FirstOfficer and the GDPR

Data Privacy Officer

Mark Henderson
dpo@firstofficer.io

475 Regency Pl
Victoria, BC, Canada, V9C0J7

As part of our ongoing efforts to protect the security and privacy of our users, we are committed to meet the GDPR (General Data Protection Regulation) requirements. This site contains information on what steps we are taking, their progress, and who to contact for any security concerns.

Data Processing Addendum

If you need a signed DPA from FirstOfficer, please use the button below to cross sign and download your copy of our DPA.

Make A Data Request

We respect the rights of individuals to know how their data is being used, export it or request that it be deleted.

Data Processing Partners

GDPR says that we ought to tell you what we do with Personal Data. It also says that we ought to use human-friendly language.

This is a listing of 3rd parties that FirstOfficer uses and who could, even in principle, have some kind of way to see Personal Data.

The reason why this listing is not in the Data Processing Agreement (DPA) itself is that the DPA is supposed to be "in writing", a real signed document. That's why we listed only the core sub-processors there. We don't want to bother you with full signatures every time we change a bug tracker app or accounting service.

Here's how it works: We will email you 10 days before we add any new sub-processors or ancillary services. That way you have time to cancel/complain if you don't approve the new services. You can find the explanation of this process in DPA clause 9.3.

Please note that as you use FirstOfficer.io, we also collect Personal Data from you and that's outside of the DPA. The services that FirstOfficer uses when it handles your own Personal Data are listed in group 3. and further. We don't email you when those change, we just make sure everyone is GDPR compliant and that we have a legal DPA at place.

DISCLAIMER This list is still under work until 25th May, 2018. During that time we don't send any email notifications about the changes.

1. Core Sub-Processors (FirstOfficer as Processor)
Partner Locale Data Shared Purpose
Amazon Web Services, Inc All Data

Web hosting, static file hosting, storage, backups.

2. Ancillary Services (FirstOfficer as Processor)
Partner Locale Data Shared Purpose
PaperTrailApp by SolarWinds Worldwide, LLC Application Logs Usage Data Email Name IP Address

Serverside log management, debugging

Rollbar Email IP Address Internal IDs Web Browser Details

Error, crash, and performance monitoring

3. Services that do not see your end-users' personal data (FirstOfficer as Controller)
Partner Locale Data Shared Purpose
Amazon CloudFront IP Address

CDN, site availability.

ChurnBuster everything we send to Stripe

Dunning

Dropbox VAT code internal ID name business name

Uploaded Files that may contain Personal Data.

GitHub Hosting None

Some of our informational content is hosted on Github infrastructure. Github would have a possibility to collect your IP Address when you visit that content (support.firstofficer.io and apidocs.firstofficer.io), but they do not gather that information.

Google Universal Analytics by Google LLC Anonymized IP Address

Analytics and metrics

Highcharts None

Javascript chart library. We're self-hosting the javascript to prevent personal-data leakage (IP Address). When we enable data exports directly from the charts, we need to check the DPA situation again.

MailChimp by The Rocket Science Group, LLC email name

Email marketing

Mandrill by The Rocket Science Group, LLC email IP Address

Transactional email delivery.

Stripe Payments Europe, Ltd email payment information IP Address

Secure payment processing and subscription billing. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1.

3.A Business Services (No Personal Data sent to these service unless you submit to us)
Partner Locale Data Shared Purpose
GDPR Page Email Name Address Company Details Signature

GDPR Page shows our GDPR compliance documentation and allows our customers to subject Subject Access Requests and sign Data Processing Addendums.

G Suite by Google LLC Anything Emailed to Us

Email

5. Removed but will be added without separate notice when DPAs available
Partner Locale Data Shared Purpose
Gravatar IP Address

Showing faces in user interface

New Relic ?

Serverside performance monitoring

Optimizely IP Address

A/B testing the landing page

Scout App ?

Serverside performance monitoring. No GDPR statement at their pages.

Services
Partner Locale Data Shared Purpose
Ahrefs Site Verification IP Address

Verifying ownership of your project or website on AHREFs.

Amazon IP Address

This site is hosted on Amazon AWS EC2 Infrastructure.

Amazon Route 53 IP Address

Amazon's scalable DNS web service system.

Amazon S3 IP Address

Amazon Simple Storage provides unlimited storage to developers and online businesses - saving costs and increase storage reliability.

Amplitude IP Address

Mobile analytics platform.

AWS Cloudfront Los Angeles CA Edge IP Address

Content from this site is served from AWS CloudFront Los Angeles, CA, United States. Edge locations may change frequently as we request resources globally.

AWS Cloudfront Miami FL Edge IP Address

Content from this site is served from AWS CloudFront Miami, FL, United States. Edge locations may change frequently as we request resources globally.

AWS Global Accelerator IP Address

Networking service that sends traffic through Amazon Web Service’s global network infrastructure for performance improvements.

Babel IP Address

Babel is a JavaScript compiler.

Classnames IP Address

Javascript utility for conditionally joining classNames together.

Cloudflare Hosting IP Address

Supercharged web hosting service.

Crisp IP Address

Multi-channel customer support platform for startups and SMBs.

Day.js IP Address

Day.js is a javascript date time library.

Decimal.js IP Address

An arbitrary-precision Decimal type for JavaScript.

Elliptic IP Address

Fast Elliptic Curve Cryptography in plain javascript.

Fastly IP Address

Real-time Analytics and CDN platform. Analyze your web and server traffic patterns in real-time.

Fastly Hosted IP Address

Hosted at Fastly

Fastly Load Balancer IP Address

Hosted on Fastly's Load Balancing system.

Fly IP Address

Deploy app servers close to users.

Global Site Tag IP Address

Google's primary tag for Google Measurement/Conversion Tracking, Adwords and DoubleClick.

Google Analytics IP Address

Google Analytics offers a host of compelling features and benefits for everyone from senior executives and advertising and marketing professionals to site owners and content developers.

Google Apps for Business IP Address

Web-based email, calendar, and documents for teams. Renamed to Google Apps for Work, but now known as G Suite from Google Cloud.

Google Tag Manager IP Address

Tag management that lets you add and update website tags without changes to underlying website code.

Google Universal Analytics IP Address

The analytics.js JavaScript snippet is a new way to measure how users interact with your website. It is similar to the previous Google tracking code, ga.js, but offers more flexibility for developers to customize their implementations.

GStatic Google Static Content IP Address

Google has off-loaded static content (Javascript/Images/CSS) to a different domain name in an effort to reduce bandwidth usage and increase network performance for the end user.

Intercom IP Address

Intercom is a customer relationship management and messaging tool for web app owners

Lunr.js IP Address

Simple full-text search in your browser.

Mandrill IP Address

Mandrill is an email infrastructure service. Detailed analytics offer insight to measure email performance.

Plaid IP Address

Way for users to connect bank account to apps.

Robots Disallow IP Address

A robots disallow all directive with no other options.

Selectize IP Address

Selectize is the hybrid of a textbox and select box.

Service Worker IP Address

A script that your browser runs in the background for caching, notifications and other experiences.

Stripe IP Address

Stripe makes it easy for developers to accept credit cards on the web.

Stripe v3 IP Address

Version 3 of Stripe Integration.

TurboLinks IP Address

Turbolinks is a recompilation speed up tool for Ruby on Rails.

US Privacy User Signal Mechanism IP Address

The US Privacy API (USP API) is a lightweight API used to communicate signals represented in the US Privacy String.

Varnish IP Address

Varnish is a web accelerator / reverse proxy caching server.

Compliance Tasks

GDPR Compliance requires maintenance and ongoing work. We are tracking our efforts here.

Application Site Security
Status Name
Completed Ensure Access to Backups is Restricted
Completed Ensure Backups are Stored in on Encrypted File Storage. No actions were needed, just reporting old policy.
Completed SSL (TLS) Deployed on App Site. No actions were needed, just reporting old policy.
Completed Restrict Personal Data at Signup to the Minimum Necessary. No actions were needed, just reporting old policy.
Completed Affirmative Consent mechanism added to User Signup
Completed Personal Data in File Storage is Encrypted
Completed HSTS (HTTP Strict Transport Security) added to SSL/TLS of App Site
Completed Added External Javascript Files to Data Partners
Completed Establish Development Environment Data Handling Guidelines
Completed Ensure Web Application Firewall enabled and blocking common attacks
Completed Ensure internal employees and contractors behaviors around personal data are documented.
Completed Inform Users about the GDPR Page
Completed AWS-certified expert has double-checked the privacy setup for the S3 bucket
Completed Registered with HaveIBeenPwned Domain Notification
Completed Redact Logs from Writing Unneeded Personal or Sensitive Data
Completed Establish Stale Data and User Policies
Completed Personal Data in Databases is Encrypted
Data Mapping
Status Name
Completed Add Social Embeds to Data Partners
Completed Add File Collaboration Service to Data Partners
Completed Add Performance Monitoring Applications to Data Providers
Completed Add Exception/Error Reporting Services to Data Partners
Completed Add Web Analytics Service to Data Partners
Completed Add Internal Email Service to Data Partners
Completed Add Hosting Provider to Data Partners
Completed Add Email Newsletter Service to Partners
Completed Add Transactional Email Service to Partners
Completed Add Customer Support (Helpdesk) Service to Partners
Completed Add Database Provider to Data Partner
Completed Add CDN Provider to Data Partners
Completed Add Third Party Web Font Services to Data Partners
Marketing Site Security
Status Name
Completed SSL (TLS) Deployed on Marketing Site
Completed Reviewed list of users with access to site
Completed HSTS (HTTP Strict Transport Security) added to SSL/TLS of Marketing Site
Privacy Procedures
Status Name
Completed Data Protection Policy Created
Completed Developed a Data Processing Agreement
Completed Briefed all Staff on GDPR Impact to the organization
Completed Process established for subject data requests
Completed Privacy Policy Updates
Completed Informed all Employees and Contractors about GDPR Compliance
Security Procedures
Status Name
Completed Publish statement on public website on how to report security and data issues.
Completed Data Breach Notification Policy has been established

Frequently Asked Questions

If you have any concerns not answered here, please reach out to our contact (listed above) and we'll be happy to assist.

What's the GDPR?

The General Data Protection Regulation (GDPR) is a new piece of privacy legislation enacted by the European Union. It represents a significant change in how personal (IP Addresses, Emails, Names) and sensitive (religion, ethnic origin, health, orientation) data is handled by companies.

How Do I Report a Security Issue?

We take all security reports seriously. Please email our security contact (information listed above) with any information you have regarding any potential data breaches, vulnerabilities or concerns.

Do Non EU Companies need to comply with the GDPR?

While it remains to be seen if the EU has the legislative power to levy fines and enforcement against organizations around the globe, GDPR compliance is being sought by non EU companies for a variety of reasons.

  • Customers and Prospects are making it a requirement
  • It's a solid framework for improving the handling of personal information and complying with the GDPR requirements improves our own security.