General Data Protection Regulation

Oneflow’s commitment to the GDPR compliance.

Our commitment to GDPR

The obligation to manage personal data securely is not new. What’s new with the GDPR requirements are that the rules are strengthened and that it applies to a broader framework, plus the data processors are subject to the regulation.

Oneflow conducts the processing of personal data for its customers. This means that Oneflow is a data processor and that the customers, acting as data controllers, are responsible for the purpose, how the data is to be processed in any given activity and for having secured consent from those they send contracts to before creating the contract.

Click here to read our Data Processing Agreement & Terms of Use.

What Oneflow is doing

Oneflow has implemented technical and organizational measures according to the GDPR requirements to protect personal data from disclosure, removal or modification.

We have proactive measures in place to ensure compliance through password, encryption, backup and impact assessments. In addition to complying with the GDPR, security is a serious and important issue to Oneflow and a significant part of our business includes keeping up to date with information security and prevailing legislation.

Privacy by design

With the privacy by design principle required by the GDPR, personal data is not made accessible to more individuals than necessary for the purpose it has permission for. This means that organizations must have a ‘closed unless’ instead of an ‘open unless’ policy in regards to its record management approach.

Oneflow offers a secure platform with capabilities for searchability, follow-up, and control. Personal data is, therefore, safe in one place – instead of spreading to mail, servers and hard drives.

Data and personal data processed in Oneflow are confidential and bound by both the technical design of our platform and also by the legal agreement. As a customer, the ability to handle access rights and permissions to templates, contracts, and correspondence related to the contracts mean that you have the capability to control who can do what.

Right to data portability and to be forgotten

With the GDPR, everyone has the right to demand full disclosure of their personal data from businesses at any time. This implies the right to data portability, that is the ability to extract your data in a structured format to another service. The right also includes the right to be forgotten, that is the removal of the data on request. The disclosure has to be provided in an easy to access digital format. This is a central part of our customers’ obligations towards their end customers, employees, and vendors.

Through Oneflow, data is handled in such a way that both removal and portability are possible, either through automatic transmission or file export. A key issue is to ensure that eligibility and control meet the requirements of GDPR.

Transmission of data to third parties

Secure storage and processing of data is a key issue for Oneflow, and therefore Oneflow’s services are hosted on Amazon Web Services (AWS), which stores the data in compliance with the regulations within Europe. AWS’ safety work complies with the industry standard and CISPE.

Oneflow as a data processor

The Oneflow application uses third party applications (sub-processors) for certain subtasks related to the deliverability and operability of the application. Below is a list of the third parties we use.

Service Type of processing Region Reference
Amazon AWS Primary cloud services provider. Used for storing and processing all PII data and all contract data. EU (Ireland, Sweden)
Postmark (Wildbit LLC) Transactional email service. Used to send and receive all emails for the service, and as such it processes names and email addresses for all participants in the system. US (SCC)
46elks SMS services provider. Processes phone numbers. EU (Sweden)
Datadog Log and metrics aggregation and searching platform. May transiently store PII like names and email addresses through logging from the application. EU (Germany)
TrustWeaver Services for cryptographically signing PDF documents, which may contain PII like names, email addresses, and SSNs. EU (Sweden)

More information about Postmark (Wildbit LLC)

Oneflow uses Postmark as a provider for sending emails to our customers and their customers in a secure and timely manner. For regulatory and compliance reasons Postmark is required to store the email subject and recipient email address for 45 days before being automatically deleted. This information is subsequently stored at Postmarks sub-processors. The email content itself is not stored anywhere but simply processed through Postmark before being delivered to the recipient. The email content is not processed by Postmarks sub-processors. All data sent to postmark is encrypted in transit, and subject and emails addresses is encrypted at rest. We are continuously working with Postmark on improving the security and minimizing the data sent and stored in the US.

More information on Postmarks data security:

More information on Postmarks Privacy and GDPR efforts including Postmarks own sub-processors can be found here:

Oneflow as a data controller

The Oneflow team uses applications for storing information about our customers and related data. This is needed to provide our customer with the best service, follow up and experience. Oneflow is a data controller in this context, and we carry the responsibility and integrity for all stored data. Below is a list of the tools we use.

Service Type of processing Region Reference
Google Corporate email and documents services provider. EU
Freshdesk The Oneflow application support platform. Used by customers requesting support from the Oneflow support staff. EU (Germany)
Prospect & Customer relationship management. EU
Pardot Newsletters & Marketing services platform. US (SCC)


Feel free to contact us if you have any questions