GDPR, Privacy and Data Protection at Appenate

Information about our privacy & General Data Protection Regulation efforts

The European General Data Protection Regulation (“GDPR”) legislation introduces a new set of rules for the processing of personal data.
GDPR is the most modern and fully integrated legislation on data privacy, and the applicability of the GDPR does not stop at the borders of the European Economic Area (“EEA”).

Appenate has embraced the requirements of GDPR, and we consider GDPR to be the benchmark for our privacy and data protection efforts.
Below you’ll find information about GDPR, as well as answers about data protection and privacy at Appenate, for your convenience.

You should also consult our Privacy Policy and Terms of Use for further details on these topics.

Why GDPR should matter to you

GDPR modernises outdated privacy laws and impacts your organisation if you collect or process data in or from Europe.
If you’re based in Europe, or you work with persons that are in Europe, then you likely need to comply with GDPR.
Significant fines of up to €20,000,000 or 4% of global annual turnover, whichever is greater, could be levied on you if your organisation is impacted and is not GDPR compliant.

How to prepare for GDPR

If your organisation is impacted by GDPR, then you need to make sure you are compliant with the legislation before it commences on 25 May 2018.
The good news is that we make it easy to use Appenate in a GDPR-compliant way!

The following steps are recommended as a means to achieving compliance.
NOTE: We’re not lawyers! If you’re unsure about your compliance status, seek legal advice.

Review your vendors and data flows
Make a list of your software and other vendors, and document the data flows across your business, what type of personal data you collect and who has access. It’s likely that you will need to put in place agreements that assure data protection with any vendors you submit personal data to.

Review the Appenate DPA if applicable
If you’re an Appenate customer and are considered to be a data controller under GDPR, then you should review our online Data Processing Addendum (DPA) as it applies to you. The Appenate DPA is incorporated into our Terms of Use, so by having acknowledged our Terms of Use and continuing to use Appenate, you have already accepted our DPA.
Should you need to explicitly sign a data processing agreement with Appenate, then head to our DPA signing page.

Identify and mitigate your risks
Perform a risk assessment within your business to identify any gaps that need to be addressed for meeting GDPR compliance.

Implement your compliance ongoing
Plan and implement your GDPR compliance activities ahead of the May 25, 2018 deadline, and then ensure that compliance continues thereafter as an ongoing discipline for your organisation.

Common questions about GDPR and privacy at Appenate

What is GDPR?
“GDPR” or “General Data Protection Regulation” (EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) is the new European privacy legislation.

It aims to harmonise legislation throughout the EU with the intention to:

  • increase the general awareness of data privacy,
  • allow individuals to take control over their privacy and their fundamental rights, and
  • strengthen security requirements throughout companies and organisations.

Where/when does GDPR apply?
GDPR goes into effect on 25 May 2018 and applies to:
– all organisations established in the European Economic Area (“EEA”), and
– organisations, whether or not established in the EEA, that process personal data in connection with either the offering of goods or services to natural persons in the EEA or the monitoring of behaviour that takes place within the EEA.

Thus from the moment there is processing of personal data in the EEA, or from the moment a person located in the EEA is referenced, GDPR will apply (regardless of whether the processing entity is located in the EEA).

Whilst Appenate is an Australian company, with no offices or personnel within the EEA, GDPR is still applicable for all EEA-located customers of Appenate.

What does the Appenate Platform do?
Appenate provides a solution for rapidly creating data-driven business apps on mobile and desktop devices, all with no programming required.

This enables businesses to reduce paper, enhance productivity and improve accuracy in a wide variety of industries and field usage scenarios.

The Appenate Platform is an “end-to-end” platform for creating custom business apps, securely capturing and accessing data through these apps, safely storing that data in the cloud, and connecting/integrating the data with other external services.

Appenate is offered as “Software as a Service” (“SaaS”), which is a licensing and delivery model where software is centrally hosted and made available to multiple customers over a network, including through interacting applications (including mobile/desktop apps, web browser, and/or connectors to third-party systems).

Personal Data (as defined by GDPR) is only processed by Appenate under the control and direction of Appenate customers.

Who is a “Controller” or a “Processor” under GDPR?
Appenate customers decide the nature of data being captured and stored, and they choose which individuals interact with the Appenate Platform (thus in turn whose personal data is captured and processed).
It is thus you, as an Appenate customer, that legally acts as the “Controller” as defined under GDPR.

Appenate provides the means (the Appenate Platform) for Appenate customers to capture data and interact with their respective users, clients and other parties.
As such, Appenate is only processing personal data for, and on behalf of, Appenate customers as a “Processor”, as defined under GDPR.

The only case where Appenate acts as a Controller is during a limited set of direct interactions with Appenate customers (these being governed by the Appenate Privacy Policy).

What is Appenate doing to meet GDPR requirements?
Appenate has undertaken a number of initiatives to meet GDPR requirements:

Hosting of EEA customers exclusively within EU data centers
All data for customers identified as being located in the EEA is hosted within our cloud partner’s (Microsoft Azure) West Europe (Amsterdam) and North Europe (Dublin) data centers.

Encryption of data at rest and in transit
All data stored within the Appenate Platform is encrypted on our servers, be this within a database, storage service or file backups.
All data transport between servers, services and/or devices (both internally and externally) occurs exclusively over SSL-encrypted transport protocols.

Dedicated GDPR and Privacy Information page
We have created a dedicated webpage with detailed information about Appenate’s privacy efforts at https://www.appenate.com/gdpr.

Data Protection Officer (DPO)
The Appenate DPO supervises our entire data privacy program and works in close conjunction with Appenate team members on matters relating to security, data protection and privacy.

Data Processing Addendum (DPA)
Appenate provides a standard DPA which is a self-serve and easy-to-execute document pre-signed by an Appenate director. The DPA clearly outlines the data processing terms between Appenate and a customer, and it only requires an Appenate customer’s electronic signature to complete.
This allows Appenate’s European customers to provide the signed DPA to auditors demonstrating that the Appenate Platform is used to process data in a way that meets their GDPR compliance obligation.

“Is Personal Data” flags for data entities in the platform (e.g. forms and data sources)
The Appenate Platform now provides new checkbox options to allow Appenate customers to flag/identify data fields that contain personal data.
This, in turn, allows the Appenate Platform to anonymise these fields when data leaves the Appenate Platform (e.g. via manual export, connector integrations, and/or the Appenate Platform API).

Careful vetting of sub-processors
Each sub-processor of Appenate is vetted by our team in the areas of security, contractual terms, data processing agreements, and EU standard contractual clauses / Privacy Shield.

Up-to-date contractual documents/privacy policies
Our contractual documents have been updated to contain necessary GDPR provisions, including data processing addendum, end-to-end confidentiality and privacy policies.

Product Development
All new Appenate Platform functionality that is introduced from May 2018 onwards will include consideration of the following:

  • the GDPR principles of “privacy by design” and “privacy by default”,
  • giving flexibility to all customers while remaining within GDPR guidelines, and
  • keeping all changes as simple as possible.

What is a Data Processing Addendum (DPA) and does Appenate provide this?
If Appenate’s processing of personal data for your organisation falls within the material and/or territorial scope of GDPR (articles 2 & 3), the legislation (GDPR article 28) requires that this processing occurs under a Data Processing Addendum (DPA).

The Appenate DPA is provided online and is incorporated into our Terms of Use, so by having acknowledged our Terms of Use and continuing to use Appenate, you have already accepted our DPA. You can reference our DPA if you need to show auditors that your use of Appenate meets your GDPR obligations in terms of the data that we process on your behalf.

If your organisation requires that you execute an explicitly signed data processing agreement with Appenate, then head to our DPA signing page.
We’ll promptly counter-sign and return a digital copy to you for your records.

What types of Personal Data does the Appenate Platform process?
For registered users on the platform, basic contact information is processed (i.e. directly identifiable personal data such as e-mail address or name) as well as minimal device information, connection information and geolocation.

Other personal information may also be processed by the Appenate Platform through data captured and stored by Appenate customers.
While it’s not up to us to control what data we receive, this can include items such as contact information, IP addresses, and other data.
We process customer-submitted data as part of our contractual obligation to our customers, and in accordance with applicable laws, including the GDPR.

Does the Appenate Platform use sub-processors, and where is the list?
We use certain sub-processors to assist in providing the Appenate Platform to customers. A sub-processor is a third-party data processor engaged by Appenate that has, or potentially will have, access to or process customer data (which may include personal data).

Our list of current sub-processors is available here.

How long does personal data remain on the Appenate Platform?
Appenate production (live) environments

  • Registered users
    All personal data relating to a user is either deleted or anonymised within 7 days of the user deletion action. The 7-day period allows for fast recovery if the deletion was accidental.
    For the avoidance of doubt, deactivation of a user account does not remove the account or its personal data; the account is simply archived.
  • All other data entities
    This is determined and configured by Appenate’s customers, based in turn on their own agreements with data subjects.
    The Appenate Platform provides customers with functionality to delete data entities as needed.

Appenate backups

Backups are performed on a regular basis and are kept in encrypted, secure storage for up to 60 days.
This means that items deleted in production environments are available for restoration from backups for up to 60 days thereafter.

Appenate test/development environments

Data is occasionally extracted from production to development/testing environments for support, testing and debugging purposes.
When this occurs, personal data is anonymised in order to assure privacy.
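The “Is Personal Data” flags described earlier and the anonymisation of test/development extracts described just above both come down to the same control: fields marked as personal data are transformed at the boundary where data leaves the production platform. The following Python example is added here to illustrate that pattern; it is not Appenate’s code, and the form schema, field names and records are constructed for the demonstration. It shows two treatments (full redaction for exports, keyed pseudonymisation for test/dev extracts where consistent tokens are still needed for debugging), treats any field the schema does not know about as personal data (privacy by default), and ends with an egress check that no original flagged value survived.

```python
import hashlib
import hmac

# Hypothetical form definition. Each field carries an "is_personal_data" flag,
# mirroring the checkbox option described on the page. Field names are constructed.
FORM_SCHEMA = {
    "inspection_id": {"is_personal_data": False},
    "site": {"is_personal_data": False},
    "inspector_name": {"is_personal_data": True},
    "inspector_email": {"is_personal_data": True},
    "device_ip": {"is_personal_data": True},
    "findings": {"is_personal_data": False},
}

# Constructed sample records, shaped like rows of a form export.
SAMPLE_RECORDS = [
    {"inspection_id": 101, "site": "Warehouse A", "inspector_name": "Jane Roe",
     "inspector_email": "jane.roe@example.com", "device_ip": "203.0.113.7",
     "findings": "Fire exit blocked"},
    {"inspection_id": 102, "site": "Warehouse A", "inspector_name": "Jane Roe",
     "inspector_email": "jane.roe@example.com", "device_ip": "203.0.113.7",
     "findings": "OK"},
    {"inspection_id": 103, "site": "Depot B", "inspector_name": "John Doe",
     "inspector_email": "john.doe@example.com", "device_ip": "198.51.100.22",
     "findings": "Spill near dock 3"},
]

REDACTED = "[REDACTED]"


def personal_fields(schema):
    """Names of the fields flagged as containing personal data."""
    return {name for name, meta in schema.items() if meta.get("is_personal_data")}


def must_protect(field, schema):
    """Privacy by default: a flagged field is protected, and so is any field the
    schema does not know about, so an unlabelled column can never slip out."""
    return field not in schema or field in personal_fields(schema)


def redact_record(record, schema):
    """Export mode: the value is dropped entirely; nothing about the person leaves."""
    return {k: (REDACTED if must_protect(k, schema) else v) for k, v in record.items()}


def pseudonymise_record(record, schema, key):
    """Test/dev mode: replace protected values with keyed HMAC tokens. Equal inputs
    map to equal tokens, so joins and bug reproduction still work, but a token
    cannot be reversed without the key, which stays in production."""
    out = {}
    for k, v in record.items():
        if must_protect(k, schema) and v is not None:
            digest = hmac.new(key, str(v).encode("utf-8"), hashlib.sha256).hexdigest()
            out[k] = "pseudo:" + digest[:16]
        else:
            out[k] = v
    return out


def anonymise_export(records, schema, mode="redact", key=None):
    """Apply the chosen treatment to every record leaving the platform."""
    if mode == "redact":
        return [redact_record(r, schema) for r in records]
    if mode == "pseudonymise":
        if not key:
            raise ValueError("pseudonymise mode requires a secret key")
        return [pseudonymise_record(r, schema, key) for r in records]
    raise ValueError("unknown mode: " + mode)


def leaks_personal_data(exported, originals, schema):
    """Egress check: True if any original protected value survives in the output."""
    protected_values = set()
    for r in originals:
        for f, v in r.items():
            if must_protect(f, schema) and v is not None:
                protected_values.add(str(v))
    return any(str(v) in protected_values for r in exported for v in r.values())


if __name__ == "__main__":
    redacted = anonymise_export(SAMPLE_RECORDS, FORM_SCHEMA)
    tokens = anonymise_export(SAMPLE_RECORDS, FORM_SCHEMA, "pseudonymise", b"constructed-demo-key")
    for row in redacted + tokens:
        print(row)
    print("leak in redacted export:", leaks_personal_data(redacted, SAMPLE_RECORDS, FORM_SCHEMA))
```

Redaction is the only treatment here that is anonymisation in the strict sense; keyed pseudonymisation still counts as personal data under GDPR while the key exists, which is why the key must never travel with the extract. The egress check is the piece worth keeping in any real pipeline: it catches a schema that was edited after the flags were set.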

Who has access to personal data stored on the Appenate Platform?
Personal data stored on the Appenate Platform may be visible to:

  • Appenate customers
    Depending on their assigned access permissions, users can view and access personal data collected and/or stored within their Appenate customer account.
  • Appenate employees & contractors
    All employees & contractors are trained and contractually committed to following Appenate’s privacy, security and data protection practices.
  • Sub-processors
    We work with carefully selected services to provide aspects of the Appenate platform and may process data with these services as necessary to provide Appenate platform services.
  • Other third parties if required by applicable law or where Appenate has a good-faith belief that such disclosure is reasonably necessary to:
    (a) protect the safety of any person from death or serious bodily injury, or
    (b) prevent fraud or abuse

Access is limited to the personal data necessary for the specific purpose of the respective party.

Where is personal data stored? Does it leave the European Economic Area?
The Appenate Platform is hosted in 3 regions (“nodes”) across the world – specifically USA, Europe and Australia.

All customers that identify themselves as being located within Europe are hosted exclusively within our West Europe (Amsterdam) and North Europe (Dublin) data centers.
As such, all data captured and/or stored on the Appenate Platform for European customers will remain within the EEA by default.

Appenate only exports personal data outside of the European Economic Area (“EEA”) if and when required by:

  • a respective sub-processor for the correct functioning of the service they offer (e.g. push notifications),
  • other recipients, only to the extent required to support the correct and/or compliant functioning of the Appenate Platform

Where data export occurs, Appenate ensures that such export occurs under the transfer mechanisms allowed by GDPR (adequacy decisions such as the EU-US Privacy Shield, binding corporate rules, applicable EU standard contractual clauses, or such other methods as the GDPR allows), and keeps the exported data to the minimum necessary.

Appenate also provides software features to Appenate customers which allow them to anonymise personal data upon export out of the Appenate Platform.

Is data processed by Appenate used for direct marketing or automated decision making?
Registered administrator users may be contacted by Appenate with news or offers about the Appenate Platform.
Users can unsubscribe from these communications at any time.

Appenate does not use personal data processed through the Appenate Platform for direct marketing purposes, nor does the Appenate Platform employ automated decision-making processes/techniques which create or deny rights to individual persons.
We only process personal data under instruction and under control of the Appenate customer for the purpose of the Appenate Platform solution.

Got more questions?

For further information and any complaints/issues, please get in touch with us.
Contact Our Privacy Team