The following is for informational purposes only and does not constitute contractual obligations. Our legal relationships with customers are governed solely by our formal legal agreements. For specific legal advice, please consult with your own legal counsel.
The General Data Protection Regulation (GDPR) is a comprehensive data privacy regulation that impacts businesses and individuals across the European Union (EU) and the wider European Economic Area (EEA). This regulation focuses on granting individuals greater control and rights over their personal data.
For Smilecloud and our customers, understanding and complying with GDPR is crucial. It not only ensures the protection of individual privacy but also builds trust in our services, reinforcing our commitment to data protection and security.
Smilecloud collects two principal categories of data:
This data, important for our operations and user experience, is treated with the utmost regard, ensuring it is both protected and utilized in a manner compliant with prevailing data protection norms. Consider reading our Privacy Policy to better understand how we process personal data.
As a controller, we manage personal data in scenarios such as end-user interactions, billing processes, and website visits, adhering to practices transparently articulated in our Privacy Policy.
In contrast, we act as a processor when processing data that customers upload to Smilecloud. Details regarding how we manage such data are outlined in our Data Processing Agreement (DPA) and incorporated into our Terms of Service.
To align with GDPR requirements, Smilecloud offers a robust Data Processing Agreement (DPA) to our customers. Our DPA is designed to respect all the stipulations of Article 28 of GDPR, detailing the rights and obligations of both parties regarding data processing.
Underpinning our GDPR compliance, we implement a range of technical and organizational measures (TOMs). These measures are critical to safeguarding data and include enhanced IT security, data minimization strategies, regular privacy assessments, and employee data protection training. Our TOMs are continually reviewed and updated to address emerging privacy challenges and technology advancements. Detailed information on these measures can be found on our Security Measures Page.
Smilecloud adheres to privacy regulations in its data processing and transfers, particularly involving subprocessors and transfers outside the European Economic Area (EEA). We uphold secure and lawful data management by utilizing GDPR-sanctioned transfer mechanisms, such as Standard Contractual Clauses (SCCs), approved codes of conduct or certification mechanisms, and adhering to adequacy decisions. Our practices align with the latest GDPR guidelines and regulatory updates, ensuring data protection and compliance in all operations.
Retention: We adhere to a principled data retention policy, preserving personal data for durations necessitated by our Privacy Policy and fulfilling the purposes outlined within it. When acting as a data processor, our retention periods are customized to adhere to stipulations within our general terms of service and DPA, safeguarding data while respecting temporal boundaries.
Deletion: Customers maintain autonomous control over their data, with options to modify, export, or erase it using our user interface. Data deletion requests initiate a 90-day deletion process after contract termination, which provides a window for database rollbacks.
Destruction: Data destruction is managed by AWS and strictly follows NIST 800-88 guidelines. Once data is obsolete or deletion is requested, AWS ensures it's permanently and irreversibly erased from storage, aligning with recognized, stringent practices to secure user data effectively.
Any inquiries or concerns regarding our GDPR compliance and data protection practices can be directed to our designated Data Protection Officer (DPO) via email at dpo@smilecloud.com.