GDPR Frequently Asked Questions
Equisolve - May 24, 2018
As you are probably aware, things are changing with regard to personal data and privacy, due in large part to the EU's new, expansive data privacy law, the General Data Protection Regulation (GDPR).
We understand that you are probably seeing lots of emails about privacy policies and terms of service updates related to your own personal information. As the company that helps you create your web presence, we hope you will find this informative and somewhat different than those GDPR consumer emails you are seeing.
The services we provide to you as a client require us to clarify our relationship in ways that go beyond those updated privacy notices, which address GDPR's impact on you as an individual consumer of the organizations to which you give your personal information.
Though the majority of GDPR's impact falls on organizations whose core business involves collecting and using personal information on a large scale, it is also changing business practices at companies such as ours.
The purpose of this page is to share information with you about our evolving data protection efforts and our role as a data processor serving your business. We look forward to continuing to help you protect the information of your customers, employees, and the other visitors and users of your websites.
How does GDPR affect my website?
Under GDPR, any personal data you collect about individuals in the European Union is subject to GDPR, and you are the "data controller" of that information. Beyond our core business of designing and developing your websites, Equisolve's job is to protect the personal data we process on your behalf through your sites. Under GDPR, Equisolve is the "data processor" serving you as the data controller.
As the company that builds your websites, we will continue to provide you with design and process advice as we build and evolve your sites. Some of that advice may touch on ways for you to fulfill your own GDPR responsibilities. Recognize that such advice still leaves you with the ultimate decisions about what data you choose to collect, how you choose to use it, and what tools you make available to consumers and your workforce so they can exercise their personal data rights under GDPR and other privacy rules.
For more details about GDPR website compliance, see our GDPR Website Compliance Whitepaper.
How does GDPR relate to Equisolve?
As your data processor, we have a specific set of responsibilities that we must meet and we must rely on you as the data controller for direction regarding our processing activities.
This page is intended in part to describe some of Equisolve's data processor responsibilities and provide summary information about our ongoing efforts. We will update this page with additional information whenever we believe such information would be beneficial for Equisolve clients.
How do I get a Data Protection Addendum from Equisolve?
If you started service with us on or after June 5, 2018, the Data Protection Addendum is already part of our Terms of Service. If you started service before June 5, 2018, you may download the Data Protection Addendum, sign it, and submit it to firstname.lastname@example.org to be counter-signed.
Is Equisolve "GDPR-compliant"?
Equisolve is working to comply with GDPR as a business-to-business data processor, in order to fulfill our data protection obligations and to help our clients meet their own responsibilities as data controllers.
Although GDPR provides for certification mechanisms, none has yet been approved, so no business can currently claim to be certified "GDPR-compliant". We will continue to strengthen our own privacy practices and the tools we use, and we intend to pursue independent validation of our efforts when such mechanisms become available from the appropriate authorities.
What is Equisolve doing to comply with GDPR?
We recognize that compliance (with anything) is an ongoing effort, rather than a project to be completed and placed aside in order to "get back to business". We have expanded our own internal privacy and data protection compliance program and we will continue to strengthen our privacy practices.
Here are some of the highlights of changes we've made or are continuing to pursue:
- We have implemented GDPR-specific data processing addenda (DPA) with our other service providers
- We have created a GDPR-specific DPA applicable to our client services
- We have added the DPA to the Terms of Service that govern your business with Equisolve
- We are documenting personal data categories and data flows in which our processing services are involved
- We are updating our existing policies and procedures for:
- Data Classification
- Acceptable Use
- Security Operations and Monitoring
- Security Incident Response
- Hiring and Terminations
- We are creating additional data protection policies and procedures, including ones for:
- Data privacy and quality
- Third party data processing management
- Data breach response
- We are adding a website Terms of Site Use to Equisolve.com
- We are providing privacy awareness training for our entire staff
What personal information does my website collect?
Email Addresses and Contact Information
Although the contact form can be customized for each website and IR website, most IR websites collect the following information when a user signs up for email alerts:
- First Name
- Last Name
- Which email alerts are requested, e.g. press releases, SEC filings
- Address, city, state, zip, country
- Company Name
- Job title
Additionally, some data about the visitor is collected to allow you to demonstrate consent:
- IP address
- Browser user agent string
- Timestamp of signup
Other Contact Forms
If your website or IR website has custom forms, be sure to include these in any assessments of your data flows.
IP Addresses and Server Logs
Server logs are generated by web servers and load balancers and record each HTTP request a visitor makes to a website. This data is essential to providing the service securely, and it supports our security obligations under GDPR, because it is what enables us to identify and investigate attacks or hacking attempts.
What information does Equisolve collect in server logs?
Equisolve's infrastructure generates web server logs containing the following data for each entry:
- IP address of client
- Port on the client
- Request processing time
- Status code
- Request / response sizes in bytes
- User agent provided by the browser
- SSL protocol information
How long does Equisolve retain server logs?
Because investigating and resolving suspected security incidents is itself part of protecting personal data, it is Equisolve's policy to retain server logs for one year.
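The two points above, the fields kept per request and the one-year retention window, are easiest to see in code. The following is an added example, not Equisolve's tooling: it parses log lines in a constructed, space-separated format that carries the fields listed on this page (with an ISO 8601 timestamp assumed at the front, since retention needs one), drops entries older than 365 days, and flags any client that produced a burst of 4xx responses, the kind of pattern an incident investigation would look for. The sample log lines are constructed for the example and use documentation IP ranges.

```python
"""Parse request log entries, enforce a one-year retention window, and flag
clients that generate bursts of error responses.

Added example; not Equisolve's code. The line format is an assumption:
  <iso-timestamp> <client-ip:port> <proc-secs> <status> <req-bytes> <resp-bytes> "<user-agent>" <ssl-protocol>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import shlex


@dataclass
class LogEntry:
    timestamp: datetime
    client_ip: str
    client_port: int
    processing_time: float  # seconds spent handling the request
    status: int
    request_bytes: int
    response_bytes: int
    user_agent: str
    ssl_protocol: str


def parse_line(line: str) -> LogEntry:
    # shlex keeps the quoted user-agent string together even though it contains spaces.
    ts, client, proc, status, req_b, resp_b, ua, ssl = shlex.split(line)
    ip, port = client.rsplit(":", 1)  # rsplit so IPv6 literals keep their colons
    return LogEntry(datetime.fromisoformat(ts), ip, int(port), float(proc),
                    int(status), int(req_b), int(resp_b), ua, ssl)


def parse_log(text: str) -> list[LogEntry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


RETENTION = timedelta(days=365)


def apply_retention(entries: list[LogEntry], now: datetime) -> list[LogEntry]:
    """Keep only entries newer than the one-year retention window."""
    cutoff = now - RETENTION
    return [e for e in entries if e.timestamp >= cutoff]


def flag_error_bursts(entries: list[LogEntry], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> set[str]:
    """Return client IPs with at least `threshold` 4xx responses inside any
    `window`-long span (sliding window over each client's error timestamps)."""
    errors_by_ip: dict[str, list[datetime]] = {}
    for e in sorted(entries, key=lambda e: e.timestamp):
        if 400 <= e.status < 500:
            errors_by_ip.setdefault(e.client_ip, []).append(e.timestamp)
    flagged = set()
    for ip, times in errors_by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


# Constructed sample: one ordinary visitor, one scanner probing for missing
# paths, and one entry old enough to fall outside the retention window.
SAMPLE_LOG = """\
2018-05-20T10:00:00+00:00 203.0.113.7:51234 0.012 200 512 4096 "Mozilla/5.0 (X11; Linux x86_64)" TLSv1.2
2018-05-20T10:00:05+00:00 203.0.113.7:51235 0.004 404 300 512 "Mozilla/5.0 (X11; Linux x86_64)" TLSv1.2
2018-05-20T10:01:00+00:00 198.51.100.9:40001 0.003 404 280 512 "python-requests/2.18.4" TLSv1.2
2018-05-20T10:01:10+00:00 198.51.100.9:40002 0.003 404 280 512 "python-requests/2.18.4" TLSv1.2
2018-05-20T10:01:20+00:00 198.51.100.9:40003 0.003 403 280 512 "python-requests/2.18.4" TLSv1.2
2018-05-20T10:01:30+00:00 198.51.100.9:40004 0.003 404 280 512 "python-requests/2.18.4" TLSv1.2
2018-05-20T10:01:40+00:00 198.51.100.9:40005 0.003 404 280 512 "python-requests/2.18.4" TLSv1.2
2016-01-01T00:00:00+00:00 192.0.2.1:40000 0.010 200 400 2048 "curl/7.58.0" TLSv1.2
"""
NOW = datetime(2018, 5, 24, tzinfo=timezone.utc)  # assumed "current" time for the example


def analyze(log_text: str, now: datetime) -> dict:
    """Parse, purge, and flag; returns counts and the flagged client IPs."""
    entries = parse_log(log_text)
    kept = apply_retention(entries, now)
    return {"parsed": len(entries), "kept": len(kept),
            "flagged": sorted(flag_error_bursts(kept))}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, NOW))
```

The retention step is applied before detection on purpose: once an entry is past the window it should no longer be available to any process, including investigation, which is exactly the trade-off the one-year policy fixes.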
How are server logs protected?
Server logs are encrypted with industry-standard TLS in transit and with AES-256 at rest. They are stored in a SOC 2-audited AWS cloud environment and processed by Logz.io under the GDPR data processing addendum we have in place with that provider. Logs are also protected by firewalls and server-hardening controls.
What does Equisolve do to protect my users' personal information?
Equisolve works to ensure that any contact information collected on your website and stored in our system is secure. Security measures that we use include encryption, access controls, audit logs, and operational and technical policies and procedures. As a part of our expanded data protection compliance efforts, we are currently reviewing and enhancing our policies and procedures to ensure our operations and data processing on your behalf meet our GDPR compliance obligations and we will share additional information as this process continues.
Who has access to my users' personal information?
Equisolve employees and contractors (cloud hosting and email providers, for example) have access to your data only to the extent needed to provide the service. All access is logged for audit purposes. We do not share your users' information with third parties that are not needed to provide the service.
What is the retention policy?
We retain your users' personal information for as long as it is necessary to provide the services to you, and we securely delete it within 14 days of the end of your service with us.
Where is the data stored?
Data is stored in Amazon AWS, OVH, and in some cases LiquidWeb data centers in the US, Canada, Ireland, Germany, Singapore, Japan, Brazil, and Australia.
What about Google Analytics?
Many of our clients' sites include a Google Analytics tracking code. Typically, Equisolve sets up a Google Analytics account for the client and installs the tracking code on the client's website. However, the relationship with Google as it pertains to Analytics is directly between your company and Google, so you will need to work directly with Google on GDPR compliance for analytics.
Google has its own GDPR compliance website detailing its commitments under GDPR. Any questions about GDPR compliance regarding Google Analytics should be directed to Google.