Booya: General Data Protection Regulation Compliance

GDPR information as mandated by European regulations

Background

On April 27, 2016, the European Parliament and the European Council adopted legislation known as the General Data Protection Regulation (GDPR), which became enforceable on 25 May 2018. This legislation replaced the European Privacy Directive 95/46/EC.

GDPR is intended to unify and strengthen data privacy for individuals located in the European Union (EU). GDPR also extends the applicability of EU data privacy legislation to non-EU companies that store or process data on EU residents, and it increases the fines that may be levied against companies that fail to prevent breaches of personal data or that violate GDPR requirements.

Definitions

Here are the definitions used for Booya’s GDPR documentation:

Subject: An individual/natural person.

Data Controller: The entity that collects and processes data on subjects (see GDPR for the exact definition). In this case: the user, client, company or subject who uses Booya.

Data Processor: The entity that processes data on behalf of a data controller (see GDPR for the exact definition). In this case: the software product known as Booya.

Personal Data: Data that can be used to identify a subject, directly or indirectly, particularly via reference to an identifier (such as a name, identification number, location data, or online identifier), or to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Sensitive Personal Data: Personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; genetic data or biometric data.

Booya Subprocessors: Third-party systems to which Booya provides personal data. In this case: HubSpot.

GDPR summary

Applicability

GDPR applies to a wide territorial scope, including non-EU based services and companies that possess data on EU residents.

Notifications and consent

Before you collect personal data from your end users, you must obtain their consent to do so. When requesting consent, your notifications must:

  • Be clear and easy to understand.
  • State the purpose of the data involved and how it will be processed.

You must also:

  • Explicitly request consent.
  • Make it as easy for your end users to revoke their consent as it is to grant it.

Rights of individuals

Your end users, as individuals, have the right to:

  • See the data the company has about them.
  • Know how their data will be processed or used.
  • Be forgotten (the individual may ask the controller of their data to erase the data in question, cease disseminating the data, or halt further data processing).
  • Portability (the individual can ask for their data in a standard, machine-readable format and can transmit their data to another data controller).
  • Not be subjected to automatic decision making (a process typically called profiling).

Privacy by design and privacy by default

As the data controller, you must design your app to abide by both privacy by design and privacy by default principles.

Privacy by design means that each new implementation that uses personal data must take the protection of such data into consideration.

Privacy by default means that the strictest privacy settings automatically apply once the end user acquires a new product or service (that is, without any manual change required on the part of the user).

Requirements for data processors and controllers

As the data controller, you must:

  • Perform due diligence to ensure that your data processors provide adequate protection of the data you provide to them.

Booya, as the data processor, must:

  • Comply with instructions provided by data controllers.
  • Maintain adequate documentation.
  • Implement adequate security.
  • Conduct data protection impact assessments.
  • Appoint a data protection officer or establish a privacy office.
  • Comply with rules on international data transfers.
  • Agree to and sign a written data processing agreement that meets GDPR requirements.

Enforcement

GDPR mandates that data controllers release notifications regarding data breaches within 72 hours of the incident.

Fines for non-compliance are much higher than under the previous directive and are determined using a tiered system.

Supervisory authorities in the European Union have greater investigative powers.

Organizations controlling data must appoint a Data Protection Officer, while organizations processing data should have a Data Privacy Office.

Roles and responsibilities under GDPR

Booya customers are data controllers. The product known as Booya is a data processor.

Personal data handled by Booya and InboundLabs

Booya handles end-user data present in user profiles, including metadata, stored in HubSpot contacts or accessed from third-party OAuth providers.

Data controller (customer) responsibilities

Ultimately, you, as the data controller, are responsible for GDPR compliance, which mostly consists of operational procedures and documentation.

More specifically, the customer is responsible for:

  • End-user notification, consent, and withdrawal of consent.
  • Deciding what data they expose to Booya.
  • Signing up and, if necessary, creating new users.
  • Ensuring their users meet the age requirements and obtaining the appropriate consent if necessary (such as parental consent for children).
  • Implementing the mechanisms necessary for their end users to retrieve, review, correct, or remove personal data.
  • Deleting user data after receiving right-to-be-forgotten requests.
  • Providing data in standardized formats.
  • Responding to their end users' privacy-related requests (data subject access requests, DSARs).
  • Responding to communications from the European Union Data Privacy Authorities.
  • Data breach notifications sent to supervisory authorities and end users (InboundLabs will assist the customer and provide the necessary information if we are involved).

The customer is the party responsible for the security of their data. Booya and InboundLabs have no knowledge of how, or for what purposes, the customer processes the data it collects.

Data processor (Booya) responsibilities

Booya is responsible for:

  • Notifying the customer if it receives requests from the customer's end users exercising their GDPR rights as subjects for data access, erasure, and so on.
  • Notifying the customer if it receives requests from EU Data Privacy Authorities (unless prohibited by law enforcement).
  • Notifying the customer if it becomes aware of a confirmed security breach.
  • Notifying the customer if any of its sub-processors notify Booya about a confirmed data breach that impacts Booya customer data (unless prohibited by law enforcement).
  • Providing information about its data processing, so that the customer has the information it needs to process data lawfully.
  • Defining its services and features, how data is processed, and the rights and obligations of customers.
  • Providing the means for customers to retrieve, review, correct, or delete customer data, by syncing user data to the HubSpot CRM and deleting user data in Booya when the corresponding contacts are deleted in the HubSpot CRM.
  • Providing a mechanism for customers to display consent terms and consent agreement checkboxes, and to control what data is collected from end users, by modifying the registration and profile forms via HubSpot.

Booya data processing

Data Booya possesses

In the case of OAuth-based authentication (e.g. Google, Facebook), Booya stores all user data in HubSpot. For email/password authentication, Booya stores only the user's email and a bcrypt hash of the user's password, which it needs for authentication; all other profile data is stored in HubSpot.

The specific properties contained in the user profile vary based on customer implementation and are based on a number of factors, such as the authentication provider, user consent during the authentication flow, and whether you've augmented the user registration and profile forms with additional custom fields.

How Booya uses the data it stores

The personal data stored in Booya is used only for the purposes of providing its services, namely authenticating users.

What happens to data when an end user's account is deleted

When an end user's account/contact is deleted in the customer's HubSpot portal, their user data, including metadata, is automatically deleted from Booya as well.
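The two behaviours described in this section, the split between the minimal authentication record Booya keeps and the profile data that goes to HubSpot, and the deletion cascade from the HubSpot contact to the Booya record, as an added example that is not Booya's own code. It uses hashlib.scrypt from the Python standard library as a stand-in for bcrypt (bcrypt is not in the standard library), an in-memory dict as a stand-in for the HubSpot contact list, and a constructed registration form; the cost parameters, field names and record layout are assumptions.

```python
"""Added illustration: minimal auth record + salted password hash, profile data in the
CRM store, and deletion of the CRM contact cascading to the auth record.
Not Booya's code. scrypt stands in for bcrypt; the CRM is an in-memory dict."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed scrypt cost parameters: 128 * n * r = 16 MiB of memory per hash.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)

# Fields that belong to the authentication record only; everything else is profile data.
AUTH_FIELDS = {"email", "password"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$digest' (hex). A fresh random salt makes equal passwords hash differently."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate_digest = hashlib.scrypt(
        candidate.encode("utf-8"), salt=bytes.fromhex(salt_hex), dklen=32, **SCRYPT_PARAMS
    )
    return hmac.compare_digest(candidate_digest, bytes.fromhex(digest_hex))


# Hash verified for unknown accounts so a missing account costs as much as a wrong password.
DUMMY_HASH = hash_password("placeholder-not-a-real-password")


def split_registration(form: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a submitted registration form into (auth_record, crm_profile).

    The auth record holds only what authentication needs: the normalised email and the
    password hash. All other submitted fields go to the CRM profile (data minimisation).
    """
    email = form["email"].strip().lower()
    auth_record = {"email": email, "password_hash": hash_password(form["password"])}
    profile = {k: v for k, v in form.items() if k not in AUTH_FIELDS}
    profile["email"] = email  # join key between the two stores; never the password
    return auth_record, profile


class Stores:
    """The processor's auth table beside the customer's CRM contacts (both in memory here)."""

    def __init__(self) -> None:
        self.auth: Dict[str, Dict[str, str]] = {}      # email -> auth record
        self.contacts: Dict[str, Dict[str, str]] = {}  # email -> CRM profile

    def register(self, form: Dict[str, str]) -> str:
        auth_record, profile = split_registration(form)
        self.auth[auth_record["email"]] = auth_record
        self.contacts[profile["email"]] = profile
        return auth_record["email"]

    def login(self, email: str, password: str) -> bool:
        record = self.auth.get(email.strip().lower())
        if record is None:
            verify_password(DUMMY_HASH, password)  # equalise timing, then refuse
            return False
        return verify_password(record["password_hash"], password)

    def delete_contact(self, email: str) -> None:
        """Deleting the CRM contact removes the auth record too (right to erasure)."""
        email = email.strip().lower()
        self.contacts.pop(email, None)
        self.auth.pop(email, None)


if __name__ == "__main__":
    stores = Stores()
    # Constructed sample registration form; the field names are assumptions.
    stores.register({"email": "Ada@Example.com", "password": "correct horse",
                     "firstname": "Ada", "company": "Analytical Engines Ltd"})
    print("auth record fields:", sorted(stores.auth["ada@example.com"]))
    print("login ok:", stores.login("ada@example.com", "correct horse"))
    stores.delete_contact("ada@example.com")
    print("auth record after contact deletion:", stores.auth.get("ada@example.com"))
```

The point the split makes visible is that the processor's table never holds anything a breach of it alone could turn into a profile: one email and one salted hash per account, with the profile living in the controller's CRM under the same join key, so erasing the contact there leaves nothing behind on the processor side.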

Booya features aiding GDPR compliance

Here is a list of GDPR requirements and how Booya can help you comply with them.

Conditions for consent

According to Article 7 of GDPR, you must:

  • Ask users to consent to the processing of their personal data in a clear and easily accessible form.
  • Be able to show that the user has consented, and
  • Provide an easy way to withdraw consent at any time.

You can use Booya and HubSpot to ask your users for consent upon signup (by either modifying the default registration form or creating a custom form for elaborate consent schemes) and save this information in the user’s HubSpot contact. You can later update this information using Booya’s profile form or HubSpot CRM tools.

Right to access, correct, and erase data

According to Articles 15, 16, 17, and 19 of GDPR, users have the right to:

  • Get a copy of the personal data of theirs that you are processing.
  • Ask for rectification if that data is inaccurate, and
  • Ask you to delete their personal data.

With Booya, end users can also modify and correct their data via the "Edit Profile" form, which the user can manage in HubSpot.

Booya stores all user data in HubSpot, allowing customers to access, edit, export and delete user information, either manually or using HubSpot's API.

Data minimization

According to Article 5 of GDPR:

  • The personal data you collect must be limited to what is necessary for processing.
  • It must be kept only as long as needed, and
  • Appropriate security must be ensured during data processing, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

Several Booya features can help you achieve these goals:

  • Account linking.
  • The ability to manage what data is collected about users by modifying the registration and profile forms.
  • Using HubSpot as the primary data store, and storing only the data needed for authentication in Booya.
  • TLS encryption of all API endpoints.
  • Use of industry-standard services, Heroku and MongoDB Atlas, for the application and database servers.

Data portability

According to Article 20 of GDPR, users have the right to receive the personal data concerning them in a structured, commonly used and machine-readable format.

You can export user data, stored in HubSpot's contact list, either manually or programmatically. Raw data from HubSpot can be exported in CSV and Excel format.

Protect and secure user data

According to Article 32 of GDPR, you must implement appropriate measures to ensure a level of security, including (but not limited to):

  • Data encryption.
  • Ongoing confidentiality.
  • Data integrity, and
  • Availability and resilience of processing systems and services.

Several Booya features can help you achieve these goals:

  • TLS encryption of all API endpoints.
  • The ability to customise the required password complexity.
  • Storing all user data in your HubSpot portal.
  • Use of industry-standard services, Heroku and MongoDB Atlas, for the application and database servers.

Additional features, such as multi-factor authentication and detection of anomalous and brute-force logins, are on our roadmap.

Security advice

Booya recommends the following practices to help ensure the security of your end users' data and minimize the probability of a data breach:

  • Protect client secrets and keys.
  • Protect Management Dashboard credentials, and require multi-factor authentication for access to Booya's management dashboard via HubSpot.
  • Review the list of administrators for the Management Dashboard and HubSpot on a regular basis and remove outdated entries.
  • Ensure that Dashboard and HubSpot administrators use corporate credentials that can be easily revoked if necessary, not personal credentials such as a personal email account.
  • Remove accounts for terminated employees promptly.
  • Ensure that administrators use devices with mandatory screen locking.
  • Provide regular training to all Dashboard and HubSpot administrators and developers on security and privacy best practices.
  • Monitor any HubSpot extensions or plugins you use, and send their log data to logging tools with reporting capabilities.