Epistema is committed to the success of our customers and the protection of their personal data. With a global customer base, we adhere to the General Data Protection Regulation (GDPR). The GDPR clarifies and expands the privacy rights granted to European individuals and requires certain companies that process the personal data of European individuals to comply with a new set of requirements. In particular, the GDPR may apply to companies that process the personal data of European individuals and have a presence in the EU (e.g. offices or establishments), target the European market (e.g. by offering goods or services to the European market), or monitor the behavior of European individuals. We’re here to help our customers in their efforts to comply with the GDPR.
Controllers and Processors
The GDPR defines and distinguishes between two roles when it comes to the processing of personal data: data controllers and data processors. A data controller determines the purposes and means of processing, while a data processor processes it on behalf of the data controller.
Epistema is the data controller of personal data pertaining to its website visitors and customers, and assumes the responsibilities of a data controller with respect to such data (to the extent applicable under law).
Epistema is the data processor of personal data submitted by our customer which concerns its end users, where we process it solely on behalf of such customer (who assumes the role of data controller). We process such data in accordance with the customer’s reasonable instructions, and subject to our Terms of Service, DPA and other commercial agreements with the customer.
What steps were taken by Epistema following the GDPR requirements?
We view the GDPR as raising the bar for data protection, security, and compliance, and are committed to its important principles.
We worked with our engineering, product, security and legal teams to bring both our product and our legal terms in line with the GDPR, and we will continue to ensure they remain so. As part of Epistema’s GDPR readiness project we’ve taken the following steps:
- Reviewed and strengthened our security infrastructure and practices, data encryption in transit and at rest, backup, logs and security alerts.
- A risk assessment and data mapping process were performed to achieve better visibility, decision making and risk mitigation.
- We delete or anonymize analytics data of users pursuant to account deletion.
- We’ve incorporated appropriate contractual terms into our terms (including our DPA), to support our role as a data processor for our customers while complying with the GDPR.
- We’ve put in place internal procedures, processes and controls, and introduced recurring training sessions for the team, to ensure our on-going compliance with the GDPR.
- Performed security and privacy assessments of our sub-processors to ensure they are all complying with the GDPR requirements.
- We keep audit logs of all database access and activity, documenting every access to, and change of, the database, for better security.
- We’ve appointed a Data Protection Officer (DPO) and a representative in the EU.
- We’ve developed, and are now making available, product features that allow organizations to handle data deletion:
  - Delete user profile: Admins can now delete users’ personal data or submitted content from the service (at their own initiative or pursuant to the user’s request). Please note: deleting a user will not delete the user’s posts or uploaded files, which will remain available for the organization until deleted separately.
  - Delete account: While canceling an account, Admins can decide whether they want to keep the organization’s information (including personal data) for future use, or to delete it permanently (by contacting Epistema).
We’ll continue to monitor the official guidance and rulings around GDPR compliance and will ensure that our product and processes are complying with them as they become effective.
Does Epistema offer a Data Processing Agreement (DPA)?
Yes. You can view our Data Processing Agreement/addendum (DPA) online. If you need a signed copy of the DPA, you can download it, send a signed copy to info@Epistema.com and we’ll provide you with a countersigned copy.
Does the GDPR prevent businesses from storing data outside of the EU?
Nothing in the GDPR prevents businesses from storing data outside of the EU, provided that the data is transferred in accordance with the regulatory requirements (e.g., to a recipient in a jurisdiction providing an adequate level of data protection; to a US recipient certified under the EU-US and/or Swiss-US Privacy Shield Frameworks; or under the EC-approved Standard Contractual Clauses). Epistema is situated in Israel, which the European Commission considers to provide an ‘adequate’ level of data protection. We store our data with Amazon Web Services (AWS), which is based in the US, and use other processors and sub-processors situated outside of the EU, all in strict accordance with the GDPR’s requirements on cross-border data transfer.
Where can I learn more about GDPR?
Additional information is available on the official GDPR website of the European Union.
I have more questions. Who should I contact?
If you have any additional questions about Epistema’s GDPR and privacy compliance efforts, you are welcome to contact us at email@example.com.