Last update: 01.18.2024
The European Union General Data Protection Regulation (GDPR) is a regulation that aims at unifying EU member state data privacy regulations into a single regulation, enforced on the EU single market. This article describes the GDPR compliance status of Anvilo.
If your company needs to ensure it is GDPR-compliant, it also needs to ensure its providers (ie. Anvilo) are also GDPR-compliant. Anvilo is GDPR-compliant and strictly enforces the regulation as to protect the user data we store.
The GDPR can be reduced to 11 important points. For each point, we explain how Anvilo handles its compliance. If we did not answer your questions in this article, you can still drop us an email.
All employees responsible for software development & infrastructure maintenance of Anvilo are fully aware of the GDPR requirements.
Also, code reviews are performed by the Data Protection Officers, before any code deployment to the platform. This ensures security breaches and bad practices are not implemented by eg. a third-party temporary contractor or an Anvilo employee, even if aware of GDPR requirements.
2. Information we hold
Anvilo stores data on 2 kinds of parties:
- Our customers
2.1. Information held on our users
Anvilo collects account information for each user (we refer to them as customers in this article), including:
- User first and last name, email, and profile picture
- Browsed pages on the Controller’s website and referring URL
b) date and time of visits to the Controller’s website
c) technical information as screen resolution, operating system, browser type and device type
d) geolocation data (country and city)
e) IP address
The information help on our users’ end-users is solely the responsibility of our users (ie. the individual websites using Anvilo). It is our responsibility to secure access to this data (ie. only website operators can access it and have a right to rectification and deletion).
3. Communicating privacy information
Anvilo customers’ end-users’ privacy terms are the sole responsibility of Anvilo customers. They should be announced on Anvilo customer’s website.
4. Individuals’ right
- Right to be informed
- Right of access: our users can access all their data
- Right of rectification
- Right of erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right not to be subject to automated decision-making including profiling
5. Subject access requests
Anvilo replies to all access requests (positively or negatively) within 2 weeks (the legal limit from GDPR is 1 month).
6. Lawful basis for processing personal data
Anvilo stores user data involving consent (ie. a conversation both parties entered by will, and exchanged eg. emails).
Consent is provided by our users explicitly when proceeding with an action or task (eg. when they provide user data).
Anvilo does not offer online services to children, due to the nature of the service provided (business-to-business). Thus, we did not identify it as relevant to control the age of users signing up for services.
Children might still be able to use the Anvilo services, from the website or apps of a customer. To this extent, the Anvilo customer is responsible for checking against their users and activities regarding children’s regulations.
9. Data breaches
Our team closely monitors any unauthorized system access and has put in place multiple preventive measures to reduce the attack surface on our systems and services.
Here are a few measures we took to reduce any attack surface:
- Aggressive use of firewalls and network isolation in our infrastructure
- No access to our server systems is allowed from the public Internet, trusted administrators from the Anvilo team need to connect via a trusted VPN network
- We monitor any security flaw in any library we may use in our running backends, and patch them as soon as an update is issued
- Use of 2-Factor-Authentication on all our sensitive accounts (eg. hosting provider, etc.)
- Isolate data stores and sensitive backends on different servers
- All platform backups are GPG/PGP-encrypted and stored privately, retained for a maximum of 1 week
The points listed above help reduce the probability of a major data breach occurring.
10. Data Protection by Design and Data Protection Impact Assessments
Whenever Anvilo develops a new system, security comes first when designing the architecture of such a system. Our first goal is to protect the integrity of the new production system, and the second goal is to protect the user data that’s being stored and used by that system.
11. Contact Us
If you have any questions about these Terms, please contact us.