tag:help.tenderapp.com,2008-11-12:/discussions/questions/22075-gdpr-complianceTender: Discussion 2018-10-18T06:27:50Ztag:help.tenderapp.com,2008-11-12:Comment/448730282018-03-09T06:36:47Z2018-03-09T06:36:48ZGDPR Compliance<div><p>Hello,</p>
<p>I saw the post here on Tender Support: <a href="https://help.tenderapp.com/discussions/questions/21985-gdpr-compliant">https://help.tenderapp.com/discussions/questions/21985-gdpr-compliant</a> about being GDPR compliant, I believe there's a misunderstanding of what is required by Tender. The response says <code>We don't offer European hosting</code> but that doesn't matter, the GDPR requirements are for any organization that may host EU citizens personal identifiable data.</p>
<p>This makes it still an outstanding question, will Tender be GDPR compliant by the deadline, as it does store data on EU citizens?</p></div>c.jonathan.archertag:help.tenderapp.com,2008-11-12:Comment/448730282018-03-10T03:38:07Z2018-03-10T03:38:07ZGDPR Compliance<div><p>Hi Jonathan,</p>
<p>You pulled out one point from that, which is the location of hosting. While I understand that hosting location doesn't matter, however, it was part of a larger point of GDPR compliance which is (paraphrased) "do you follow security procedures with your data". We inevitably get followup questions about localized hosting which I was preëmpting.</p>
<p>I also covered the right of removal, which is one of the main tenets.</p>
<p>Finally, each individual site using tender will store different data on eu customers. Some of them ("you") send account balances as part of the SSO request or phone numbers or names or whatever. We have thousands of customers who all user it differently. Customer email addresses also generally come from the 'host' system via SSO, or may be provided by the user if signing up manually.<br>
The interesting part here is that we do not deal with 'your' end users, nor do we supply or restrict anything based on PII, so many facilities embedded in the GDPR do not relate to us, particularly the communication requirement.<br>
The GDPR are concerned about what is done with the data, where "we" don't do anything with the data, other than country code from IP, but "you" do, as a support site communicating with the end user and modifying their account or shutting their service or whatever, so it needs to be you who communicates what you do with the data. This also puts "you" firmly in place of article 23 provisions of data minimization.</p>
<p>Finally, for us to provide data-portable individual data exports to end-users, is a bit out of scope since there isn't another way for the customer to get support from you if not from the service you're using (i.e tender).<br>
Given that the design of the SSO-provided data was specifically designed NOT to be provided to end users, it is up to our customers, i.e. "you", to provide that data export facility yourselves - the information may or may be not intended for user visibility (custom flags like "idiot user level: 5" or "account-overdue: frequent" or whatever). Given this data comes from your own database, the export should come straight from there and Tender has no responsibility for providing that export as a sort of agent of your company. Also, our psychic module hasn't been working for a while and they're no longer manufactured :)</p>
<p>In all seriousness what other specific points are you concerned about?</p></div>Courtenaytag:help.tenderapp.com,2008-11-12:Comment/448730282018-03-12T19:26:32Z2018-03-12T19:26:32ZGDPR Compliance<div><p>Hello Courtenay,</p>
<p>Thanks for getting back to me and the all those details. The main thing I<br>
wanted to discuss and understand is that Tender stores data on all users of<br>
Tender. I understand if I run a Tender account they are my customers.</p>
<p>But at the end of the day Tender is storing personal identifiable data on<br>
their customers behalf. Tender technically have access to it even if not<br>
processing it, it's being stored. Even if it's the minimum amount, say just<br>
emails for those not using SSO it's falls under PII.</p>
<p>So doesn't that mean Tender need to share details on their compliance in<br>
that regard?</p></div>c.jonathan.archertag:help.tenderapp.com,2008-11-12:Comment/448730282018-03-20T11:22:17Z2018-03-20T11:22:17ZGDPR Compliance<div><p>Well, it's tricky; we are awaiting further feedback on this, but the provisional answer is that we are considered a data processor and we will be able to provide you with the required "sufficient guarantee" that we (and our colo hosts in turn) will be gdpr compliant according to the points listed previously re: security processes, encryption and so forth.<br>
In terms of the UI requirements, well, that's still being figured out (how many popups would you like? two? four?)</p></div>Courtenay