GDPR and BentoBox
Last Updated (12/26/2019)
Note: The following content is for informational purposes only and should not be relied upon as legal advice. BentoBox does not provide legal counsel to its users as per its Subscription Agreement and recommends working with a legal professional to determine exactly how GDPR may or may not affect your business.
GDPR Overview
On May 25th, 2018 the European Union’s General Data Protection Regulation (GDPR) will go into effect. This privacy law means that EU residents will now have a variety of protections in place when it comes to their personal data and how it is used by private companies. Even if your business isn’t based in the EU, GDPR applies to any of your website visitors who are EU residents.
At BentoBox we strive to provide the highest level of security and privacy to our customers and their website visitors. Please use the guide below to get a better understanding of how GDPR affects you as a BentoBox customer.
Who is affected by GDPR?
EU-based organizations offering goods or services to EU residents will be affected the most by this regulation. However, even though GDPR is an EU regulation, it affects organizations outside of the EU that may be transferring or storing personal data about an EU resident. This means that any BentoBox website visitor or active BentoBox customer who is an EU resident has these privacy rights.
What is BentoBox’s role in GDPR compliance?
To prepare for GDPR, we are making changes internally to how we process, store and transfer data company-wide on behalf of our customers. We are also going to continually update our Privacy Policy, Terms of Service and Subscription Agreement. See below for an overview of additional steps we are taking:
BentoBox Certification Under the EU-US Privacy Shield
BentoBox is certified under the EU-US Privacy Shield regulations. This voluntary certification recognizes our commitment to data security and privacy when data is transferred from the EU to the United States.
Continual Data Audits
We’re reviewing all the data we collect, how it is transferred, and documenting exactly why we collect it. We are also examining which employees have access to different types of data and how/where this data is stored or processed.
Detailed Security Measures
As we enhance our data security protocols, we’ll provide the technical specifications BentoBox is taking to safeguard your data. This may include how we process data we are not storing, various encryption methods, physical security methods within our workspaces, and more.
Communication with Customers
Any changes we make to processes and methods we use will be documented and shared with BentoBox customers to maximize transparency. This page will be updated frequently and serve as a hub for all GDPR happenings at BentoBox. The most important changes will also be communicated directly via email.
Data Management Enhancements
A large part of GDPR is guaranteeing that website visitors are aware of what data is being collected from them, and that all personal data is successfully removed upon request. We are constantly improving the tools that facilitate these types of requests from both our customers and their online visitors.
How does BentoBox help me with GDPR compliance?
We aim to give you all the tools you may need to comply with GDPR. With these tools, our goal is to allow you as a business owner to flexibly manage your and your visitors’ data. See below for some specific examples:
Tools to Help with Data Deletion
Data deletion and accessibility are important parts of GDPR compliance. We are building tools that consider data deletion from many different perspectives such as:
An internal tool to comply with any data deletion requests that BentoBox receives directly
A tool that lets you export data you may have collected about a specific user that is stored by BentoBox
An option to automatically delete data received from a form submission on your site after a predetermined amount of time
An option to turn off or make visitors aware of any integrated analytic tracking on your site
As we make more tools available, they will be added to the list above.
Again, while we can’t offer legal advice, here are some helpful steps to consider taking when thinking about how GDPR may affect your business:
Perform a Data Audit
Review what data you are collecting, where it is stored, and why you are collecting it. Are you exporting personal data from your website visitors and transferring it somewhere else? How do you keep data safe? If you are using 3rd Party Integrations via BentoBox (Google Analytics, Campaign Monitor, OpenTable, etc.) or other external analytics/cookie tracking tools, review their privacy policies.
Consider Creating a Privacy Policy
Depending on your specific situation, you may want to add your own privacy policy to help make things more transparent for your website visitors. You can use a page to outline what information you collect from visitors, any 3rd Party Integrations you may use, why you may be collecting certain data, and whom you would be sharing that data with.
Remain Informed
Stay up to date with BentoBox by reviewing changes we make that will give you more control over how data is or is not collected about you and your website visitors.
Our Vendors / Sub-Processors
BentoBox works with many other companies to ensure the best experiences for our customers and their website visitors. During one of our preliminary data audits, we examined what data is being sent to these organizations and why it is being sent. Most importantly, we’ve made sure we are not storing unnecessary personal data. We’ve also verified that our Vendors and Sub-Processors have a Data Processing Addendum (DPA) in place in accordance with GDPR compliance. See below:
Amazon Web Services - the bulk of customer information is hosted on AWS
Stripe - payment data from our customers and site visitors is maintained in Stripe
Google - customer, prospective customer, employee, and visitor data is maintained in Google through products like Gmail, Google Analytics, and Google Drive
Square - payment data from site visitors is maintained in Square
Sentry - error reporting data is maintained in Sentry
Salesforce - sales pipeline and account management data is maintained by and within Salesforce
Zendesk - email and chat based support data is maintained by and within Zendesk
Mixpanel - customer analytics data is maintained by and within Mixpanel
Segment - customer analytics data is maintained by and within Segment
Asana - customer onboarding data is maintained by and within Asana
Atlassian - employee workflow data is maintained by and within Atlassian
Slack - employee workflow data is maintained by and within Slack
Zapier - gives alerts for new inquiries between services which are processed by Zapier
Dropbox - customer data for onboarding is maintained by and within Dropbox
CloudApp - screenshot tool to help with workflow and support is maintained by and within CloudApp
Calendly - scheduling tool is maintained by and within Calendly
Indicative - anonymized visitor data is maintained in Indicative
Zoom - customer and prospective customer email and video data is maintained by and within Zoom
Uservoice - customer feedback data is maintained by and within Uservoice
Typeform - customer onboarding data is maintained by and within Typeform
Promoter - customer NPS information is maintained by and within Promoter
BentoBox also facilitates a variety of 3rd Party integrations available to customers. Each of these services may have their own privacy policies, terms of service, and approaches to data security that differ from ours. It is important to review the policies of all services connected or used on your BentoBox website.
Where can I get more information about GDPR?
The full documents surrounding the regulation can be found on the ICO website. The Data Protection Commissioner also provides additional official documentation on their website.
However, a simpler breakdown of the full text can be found in this blog post from the Varonis team.
For further assistance with this, or anything else BentoBox related, please reach out to our Support team by email at support@getbento.com or by phone at (646) 585-5021.