all Employees and Contractors about GDPR Compliance
Completed Privacy Policy Updates
Completed Process established for subject data requests
Completed Data Protection Policy Created
Completed Developed a Data Processing Agreement
Completed Briefed all Staff on GDPR Impact to the organization
Security Procedures
Status Name
Completed Data Breach Notification Policy has been established
Completed Publish statement on public website on how to report security and data issues.

Frequently Asked Questions

If you have any concerns not answered here, please reach out to our contact (listed above) and we'll be happy to assist.

Do Non-EU Companies need to comply with the GDPR?

While it remains to be seen whether the EU has the legislative power to levy fines and enforcement against organizations around the globe, GDPR compliance is being sought by non-EU companies for a variety of reasons.

  • Customers and Prospects are making it a requirement
  • It's a solid framework for improving the handling of personal information and complying with the GDPR requirements improves our own security.

How Do I Report a Security Issue?

We take all security reports seriously. Please email our security contact (information listed above) with any information you have regarding any potential data breaches, vulnerabilities or concerns.

What's the GDPR?

The General Data Protection Regulation (GDPR) is a new piece of privacy legislation enacted by the European Union. It represents a significant change in how personal (IP Addresses, Emails, Names) and sensitive (religion, ethnic origin, health, orientation) data is handled by companies.