Leadformly GDPR Compliance for LeadForms
The EU General Data Protection Regulation (GDPR) comes into effect on May 25th 2018, replacing the Data Protection Directive 95/46/EC. This means that, if you store or process data of European citizens, your business must be in compliance before the May 25th deadline.
Leadformly will be in compliance ahead of the May 25th, 2018 deadline.
You may have questions about what it is and what it means for your lead generation forms. We've compiled a list of common questions to give you a heads up if you're out of the loop.
What do you have to do?
As far as your service with Leadformly goes, we'll take care of adapting Leadformly to accommodate the GDPR's terms before the May 25th 2018 deadline.
However, we do encourage you to seek professional legal advice for how GDPR may impact your business in general.
What changes will Leadformly make to its platform to comply?
Changes already made:
- 6/11/2017 - We now delete all customer data (including forms, leads, and personal data) held in our Amazon AWS database 7 days after a customer cancels their account, so that data is not stored for longer than necessary.
- 9/1/2018 - Data portability & right to be forgotten - we made a series of improvements to the 'leads page', allowing you to easily export all of your lead data to a CSV file that can be imported into other tools. We also made it easier to delete your lead data manually, individually or in bulk, in case a lead invokes the right to be forgotten.
- 22/1/2018 - Two-factor authentication is now mandatory for our development team to access Leadformly's AWS servers.
- 8/2/2018 - Two-factor authentication is now mandatory for our support team to access our support & billing platforms.
- 17/4/2018 - Two-factor authentication is now mandatory for our development and support teams to access Leadformly's administration area.
- 17/4/2018 - Implemented encryption at rest on all Amazon AWS databases containing personal information (including customer data and lead data).
- 17/4/2018 - Improved user access roles & permissions for our development team to limit the number of people with access to customer data.
- 17/4/2018 - You can now make it a requirement to tick a Ts & Cs checkbox before submitting a form (i.e. the form cannot be submitted without the user accepting the terms and conditions).
- 17/4/2018 - We have removed the ability to have Ts & Cs checkboxes pre-ticked. While this feature may have provided a more seamless user experience, the GDPR requires explicit consent to be given, which means checkboxes should be unticked by default.
- 17/4/2018 - We have added the ability to have multiple Ts & Cs checkboxes in a form to allow for unbundling of terms (previously you could only have one).
- 3/5/2018 - We have now integrated privacy by design into our system and product development, including through the creation and implementation of data protection impact assessments.
Changes in progress:
- Finalising our data maps and data-processing records.
- We are hiring a managed AWS DevOps / SecOps firm to audit Leadformly's server infrastructure and to provide ongoing monitoring of our servers.
- We are introducing additional security tools into our development process to identify vulnerabilities in dependencies and source code before they are deployed to the production server.
- We will be sending the status of each terms and conditions checkbox (checked or not) along with the lead data, so that you have a record of which checkboxes each lead ticked. This will also make it easier to determine whether you can add a lead to your newsletters.
Do you have a GDPR-ready data protection agreement (DPA)?
Do you process any data outside of the EU?
Leadformly stores and processes data in the cloud on Amazon AWS servers in the EU. Many of our subprocessors, however, are based outside of the EU or reserve the right to access data from outside of the EU. You can view a full list of the subprocessors & service providers we use in our DPA.
If you have additional questions about GDPR, we recommend that you get in touch with a qualified legal professional. We're unable to provide specific guidance on how you should prepare.
Do you have an incident response procedure to manage vulnerabilities?
Yes. While we have taken many steps to reduce the likelihood of a breach, we will notify you by email within 72 hours of identifying any incident in which we believe your data was breached.
What is your data retention policy?
If you decide to cancel your account, we will delete all of your personal data (and any lead/form data associated with your account) 7 days after your subscription ends. Note: We will need to keep some limited information (such as your email address and any payments and invoices associated with your account) to fulfill our legal responsibilities.