FAQS: GDPR - Satuit as Data Processor
1. Is Satuit GDPR compliant?
Yes. We understand that the Satuit platform is an important tool for our clients to manage and store data so we have undertaken a full program to evaluate our software and to provide webinars and guidance to help facilitate our clients’ compliance under the GDPR.
2. Is Satuit a controller or a processor?
For the data provided by our direct clients within the Satuit platform, Satuit is a data processor (as defined by the GDPR). For the data we hold on clients and prospects, we are a data controller.
3. Is Satuit a Joint Controller?
No. As the name suggests, joint controllers determine the purposes and means of processing data together or jointly. As the data processor, Satuit does not determine the purposes and means of processing the data that clients supply to the platform.
4. Can we search for personal data on your systems?
Yes. Satuit holds the data that our users have uploaded in a SQL database; each client has its own SQL database. Our users have full control of and access to their data, including the ability to search, import, export, delete and modify the data as needed.
Clients must maintain their own procedures as to who can access their Satuit database and the data held there.
You should review User permissions and consider restricting the access within your account. Your Satuit System Administrator can do this by setting and editing User permissions.
Satuit staff have access to your account to provide support and assist in the provision of the services.
6. How long does Satuit keep data?
Satuit holds data for as long as clients use the platform and keep data within their account, or until it is deleted from the platform (see below).
7. Can we delete personal data from your systems?
Yes, you can delete data on your account at any time (including when responding to a request for a data subject to be “forgotten”).
8. Can you confirm our right to have personal data deleted upon termination of contract?
At the termination of your ASP Agreement, your database is destroyed within a week of the termination date unless you request in writing that we keep the data for a longer period (in which case you would be required to pay fees). Users may delete contact data at any time during the term of the Agreement in response to the "right to be forgotten." We will be adding a PURGE function in the Summer '18 release.
9. How is data deleted?
When deleting a contact, the contact will be placed in the recycle bin – users must delete their recycle bins after which time the data is permanently deleted. Once the new feature is available, users will be able to purge the history associated with the contact as well.
10. What will Satuit do if it receives a Subject Access Request?
This is a highly unlikely scenario, but if we do receive a Subject Access Request from one of your clients (a data subject), we will pass on any request for data for which you are the data controller so that you can manage the request.
11. Do your standard contract terms include the new GDPR mandatory provisions?
We have updated our ASP Agreement terms and conditions in advance of 25 May 2018, but we also recommend that you execute a Data Processing Agreement that we are providing in addition to your current contract with us. For the moment, this document can be requested from firstname.lastname@example.org.
12. Does Satuit provide a sample Data Processing Agreement?
Yes, Satuit provides a sample Data Processing Agreement that can be added to your contract. For the moment, this document can be requested from email@example.com.
13. I have a Data Processing Agreement – can Satuit agree to that?
Given the number of Licensees to whom Satuit provides processing services and the need for processing activities to be documented, we require clients to use our Data Processing Agreement, as this has been prepared to cover the specific services Satuit provides. Your legal counsel may, of course, redline this agreement.
14. Do you have a documented breach notification process?
15. What will Satuit do in the event of a data breach?
In relation to the data our clients store with us (where we are a data processor), we will notify any affected client (data controller) of a personal data breach as soon as practically possible, and in any event, within 24 hours of discovering the breach.
In the event of a breach of data relating to our direct clients (where we are a data controller), we will report the breach within 72 hours to the Information Commissioner’s Office if it is likely to result in a high risk to the rights and freedoms of individuals.
16. Does Satuit have a DPO?
Yes. We appointed a full-time Chief Security Officer, who is our Data Protection Officer, in 2016.
17. Do any other organisations (including sub-contractors, contractors or consultants) process any of the data provided by our clients on our behalf?
Yes, our data centers, which are located in Canada, are owned and managed by Century Link.
18. What steps do you take to safeguard the processing of our data by third party organisations?
Satuit fully evaluates the data processing practices of any proposed sub-processor that might have access to client data – this includes reviewing their security and privacy practices.
Satuit has entered into contracts with the organisations listed as our sub-processors to ensure the safeguarding of personal data, including entering into Data Processing Agreements reflecting the obligations under the GDPR, passing down the measures of the EU Model Contract Clauses or ensuring the organisations maintain U.S. Privacy Shield certification, so that all client data is protected.
19. What happens if Satuit replaces or designates a new sub-processor?
We will provide you with advance notice of any changes or additions and give you the right to object (provided these are reasonable). Satuit will always ensure the safeguarding of personal data, including entering into Data Processing Agreements reflecting the obligations under the GDPR, passing down the measures of the EU Model Contract Clauses or ensuring the organisations maintain U.S. Privacy Shield certification (where appropriate) when working with parties outside of the EU.
20. Where is our data stored?
Your data is stored in the production centers owned by Century Link at the following locations:
6800 Millcreek Drive
555 West Hastings Street
BC V6B 4N6
21. Satuit development and testing platforms
Satuit frequently updates the platform with feature enhancements and additions. We do this in development, testing and staging environments separate from the main platform. No client data is stored in our testing or development environments.
Occasionally, at your request, we may make a copy of your database for testing purposes or to help you with a configuration project. These databases are destroyed upon completion of the projects.
22. Is Satuit compliant with the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield?
Satuit complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States.
Satuit has certified to the Department of Commerce that it adheres to the Privacy Shield principles.
23. To what extent can clients audit Satuit’s systems?
Satuit will facilitate client requests for audits and inspections. The terms of such audits can be found in the Data Processing Agreement in addition to the Terms and Conditions of your ASP Agreement.
Complete details on our security measures may be downloaded via our client portal. Please submit a request to access this document from firstname.lastname@example.org.
24. Tracking consent
If you are using consent as your legal basis, you may modify your Satuit forms to include enhanced consent-storage functionality, allowing you to record additional information about the consent obtained.