GDPR
Learn how we comply with the General Data Protection Regulation (GDPR)
Commitment
The obligation to manage personal data securely is not new. However, the GDPR strengthens the rules and applies them to a broader framework.
Oneflow conducts processing of personal data for our customers. This means that we are a data processor and that our customers, acting as data controllers, are responsible for how the data is processed in any given activity. And for having secured consent from those whose personal data is processed.
Click here to read our Terms of Use & Data Processing Agreement.
Oneflow and GDPR
Oneflow has implemented technical and organizational measures to protect all personal data processed by Oneflow from disclosure, removal, or modification.
We have proactive measures in place to ensure compliance through password, encryption, backup and impact assessments. Security is a serious and important issue to us and a significant part of our business includes keeping up to date with information security and current legislation.
Oneflow is compliant with both the EU GDPR and the UK GDPR.
Right to data portability and to be forgotten
Oneflow handles data in a way that makes removing and porting possible, through automatic transmission or file export.
GDPR gives everyone the right to demand full disclosure of their personal data from a business at any time. Firstly, this means extracting your data for another service. Secondly, the right to be forgotten — deleting all data on request. The disclosure has to be provided in an easy to access digital format, and is a central part of our customers’ obligations towards their end customers, employees, and vendors.
Sub-processors
Secure storage and processing of data is of utmost importance to us. Oneflow’s services are hosted on Amazon Web Services (AWS), which stores the data in compliance with the regulations within the European Union. AWS’ safety work complies with the industry standard and CISPE. You can find more information regarding AWS through the links provided below.
| Service | Data categories | Optional | HQ | Data centers | Transfer mechanisms | Reference |
|---|---|---|---|---|---|---|
| AWS (Amazon Web Services, Inc.) Primary cloud services provider. | The categories processed will depend on your selected use of the service as described in applicable DPA. | No | US | EU (Ireland, Sweden) | For EU: SCC (2021) For the UK: SCC (2010) AWS SCC | View reference View reference |
| Pusher (MessageBird B.V.) | IP-addresses of your employees. | No | UK | EU (Ireland) | DPA with UK SCC (2010) | View reference |
| 46elks (46 Elks AB) SMS services provider. | Phone numbers of your employees and counterparties. | Yes, opt-in | SE | EU (Sweden) | DPA | View reference |
| Freshdesk (Freshworks Inc.) Service to manage support inquiries. | IP-addresses, names and email addresses of your employees. | Yes, opt-out | US | EU (Germany) | DPA | View reference |
| Postmark (ActiveCampaign, LLC) Transactional email service. | Used to send and receive all emails for the service, and as such it processes names and email addresses for all participants in the system. | Yes, opt-out | US | US | For EU: SCC (2021) For the UK: SCC (2010) Postmark SCC | View reference View reference |
| Customer.io (Peaberry Software, Inc.) | Names and email addresses of your employees. | Yes, opt-out | US | EU | For EU: SCC (2021) For the UK: SCC (2010) Customer.io SCC | View reference |
You can opt-out from the services listed as optional above as an administrator under “Data Management”.
Postmark
Oneflow uses Postmark for sending secure emails to our customers and their customers. For regulatory and compliance reasons Postmark is required to store the email subject and recipient email address for 45 days before being automatically deleted. This information is then stored in Postmarks sub-processors. The email content itself is not stored anywhere but simply processed through Postmark before being delivered to the recipient. The email content is not processed by Postmarks sub-processors. All data sent to postmark is encrypted in transit, and subject and email addresses are encrypted at rest. We are continuously working with Postmark on improving the security and minimizing the data sent and stored in the US.
More information on Postmarks data security here.
More information on Postmarks Privacy and GDPR efforts including Postmarks own sub-processors can be found here.
