Funding Gates’ Commitment to GDPR

Date: May 24, 2018

We are committed to providing our Accounts Receivable Platform to our customers in compliance with applicable laws and regulations in general and data privacy laws such as the EU General Data Protection Regulation (GDPR) in particular.

We seek to partner with our customers and their users to help them understand how we achieve data privacy compliance as processor and how the Funding Gates AR platform enables our customers to achieve data privacy compliance as controller.

This page outlines our general approach to GDPR compliance. It is provided as a resource for understanding the scope of the GDPR in relation to using Funding Gates. It does not constitute legal advice, representations, or warranties of Funding Gates. We encourage you to seek professional legal advice if you have questions about how the GDPR may affect your organization and its procedures.

GDPR and what it means for you

The General Data Protection Regulation of the European Union (GDPR), which takes effect on May 25, 2018, is the European Union’s (EU) comprehensive new privacy law that aims to protect the personal data—and rights related to that data—of persons residing within the EU.

The GDPR defines personal data as “any information relating to an identified or identifiable natural person.” Your name and email address are both examples of personal data. The GDPR applies to organizations established in the EU, and also to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU, whether or not those organizations have any physical or legal presence in the EU. In practice, therefore, the GDPR reaches organizations worldwide that collect the personal data of, or monitor the behavioral activity of, persons located within the EU.

How Does the GDPR Affect Funding Gates and Its Customers?

For the purposes of the GDPR, Funding Gates is a “data processor” (i.e., an organization that processes personal data on behalf of a data controller, typically in the context of providing services to the data controller) and our customers are typically “data controllers” (i.e., individuals or organizations that determine the purposes and means of the processing of personal data). Under the GDPR, individuals whose personal data are being processed are referred to as “data subjects.”

Processors and controllers each have their respective obligations under the law. Therefore, even though Funding Gates may be in compliance with the GDPR, it does not mean that our customers are automatically in compliance with the GDPR.

Responsibilities of Data Controllers

Data controllers are individuals or organizations that determine the purposes and means of processing personal data. Data controllers bear the primary responsibility for complying with the rights of data subjects and responding to data subjects’ requests under the GDPR. For example, when a data subject makes a lawful request to access, correct, update, delete, or restrict the processing of his or her personal data, the GDPR obliges the data controller to respond and, presuming the request is reasonable and does not infringe the rights of others, to fulfil that request.

Data controllers are also required to implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data, to provide information about the personal data being processed, the purposes of that processing, and the third parties to which that information will be transferred, among other things. Finally, the GDPR imposes duties of transparency and “data protection by design and by default,” which require the open, intelligible sharing of relevant privacy information and considering the privacy of personal data when undertaking new initiatives or developing new products or services. These are just a few of the various controller-related provisions of the GDPR.

Responsibilities of Data Processors

A data processor only processes data according to the documented instructions of a data controller. While a processor does have certain obligations to support and assist the data controller in upholding its own obligations, such as informing the controller of requests it receives from data subjects, its relationship to the personal data and the data subjects themselves is comparatively quite restricted.

Funding Gates’ Compliance with the GDPR

In anticipation of the GDPR taking effect on May 25, 2018, Funding Gates has undertaken extensive reviews of its data protection policies, security measures and operational processes to ensure our compliance with the GDPR.

As a data processor, we’ve taken various initiatives to ensure Funding Gates’ compliance with the GDPR’s requirements (to the extent applicable) with respect to the scope of services stated in our terms and conditions, privacy policy, security & performance statements and information protection overview, which include among others:

  • Reviewed and assessed the sufficiency of the technological and organizational tools and practices we employ to secure Personal Data.
  • Reviewed and updated all sub-processor relationships to ensure our sub-processors observe data protection practices that are at least as protective as our own.
  • Reviewed and updated all internal policies and procedures to enhance Personal Data security.
  • Reviewed data mapping and data inventory practices, and updated them where necessary, to ensure a clear understanding of the data entrusted to us.
  • Implemented training policies and procedures to ensure all Funding Gates employees understand their confidentiality obligations and abide by Funding Gates data protection policies.
  • Updated language used throughout our Platform to ensure our Platform users understand our data practices and their rights with regard to their own data.

Funding Gates’ Commitment to:

Transparency

GDPR requires clear privacy policies that explicitly state what data is being collected and how it is used, stored, and shared. Funding Gates has updated our privacy policy to ensure it is accurate and easy to understand. The policy also seeks to ensure that individuals and companies understand how to access and exercise control over Personal Data which they may choose to share with us.

Minimization

Funding Gates only collects, uses, and retains data as necessary to provide you agreed services and to fulfill our legal obligations. As a user of Funding Gates, you have control over what data you share.

Security

Funding Gates has implemented many controls to protect the confidentiality, integrity, and availability of data. In particular:

  • Funding Gates has strong technical data protection controls, which include encryption in transit and encryption at rest of customer data to safeguard customer data from unintended access or misuse.
  • Funding Gates employs a continuous security testing strategy to aid in the proactive identification of software vulnerabilities.
  • Funding Gates maintains incident response and customer notification processes. These procedures are tested on a regular basis.
  • Funding Gates relies on third-party service providers to help provide the Funding Gates services to you. These service providers are also data processors under the GDPR; because they process data only on our instructions, we refer to them as sub-processors. Funding Gates has made sure that each service provider has incorporated into its respective policies privacy terms that meet the standards of the GDPR. Our service providers include:

    Name of Sub-processor    Service Provided
    Amazon Web Services      Cloud Service Provider
    Twilio                   Communication API Provider
    Intercom                 User Messaging Platform
    Trello                   Task Management
    Google Apps              Business Processes
    Dropbox                  Internal File Sharing / Communication
    Mailchimp                Email Communication Platform
    Stripe                   Payment Processing Platform
    Atlassian                Software Development and Collaboration Tools
    Github                   Software Development
    Bugsnag                  Error Reporting, Monitoring, and Resolution
    Statuscake               Website Uptime & Performance Monitoring
    Segment.io               Analytics API
    Slack                    Internal Communication
    Periscope                Data Visualization Platform
    Hubspot                  CRM

Demonstrating Accountability in All Processing Activities

We act only on documented instructions from our users (the data controllers), and we apply the same obligations across our internal entities, subsidiaries, and hosting or cloud providers.

Our Funding Gates compliance program is already comprehensive and based on globally accepted standards. Its effectiveness is periodically attested to by third parties, such as Synopsys, on an annual basis. Funding Gates has implemented an information security program consisting of policies and procedures that define how system information is entered, managed, and protected. Funding Gates’ current information security program is further specified in our Master Subscription Agreement (MSA) as well as our Security Policy. In particular, Funding Gates commits to monitor, analyse and respond to security incidents in a timely manner in accordance with Funding Gates’ standard operating procedure, which sets forth the steps that Funding Gates employees must take in response to a threat or security incident. Funding Gates continues to invest in a growing global security team of well-trained and experienced professionals whose industry expertise includes technical, policy and legal specialists, in combination with a strong network of external specialists.

Checking Cross-Border Data Flows

Both the Data Protection Directive and the GDPR permit personal data transfers outside of the EU subject to compliance with defined conditions, including conditions for onward transfer. When a customer contracts with Funding Gates, we can enter into a Data Processing Agreement (DPA) with applicable customers. In the DPA, we agree with our customer on the terms for the compliant processing of customer personal data, including the description of our security and data privacy policy and the EU standard contractual clauses.

What you need to do as a user

In order for us, as a data processor, to provide the GDPR compliance referred to above (to the extent applicable), we operate under the assumption that you, as a data controller, do the following:

  • Collect the personal data of individuals in the EU only on a valid lawful basis under the GDPR, such as freely given, specific and informed consent, or the performance of a contract with the data subject
  • Act in compliance with the GDPR’s rules and any other applicable data protection or information privacy laws and regulations
  • Agree to have Funding Gates act as data processor on your (the data controller’s) behalf

Following these steps allows us to operate together under compliance with the GDPR (to the extent applicable), and provide you the same high standard of service you have come to expect.

Frequently Asked Questions

The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy. It is an important new data privacy law that enters into effect on May 25, 2018.

The law aims to protect the personal data of individuals in the European Union (data subjects) and changes how companies handle that data. It is a major shift toward privacy by default: personal data may be processed only on a lawful basis, such as the informed consent of the individual or the performance of a contract, and only for specified purposes.

It also strengthens the enforcement powers of EU regulators, who can require that companies store, control, and use personal data only on a valid lawful basis. Individuals gain rights such as the power to ask for the erasure of their personal data. Companies that are not compliant with the GDPR can be fined up to €20 million or 4% of their total worldwide annual turnover, whichever is higher.

The GDPR applies to individuals or entities established in the EU, as well as to certain individuals or entities established outside the EU that process the personal data of individuals located in the EU.

Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with EU data protection law. Personal data is any information relating to an identifiable natural person (e.g. names or contact details).

Funding Gates understands its role as data processor and supports the protection of personal data within and beyond the borders of the European Union.

We have undertaken extensive reviews in light of this regulation, and adopted internal processes to respond swiftly to GDPR-related requests. You may review our terms and conditions, privacy policy, security & performance statements, and information protection overview.

The scope of the Funding Gates services offering remains the same under the GDPR, and being compliant with the GDPR shall not prevent you from or restrict you in using the services of Funding Gates.

That being said, organizations using Funding Gates should fully understand their GDPR obligations as a data controller in order to ensure compliance.

While it is technically possible to process extensive amounts of personal data, in view of the GDPR requirements, we strongly recommend limiting the personal data entered to what is needed for your purposes in using the Funding Gates platform and for Funding Gates providing the relevant services to you.

The exact nature or category of data that needs to be uploaded to the Funding Gates platform varies based on your needs as a Funding Gates user and data controller. As a user, you have full control over your data that you upload to your Funding Gates account, and can remove any data you upload at any time.

Funding Gates has established internal processes to act swiftly upon requests. Data subjects (in other words, any individual whose personal data you control as data controller) exercise their rights against you as the controller rather than against us as the processor. Should a data subject nevertheless contact us directly, we will notify you in a timely manner and act on your instructions.

Data processed on the Funding Gates cloud can be deleted at any time without impacting the continuous usage of the service, and we are able to assist with such requests in a timely manner.

The GDPR does not require that the personal data of individuals in the EU be stored on servers located in Europe. Funding Gates’ data centers are located in the United States.

Accordingly, in order to perform the services, Funding Gates may transfer personal data to third countries, subject to an appropriate safeguard under the GDPR, such as an adequacy decision or the EU standard contractual clauses included in our Data Processing Agreement.

Yes. Taking appropriate technical and organizational measures to meet rigorous security standards, including those set by the GDPR, is one of our core operations.

We test our platform against realistic security threats to protect user data. On a regular basis, Funding Gates engages third-party security experts, such as Synopsys, to perform penetration tests against our applications and our organization itself.

It is our understanding that all Funding Gates features as defined under the scope of services can be used in compliance with the GDPR. However, the adherence to the GDPR requirements in your function as a data controller is your own responsibility.

Funding Gates takes active measures to support users in protecting personal data and continues to build features and services in line with data protection and information security laws and our focus on strong security and privacy measures.

Any non-standard terms, such as additional compliance requests, are considered on a client by client basis, depending on their requirements and requests. In such situations, Funding Gates can enter into a Data Processing Agreement (DPA) with applicable clients.

Please contact us, either through your regular point of contact if you have one, or by email at [email protected], and we will be more than happy to assist you.

Legal Disclaimer - This website is provided for informational purposes only and should not be considered as a contractual commitment or legal advice and does not discuss other privacy-related laws or regulations that may also be relevant to our customers and prospects, including any industry specific requirements. The relevant privacy and data protection laws and regulations applicable to individual companies will depend on several factors, including but not limited to where a company conducts its business, the industry in which it operates, the type of content it wishes to store, where or from whom the content originates, and where the content will be stored.