The General Data Protection Regulation (GDPR) is the new legal framework for data protection across the EU. It becomes enforceable on 25th May 2018. This post clarifies how CloudConvert complies with the GDPR and what our customers can do to be compliant.
Under the GDPR, CloudConvert takes two different roles. CloudConvert is classed as a data controller if it provides services to end customers and directly collects or processes personal data. CloudConvert is classed as a processor if it processes data on behalf of a data controller (typically a customer of CloudConvert).
CloudConvert as data controller
In short, we do collect:
- Your IP address and times of access
- Name, email address and photo if you create an account
- Billing address and payment information if you buy a package or if you subscribe
We do share:
- Your billing address and payment information with our payment provider Stripe
- Your IP address, time of access, browser agent, and referrer with Google Analytics
CloudConvert commits to:
- Not mining or collecting any data from your uploaded files
- Not sharing or copying your uploaded files
- Irreversibly deleting your uploaded files within 24 hours (or immediately, if you manually use the delete button)
CloudConvert as processor
If you are an organisation and use CloudConvert to process your customers' files, we are typically acting as processor. This is the case if you collect personal data and send it to us for conversion, for example via our API.
As a processor, CloudConvert commits to:
- Processing provided personal data solely in accordance with your instructions. CloudConvert will never process or share your data for any other purposes.
- Keeping your data inside the EU.
- Applying strict security standards to provide a high level of security.
- Implementing technical and organizational measures in accordance with Art. 32 GDPR.
- Reporting any data breach to you without “undue delay”.
- Solely using subcontractors that comply with the GDPR and have signed appropriate contractual agreements.
- Helping you meet your own regulatory obligations, by providing you with adequate documentation of our services.
In accordance with Art. 28 GDPR, it is possible to sign a data processing agreement with us. This binds us legally to the proper processing of data in accordance with the GDPR. To arrange this, contact us.