Vanillasoft is committed to GDPR compliance and offers robust privacy and security protections.
The EU General Data Protection Regulation (GDPR), replacing the 1995 EU Data Protection Directive, came into force on May 25, 2018. The GDPR is designed to strengthen the rights that individuals have over their personal data and unifies data protection laws across Europe regardless of where the data is processed.
Vanillasoft is committed to compliance with GDPR and to helping our customers with their GDPR compliance needs. The following outlines the robust privacy and security protections built into the solution.
Vanillasoft customers will typically act as the data controller for any personal data that they upload into their account. The data controller is responsible for determining the purpose and means of processing personal data. Vanillasoft typically acts as a data processor, as we process data on your behalf when you are using the Vanillasoft solution.
The responsibility of implementing appropriate technical and organisational measures to comply with GDPR falls to the data controller. These responsibilities relate to principles such as fairness and transparency, data limitations, data minimisation and respecting data subjects’ rights with respect to their personal data.
Guidance is available to data controllers online through the websites of your national or lead data protection authority under the GDPR. You should also seek independent legal advice if you have any questions. Nothing in this document is intended to provide you with, or should be used as, a substitute for legal advice.
Data controllers have a responsibility to only use data processors that provide sufficient guarantees that they are implementing appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR. Here is some important information in that regard.
A Data Processing Addendum is part of Vanillasoft’s Terms of Use and is valid for any customers that work with data from the European Union. The standard contract also includes Standard Contractual Clauses (SCCs) regulating data transfer.
Customer data put into our system by the customer or a user will only be processed in accordance with the customer’s instructions.
All Vanillasoft employees have signed a confidentiality agreement and must abide by our Code of Conduct.
Vanillasoft does engage some third-party vendors to assist in supporting the provision of the service. Each vendor must pass a detailed selection process which includes an evaluation of their technical expertise to ensure they can deliver the appropriate level of security and privacy. These are set out in Vanillasoft’s Vendor Management Policy.
Under the GDPR the data controller and the data processor must show the ability to ensure ongoing confidentiality, integrity and resilience of the system. Vanillasoft uses state-of-the-art hosting facilities with strict access controls, multiple internet connections and backup energy sources. User and session information is protected using security methods based on dynamic data and encoded session IDs. Database machines are not directly accessible from the public internet, and all data is stored on redundant SSD disks.
Vanillasoft uses multiple data centers that are geographically distributed to minimize the effects of a regional disruption. Data is backed up every 15 minutes, and we carry out disaster recovery testing on an annual basis in order to evaluate fail-over scenarios.
2048-bit SSL is used for all data transmissions, providing both server authentication and data encryption. All data is encrypted at rest.
Vanillasoft carries out quarterly security scans for both network and application vulnerabilities. A third-party security test is carried out annually. All hardware and software are managed to ensure that all relevant patches are applied on a consistent basis.
Vanillasoft has an Information Security Breach Response policy that establishes a documented and formalised approach for any actual or suspected security incident. The policy includes notification within 48 hours where a personal data breach requires it.
Vanillasoft administrators can export data at any time during the term of their agreement. As an administrator, you can also delete customer data. When Vanillasoft receives a complete deletion instruction – for example, deleting contacts through Contact Management – the relevant customer data will be permanently and irretrievably deleted within a maximum period of 90 days unless retention obligations apply.
The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. We contractually commit under our current agreement to maintain a mechanism that facilitates transfers of personal data, and we continue to offer that commitment now that the GDPR is in force.