ComplySci General Data Protection Regulation FAQ’s

As of May 2, 2018

What is the GDPR? 

The General Data Protection Regulation (GDPR) is a European Union law that applies throughout the EU beginning 25 May, 2018.  The EU Parliament focused this legislation on data protection for individuals in the EU and EU citizens. The GDPR is an update to the 1995 Data Protection Directive, and includes stricter requirements for handling personal data and data subject rights. The GDPR has become a major focus for businesses worldwide, as it applies to any global business that handles the data of EU citizens.  GDPR will be applied in all EU citizens and residents.

See the GDPR Home Page.

How does GDPR affect ComplySci?

ComplySci processes customer Personal Data to provide our products and services and for other limited purposes enumerated in our Privacy & Cookies Policy.  With prestigious customers both in the EU and the US with employees who are EU citizens, ComplySci handles significant amounts of EU citizens’ data.  ComplySci is a Data Processor and processes and hosts Personal Data in order to meet our contractual obligations to our customers, the Data Controllers.

What is ComplySci doing?

Like many other companies, ComplySci is in the process of rolling out a company-wide GDPR compliance strategy leading up to 25 May 2018 and beyond. ComplySci is also committed to helping our customers fulfill their requirements under GDPR and local law.  We commit to:

  • Adhere to principles of user consent, data minimization and data subject rights.
  • Review of technical and organizational measures to ensure an appropriate level of security.
  • Ensure our policies, contracts and processes meet all GDPR guidelines.
  • Provide transparency and clarity to customers and partners on our GDPR strategy.
  • Safely transfer data and committing to appropriate data transfer mechanisms as required by GDPR. This includes our current Privacy Shield
  • Security and privacy of processing, notifying regulators of breaches, and promptly communicating any breaches to customers and users.
  • Ensure ComplySci staff that process ComplySci customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data.
  • Hold vendors that handle personal data to the same data management, security, and privacy practices and standards to which we hold ourselves.

When will ComplySci be ready for GDPR?

ComplySci is devoting significant resources and time toward GDPR compliance and will be ready for the May 25, 2018 deadline.

Where does ComplySci send my data?

Our goal is to provide our customers with secure, fast, and reliable services. As a provider of global services, we run our services with common operational practices and features across multiple jurisdictions.

In the US, ComplySci stores data in the Tierpoint data center, in Bethlahem, Pa. and in its AWS data center located in Ohio. In the EU, ComplySci currently stores data in the Equinix and Telehouse data centers in Slough and London, UK, respectively.  By the time GDPR takes effect, ComplySci will be storing data in the AWS Ireland region.  Data is stored in the jurisdiction requested by our customers.  Data is stored in two replicated, geographically separated data centres within the jurisdiction.

ComplySci may allow employees located in the US or the UK access to data stored in another jurisdiction for customer and technical support purposes. We disclose in our Privacy & Cookies Policy that customer data may be transferred to or accessed from these countries but always subject to governance in compliance with GDPR requirements.

What is the ComplySci information security approach?

ComplySci takes the following approach to information security:

  • Physical Access Controls for buildings and premises, to prevent unauthorized persons from gaining access to Personal Data.
  • System Access Controls to prevent Personal Data from being used without authorization.
  • Data Access Controls to provide that Personal Data is accessible and manageable only by properly authorized staff and assets.
  • Transmission Controls to ensure that data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.
  • Input Controls to establish by whom Personal Data has been entered into data processing systems, modified or removed and to ensure that Personal Data is under the control of Data Controller.
  • Data back-ups ensure that Personal Data is protected against accidental destruction or loss when hosted by Data Processor.
  • Logical Separation to ensure that Personal Data that is collected for different purposes may be processed separately.

Is ComplySci Privacy Shield certified?

Yes. You can view our Privacy Shield certifications here.

Is ComplySci SOC certified?

Yes, we have recently completed SOC1 Type 2 certification for both ComplySci and PTCC.

Who are ComplySci’s Sub-Processors under the GDPR?

ComplySci works with certain 3rd parties in order to provide our services. Those relevant third parties are available here.

The GDPR Resources and Updates

We’ll continue to update this page with new / revised information, so please check back periodically. You can also email privacy@complysci.com with specific questions about our GDPR policy and any privacy concerns.