FirstOfficer and the GDPR
Data Privacy Officer
Jaana Kulmala
dpo@firstofficer.io
Turbine Room Ltd
www.firstofficer.io
As part of our ongoing efforts to protect the security and privacy of our users, we are committed to meet the GDPR (General Data Protection Regulation) requirements. This site contains information on what steps we are taking, their progress, and who to contact for any security concerns.
Please also see our main GDPR Commitment page.
Data Processing Addendum
If you need a signed DPA from FirstOfficer, please use the button below to cross sign and download your copy of our DPA.
Make A Data Request
We respect the rights of individuals to know how their data is being used, export it or request that it be deleted.
Data Processing Partners
GDPR says that we ought to tell you what we do with Personal Data. It also says that we ought to use human-friendly language.
This is a listing of 3rd parties that FirstOfficer uses and who could, even in principle, have some kind of way to see Personal Data.
The reason why this listing is not in the Data Processing Agreement (DPA) itself is that the DPA is supposed to be "in writing", a real signed document. That's why we listed only the core sub-processors there. We don't want to bother you with full signatures every time we change a bug tracker app or accounting service.
Here's how it works: We will email you 10 days before we add any new sub-processors or ancillary services. That way you have time to cancel/complain if you don't approve the new services. You can find the explanation of this process in DPA clause 9.3.
Please note that as you use FirstOfficer.io, we also collect Personal Data from you and that's outside of the DPA. The services that FirstOfficer uses when it handles your own Personal Data are listed in group 3. and further. We don't email you when those change, we just make sure everyone is GDPR compliant and that we have a legal DPA at place.
DISCLAIMER This list is still under work until 25th May, 2018. During that time we don't send any email notifications about the changes.
| 1. Core Sub-Processors (FirstOfficer as Processor) | ||||
|---|---|---|---|---|
| Partner | Locale | Data Shared | Purpose | |
 |
Amazon Web Services, Inc |  |
All Data | Web hosting, static file hosting, storage, backups. |
| Heroku by Salesforce.com, Inc | |
All Data | Infrastructure, Secure Cloud Service Platform for Database Storage |
|
| 2. Ancillary Services (FirstOfficer as Processor) | ||||
|---|---|---|---|---|
| Partner | Locale | Data Shared | Purpose | |
 |
Help Scout, Inc. |  |
Anything Emailed to Support Name Email Company Name IP Address | Customer support and documentation |
|
Honeybadger Industries, LLC |  |
Email IP Address Internal IDs Web Browser Details | Error, crash, and performance monitoring |
|
PaperTrailApp by SolarWinds Worldwide, LLC | |
Application Logs Usage Data Email Name IP Address | Serverside log management, debugging |
|
Rollbar | |
Email IP Address Internal IDs Web Browser Details | Error, crash, and performance monitoring |
| 3. Services that do not see your end-users' personal data (FirstOfficer as Controller) | ||||
|---|---|---|---|---|
| Partner | Locale | Data Shared | Purpose | |
|
Amazon CloudFront | |
IP Address | CDN, site availability. |
|
ChurnBuster | |
everything we send to Stripe | Dunning |
|
Dropbox | |
VAT code internal ID name business name | Uploaded Files that may contain Personal Data. |
|
GitHub Hosting | |
None | Some of our informational content is hosted on Github infrastructure. Github would have a possibility to collect your IP Address when you visit that content (support.firstofficer.io and apidocs.firstofficer.io), but they do not gather that information. |
| Google Universal Analytics by Google LLC | |
Anonymized IP Address | Analytics and metrics |
|
|
Highcharts | |
None | Javascript chart library. We're self-hosting the javascript to prevent personal-data leakage (IP Address). When we enable data exports directly from the charts, we need to check the DPA situation again. |
|
MailChimp by The Rocket Science Group, LLC | |
email name | Email marketing |
|
Mandrill by The Rocket Science Group, LLC | |
email IP Address | Transactional email delivery. |
|
Stripe Payments Europe, Ltd | |
email payment information IP Address | Secure payment processing and subscription billing. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. |
|
Talenom |  |
VAT code internal ID | Bookkeeping, invoices |
| 3.A Business Services (No Personal Data sent to these service unless you submit to us) | ||||
|---|---|---|---|---|
| Partner | Locale | Data Shared | Purpose | |
|
GDPR Page | |
Email Name Address Company Details Signature | GDPR Page shows our GDPR compliance documentation and allows our customers to subject Subject Access Requests and sign Data Processing Addendums. |
| G Suite by Google LLC | |
Anything Emailed to Us | ||
| 3.b Services that do not see your end-users' personal data (FirstOfficer as Controller) - DPA pending | ||||
|---|---|---|---|---|
| Partner | Locale | Data Shared | Purpose | |
|
Nozbe | |
none for now | Task and issue management. We refrain from using any identifying info in tasks until DPA is signed. We apologise for any delays this may cause in support. |
| 5. Removed but will be added without separate notice when DPAs available | ||||
|---|---|---|---|---|
| Partner | Locale | Data Shared | Purpose | |
|
Gravatar | |
IP Address | Showing faces in user interface |
|
New Relic | |
? | Serverside performance monitoring |
|
Optimizely | |
IP Address | A/B testing the landing page |
|
Scout App | |
? | Serverside performance monitoring. No GDPR statement at their pages. |
Compliance Tasks
GDPR Compliance requires maintenance and ongoing work. We are tracking our efforts here.
| Application Site Security | |
|---|---|
| Status | Name |
| Completed | Establish Stale Data and User Policies |
| Completed | Redact Logs from Writing Unneeded Personal or Sensitive Data |
| Completed | Registered with HaveIBeenPwned Domain Notification |
| Completed | AWS-certified expert has double-checked the privacy setup for the S3 bucket |
| Completed | Inform Users about the GDPR Page |
| Completed | Ensure internal employees and contractors behaviors around personal data are documented. |
| Completed | Ensure Web Application Firewall enabled and blocking common attacks |
| Completed | Ensure Access to Backups is Restricted |
| Completed | Ensure Backups are Stored in on Encrypted File Storage. No actions were needed, just reporting old policy. |
| Completed | Establish Development Environment Data Handling Guidelines |
| Completed | Personal Data in File Storage is Encrypted |
| Completed | Affirmative Consent mechanism added to User Signup |
| Completed | Added External Javascript Files to Data Partners |
| Completed | HSTS (HTTP Strict Transport Security) added to SSL/TLS of App Site |
| Completed | Restrict Personal Data at Signup to the Minimum Necessary. No actions were needed, just reporting old policy. |
| Completed | SSL (TLS) Deployed on App Site. No actions were needed, just reporting old policy. |
| Data Mapping | |
|---|---|
| Status | Name |
| Completed | Add Performance Monitoring Applications to Data Providers |
| Completed | Add Exception/Error Reporting Services to Data Partners |
| Completed | Add Web Analytics Service to Data Partners |
| Completed | Add Internal Email Service to Data Partners |
| Completed | Add Hosting Provider to Data Partners |
| Completed | Add Social Embeds to Data Partners |
| Completed | Add Third Party Web Font Services to Data Partners |
| Completed | Add Customer Support (Helpdesk) Service to Partners |
| Completed | Add Transactional Email Service to Partners |
| Completed | Add Email Newsletter Service to Partners |
| Completed | Add CDN Provider to Data Partners |
| Completed | Add File Collaboration Service to Data Partners |
| Completed | Add Database Provider to Data Partner |
| Marketing Site Security | |
|---|---|
| Status | Name |
| Completed | HSTS (HTTP Strict Transport Security) added to SSL/TLS of Marketing Site |
| Completed | Reviewed list of users with access to site |
| Completed | SSL (TLS) Deployed on Marketing Site |
| Privacy Procedures | |
|---|---|
| Status | Name |
| Completed | Informed all Employees and Contractors about GDPR Compliance |
| Completed | Privacy Policy Updates |
| Completed | Process established for subject data requests |
| Completed | Data Protection Policy Created |
| Completed | Developed a Data Processing Agreement |
| Completed | Briefed all Staff on GDPR Impact to the organization |
| Security Procedures | |
|---|---|
| Status | Name |
| Completed | Data Breach Notification Policy has been established |
| Completed | Publish statement on public website on how to report security and data issues. |
Frequently Asked Questions
If you have any concerns not answered here, please reach out to our contact (listed above) and we'll be happy to assist.
Do Non EU Companies need to comply with the GDPR?
While it remains to be seen if the EU has the legislative power to levy fines and enforcement against organizations around the globe, GDPR compliance is being sought by non EU companies for a variety of reasons.
- Customers and Prospects are making it a requirement
- It's a solid framework for improving the handling of personal information and complying with the GDPR requirements improves our own security.
How Do I Report a Security Issue?
We take all security reports seriously. Please email our security contact (information listed above) with any information you have regarding any potential data breaches, vulnerabilities or concerns.
What's the GDPR?
The General Data Protection Regulation (GDPR) is a new piece of privacy legislation enacted by the European Union. It represents a significant change in how personal (IP Addresses, Emails, Names) and sensitive (religion, ethnic origin, health, orientation) data is handled by companies.