Learn more about how we at Precisely handle your data under the EU's data protection law (GDPR)
Introduction to GDPR
What is GDPR?
The General Data Protection Regulation (GDPR) is a European regulation governing the processing of Personal Data and its security. It came into effect on 25 May 2018 and replaces the old Data Protection Directive 95/46/EC from 1995.
GDPR protects Personal Data, meaning data or information that relates to, and can be used to identify, a natural person (for example you). One of the core values of GDPR is transparency: no one has the right to store or process your Personal Data without your knowledge or consent (with some very specific exemptions).
GDPR also places responsibility on any entity or company that processes Personal Data or provides a product or service in the EU. This means that even companies that are not established in the EU but provide services in the EU must comply with GDPR.
What are the key terms?
- Data Subject: An identified or identifiable natural person
- Data processing: any activity performed on or with Personal Data, e.g. storage or collection.
- Controller: A natural or legal person (typically a company or organization) who determines the means and purposes of the processing of Personal Data, for example a company using Personal Data for customer management.
- Processor: A natural or legal person (typically a company or organization) who processes Personal Data on behalf of the Controller, for example the vendor providing the customer management solution.
- Sub-Processor: A Processor's Processor, for example when the Processor uses another vendor in order to provide its services.
- Personal Data: any information that can be used to identify a natural person. Common examples are name, email address, personal ID number, postal address and IP address, but also information about an individual's health or finances. The definition is wide!
When can Personal Data be lawfully processed?
To lawfully process Personal Data under GDPR, a company must identify a lawful ground for doing so.
A common misconception is that consent is the only, or the most appropriate, lawful ground for processing Personal Data. In fact, there are five other lawful grounds that may fit the case at hand better. The Swedish Authority for Privacy Protection has even stated that you should consider the other lawful grounds before consent.
The six lawful grounds under GDPR are:
- Consent that is freely given, specific, informed and unambiguous
- Performance of a contract between the Data Subject and Controller
- Legitimate interest of the Controller in processing the Data Subject's information, where this interest overrides the Data Subject's interests
- Legal obligation to process data
- Exercise of official authority or task in the public interest
- Fundamental interest
What rights do Data Subjects have?
When someone processes Personal Data about you as a Data Subject, you have several rights under the GDPR. Correspondingly, the Controller is responsible for ensuring that it can facilitate these rights and properly inform the Data Subjects.
The subject rights are:
- The right to know what Personal Data about you is processed, and why
- The right to know who holds the Personal Data, and with whom they may share it
- The right to request a copy of your Personal Data
- The right to update or correct your Personal Data
- The right to be forgotten, i.e. to have your Personal Data deleted (under certain circumstances)
- The right to restrict the types and ways that your Personal Data is processed
- The right to have your Personal Data transferred from one Controller to another
- The right to object to the processing of your Personal Data or withdraw your consent
What is the “Schrems II decision”?
The Schrems II decision is a judgment of the Court of Justice of the EU (CJEU) from July 2020. It had a major impact on transfers of data outside the EU. Previously, EU → US transfers of data were protected and permitted by the EU-US Privacy Shield, but the CJEU invalidated this shield.
But let's not freak out! The CJEU still acknowledged Standard Contractual Clauses (SCCs) as a valid mechanism for transfers of data outside the EU, in combination with appropriate supplementary measures. Precisely of course has SCCs in place wherever they are deemed necessary or appropriate, as well as supplementary measures to ensure security and protection.
How does Precisely work with GDPR?
Precisely is a Swedish company founded by IT lawyers, so you can be sure that GDPR, privacy and security are among our main priorities!
Apart from the standard GDPR requirements, such as keeping records, evaluating our Sub-Processors and entering into Data Processing Agreements and Standard Contractual Clauses, we have gone above and beyond to provide a really secure and industry-leading platform, also in terms of GDPR compliance.
What is the relationship between Precisely and me as a customer?
Since you as our customer determine the means and the purposes for processing Personal Data in the Precisely Platform, you are deemed the Controller and Precisely the Processor.
We only process data in the Platform based on your instructions, and have taken privacy-by-design and privacy-by-default into careful consideration when developing the platform.
To be able to provide the platform to you, we, like any other SaaS company, need to rely on Sub-Processors.
Do you have a Data Processing Agreement (DPA)?
We always include a Data Processing Agreement with our customers (available here). Similarly, we always have Data Processing Agreements in place with our Sub-Processors.
What information do you have about me?
This depends on who you are and is further described in our Privacy Policy. In brief, however, this is the information we have:
If you are a customer of Precisely with an account in the Platform, we have your email address, name, IP address and potentially phone number connected to your Precisely account, for the purpose of providing the service to you. We also have this information about representatives of your company who have been or are in contact with us, for customer management purposes.
Depending on how you use the Platform and what type of documents you upload, these documents may contain personal information. We do not have access to such information unless you invite us to your organization for support or assistance purposes.
If you are a counterparty to one of our customers, for example a person appearing in one of our customer's contracts, we do not have access to the Personal Data about you (unless the customer has invited us as described above). Should you have inquiries about what Personal Data the customer holds about you, please reach out to the customer.
If you are not a customer of Precisely, but you are in contact with us, for example subscribing to our newsletter or visiting our website, we have your name and email address, and potentially phone number.
You can read more about this in our Privacy Policy.
How does Precisely protect personal data and ensure GDPR compliance?
Precisely has taken several measures to protect your data and to make GDPR compliance easy. Below we have cherry-picked some of our favorite and most important measures. Should you still have further questions, do not hesitate to reach out to us; we are happy to discuss this further.
Storage within the European Union
Storage
The Precisely platform is hosted on Google Cloud with servers located in Frankfurt, Germany, and file storage is managed through Amazon Web Services with servers located in Dublin, Ireland. Backups are stored in Finland. This means that no data needs to leave the European Union!
Backups
Backups of the database are run every hour. Precisely verifies the restoration process every time significant changes are made to the infrastructure. Upon written request from a customer, and after identity confirmation, a restore can be executed.
European E-signing providers
Precisely offers multiple e-signing providers to facilitate each customer's needs and wishes. As a customer of Precisely, you can choose one of our European e-signing providers, for example Scrive or Universign. By doing so, you get the full European Precisely package.
If you choose our default and free-of-charge e-signing provider Dropbox Sign (previously called HelloSign), a copy of the signed document is temporarily stored in the US. This applies only from the point in time when documents are sent for signing until the signing is completed or canceled, after which they are fully erased. For the sake of clarity, we of course have DPAs and SCCs in place with Dropbox Sign (ex-HelloSign).
As a side note, we also offer DocuSign and Adobe Sign integrations, giving you the possibility to use your existing DocuSign or Adobe Sign account with Precisely.
Encryption
We are extremely proud of the very high level of encryption we have in place to protect your data in the Platform, both in transit and at rest.
Encryption at rest
All data is encrypted at rest with AES-256 (Rijndael) or stronger. To safeguard against data loss, non-ephemeral data is automatically backed up and stored in a different data center. The system used to store Precisely contracts is designed to achieve 'nine 9s' of durability, meaning that the data is automatically replicated across multiple data centers to ensure that you will always have access to your contracts.
Encryption in transit
All interactions with the service must be performed over encrypted HTTP (HTTPS) with a minimum TLS (Transport Layer Security) version of 1.2. Communication within the cluster is performed over encrypted channels. All external traffic from the cluster must be encrypted; otherwise the cluster egress stops the traffic before it leaves the cluster.
Your connection to, and communication within, Precisely uses TLS with an ECDHE (P-256) key exchange and an AES-256 cipher suite, to ensure that the data is encrypted and transmitted securely. This is the same level of encryption used by several government bodies as well as leading banks.
Sub-Processors
As mentioned above, our main and essential Sub-Processors are Amazon S3, Google GCP and your choice of e-signing provider (by default HelloSign, US). We have chosen these Sub-Processors with due care: they offer storage and hosting within the EU and are internationally recognized for their high security standards.
Google Cloud security
Access to our Google Cloud instance is handled by our internal API, which acts as the gatekeeper for all data going into and out of the database and internal services. Only some parts of our API are accessible from the internet, and these parts are secured with state-of-the-art authentication as well as TLS (SSL) encryption to protect the data in the internal services and database.
Amazon S3 (AWS) security
We use Amazon S3 to store any files that are uploaded to or generated in the platform. For both server-side and client-side encryption, AWS uses AES-256 in Galois/Counter Mode (GCM) for all symmetric-key encryption operations. GCM provides authenticated encryption by appending an authentication tag to the ciphertext; the tag is verified on decryption, so any tampering with the encrypted data is detected.
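To make the tamper-detection property described above concrete, here is an added Go example (written for this page, not Precisely's or AWS's own code) that seals a file under AES-256-GCM and shows a single flipped ciphertext bit being rejected at decryption; the key, object name and plaintext are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is one stored object: the nonce plus ciphertext with GCM's 16-byte tag appended.
type Envelope struct{ Nonce, Ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts under key with a fresh 96-bit nonce; aad (e.g. the object's storage
// key) is authenticated but not encrypted, so the blob cannot be swapped to another name.
func Seal(key, plaintext, aad []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open verifies the tag before releasing plaintext; any modified bit yields an error instead of corrupt data.
func Open(key []byte, env Envelope, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; real keys come from a KMS
	env, _ := Seal(key, []byte("confidential contract text"), []byte("contracts/demo.pdf"))
	env.Ciphertext[0] ^= 0x01 // simulate one flipped bit in storage
	_, err := Open(key, env, []byte("contracts/demo.pdf"))
	fmt.Println("tampered object rejected:", err != nil) // true
}
```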
European personnel
All Precisely employees and support personnel are located in Sweden and Finland. Furthermore, we train all our employees in GDPR compliance, and are always following the principle of least privilege when we grant access to our systems.
Our employees will only access your data in the Platform with your consent or at your request, for example if you have a support inquiry or need help setting up your accounts or templates in the platform together with our lovely Customer Success team.
Other technical and organizational measures
On top of all that has been mentioned, we conduct audits and continuously review our processes and GDPR compliance. We maintain information security policies, enforce password controls and maintain an incident recovery plan. Please reach out to us for more details on all our technical and organizational measures!
How can Precisely help me as a customer with GDPR compliance?
Precisely works in numerous ways to provide you with a solution that lets you stay compliant with GDPR and privacy legislation. Besides what has been described above, we would like to highlight a few features that may help your internal compliance.
Privacy by Design and by Default
Two key concepts in GDPR, especially for SaaS and cloud providers, are "Privacy by design" and "Privacy by default". The two have much in common, but the main point is that both are approaches for minimizing the privacy impact of processing Personal Data!
Some valuable Privacy by Design features in the Platform:
- Limited personal information collected for account setup (email address, name)
- Ability to control input fields in contracts (questionnaire) by use of:
  - Multiple choice
  - Numeric only
  - Free text
- Ability to provide clear help text for any free-text field
- Ability to set strict access policies on documents containing personal information
- Metadata tagging, allowing you to:
  - Filter the archive on individuals to identify where they are mentioned
  - Track contracts, including DPAs
Single Sign-On (SSO)
By using Single Sign-On (SSO), you both enable faster login to the platform and avoid forcing your colleagues to remember numerous account names and passwords. On top of this, SSO increases security, since employees who only need to remember one password tend to create more complex passwords and don't need to write them down. Better password management → less risk of compromised accounts.
Active Directory (AD)
Active Directory (AD) synchronization with Precisely allows you to keep full control over your employees who are also Precisely users. This means that access to documents in Precisely is automatically synced between AD and Precisely. More control → higher security.