Data Protection Impact Assessment
Updated more than 3 weeks ago

1. Purpose

This Data Protection Impact Assessment (DPIA) outlines how Howwe processes, stores, and protects Personally Identifiable Information (PII) in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR). Our goal is to identify and mitigate risks associated with data processing while ensuring the privacy and security of all personal data.

2. Overview of Data Processing Needs

2.1 Types of PII Stored

We process and store the following types of PII, provided directly by our customers and users:

  • Name: For user identification.

  • Email: For communication and account-related functionalities.

  • Telephone Number: Voluntarily provided for inquiries or event registrations.

  • Company and Team Information: To enable organizational and goal-tracking features.

  • Activities and Progress: Metrics related to individual and team performance.

  • Technical Data: Includes IP address, unique device ID, network and computer performance, browser type, language, and operating system.

2.2 Nature, Scope, and Context of Processing

  • Data Collection: All data is collected directly from users or customers; no data is sourced from third parties.

  • Data Context: Data is used exclusively for delivering, maintaining, and improving Howwe services, as well as meeting legal obligations when necessary (e.g., search warrants or court orders).

  • Data Minimization: We collect only the data strictly necessary to deliver these services effectively.

3. Data Storage and Security

3.1 Secure Data Storage

  • All data is stored in secure, compliance-certified Google Cloud data centers.

  • Multi-layered security measures, such as encryption (AES-256 for data at rest, TLS 1.3 for data in transit), access control, and intrusion detection, are in place to safeguard data.

  • Customers may choose their data hosting region within the options provided by Google Cloud to meet regional compliance requirements.

3.2 System Documentation

More details about data security are documented in the following policies:

  • Technical Description and Release Management Process Policy

  • IT Policy

  • IT Incident Policy

  • Information Risk Management Documentation

4. Data Sharing

4.1 Limited Third-Party Access

  • Personal data is never shared with third parties unless explicitly required for a specific purpose.

  • All use cases involving third parties are clearly defined in our GDPR compliance documentation.

4.2 Third-Party Providers

When data processing involves third-party tools (e.g., email notifications via SendGrid), Howwe ensures these providers comply with GDPR and relevant data protection laws.

5. Data Retention

5.1 Retention Policy

  • For Customers: PII is retained for the duration of the customer agreement and for six months following its termination.

  • For Website Visitors: PII provided for inquiries or event registrations is retained as long as it is relevant to our business needs and sales cycles.

5.2 Data Deletion Process

Users can request data deletion at any time by contacting [email protected]. Upon receiving such a request:

  • All personal data is scrambled, effectively anonymizing it.

  • Non-personal data (e.g., numerical inputs related to objectives or goals) may be retained in an anonymized form but will no longer be attributable to any user.
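The deletion process above removes identifying fields while keeping non-personal metrics. As an added illustration (this is example code, not Howwe's own deletion routine, and the field names, the classification of fields, and the sample record are all assumptions), the function below applies that rule to a user record. Two points a practitioner would want to see handled: PII fields are dropped rather than hashed, because an unkeyed hash of an email or phone number can be reversed by a dictionary lookup and would leave the record pseudonymous rather than anonymous; and free-text fields are dropped as well, since users may have typed personal data into them (the risk noted in section 6.2) that structured-field scrubbing cannot see. Any field not explicitly classified is rejected instead of guessed at, so new columns cannot silently leak through a deletion.

```python
import secrets
from typing import Any

# Field classification (assumed, for illustration only; not Howwe's schema).
PII_FIELDS = {"name", "email", "telephone", "ip_address", "device_id"}
FREE_TEXT_FIELDS = {"notes"}  # may contain user-typed PII; never retained
RETAINED_FIELDS = {"activities_completed", "goal_progress_pct", "team_id"}


def anonymize_record(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of `record` with personal data removed and metrics kept.

    - The user id is replaced by a fresh random surrogate so the retained
      metrics stay internally consistent but cannot be linked to the person.
    - PII and free-text fields are dropped outright (not hashed or masked).
    - Unclassified fields raise, so an unreviewed column is never retained.
    """
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key == "user_id":
            # Random surrogate, not derived from any PII value.
            out["user_id"] = "anon-" + secrets.token_hex(8)
        elif key in PII_FIELDS or key in FREE_TEXT_FIELDS:
            continue
        elif key in RETAINED_FIELDS:
            out[key] = value
        else:
            raise ValueError(
                f"unclassified field {key!r}: refusing to guess whether it is PII"
            )
    return out


def verify_anonymized(original: dict[str, Any], anonymized: dict[str, Any]) -> bool:
    """Check that no PII value from `original` survives anywhere in `anonymized`.

    This is a defensive post-condition: it scans every retained value as text
    for any original PII or free-text value, and also confirms the surrogate
    id differs from the original id.
    """
    sensitive = {
        str(original[k])
        for k in PII_FIELDS | FREE_TEXT_FIELDS
        if k in original and original[k] is not None
    }
    if "user_id" in original and anonymized.get("user_id") == original["user_id"]:
        return False
    for value in anonymized.values():
        text = str(value)
        if any(s and s in text for s in sensitive):
            return False
    return True


# Constructed sample record (fictional values, not real user data).
SAMPLE_RECORD = {
    "user_id": "u-1001",
    "name": "Example Person",
    "email": "example.person@example.invalid",
    "telephone": "+46 70 000 00 00",
    "ip_address": "203.0.113.42",
    "device_id": "dev-abc123",
    "notes": "Call me on +46 70 000 00 00 after the sprint",
    "activities_completed": 14,
    "goal_progress_pct": 62,
    "team_id": "team-7",
}

if __name__ == "__main__":
    result = anonymize_record(SAMPLE_RECORD)
    print(result)
    print("anonymized OK:", verify_anonymized(SAMPLE_RECORD, result))
```

Running the script on the constructed record yields only the surrogate user id and the three retained metrics. The classification sets are deliberately small allow-lists: when a new field is added to the schema, the deletion routine fails loudly until someone decides whether that field is personal data, which is the behaviour a DPIA reviewer would expect.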

6. Data Risk Assessment

6.1 Low Sensitivity of Stored PII

The PII stored by Howwe is limited in scope and sensitivity, resulting in a low risk of harm to individuals in the event of exposure.

6.2 User-Generated Content Risks

Users may input sensitive data into free text fields. While Howwe cannot prevent this, we mitigate risks by:

  • Employing robust encryption and access controls.

  • Regularly reviewing and updating our security practices to align with industry best practices.

6.3 Login Risks

We mitigate risks associated with login mechanisms by:

  • Using a secure global login system powered by Auth0, located in the EU.

  • Supporting multi-factor authentication (MFA) and encryption for all login processes.

7. Transparency and Accountability

7.1 User Awareness

  • Users are informed about how their data is collected, stored, and processed.

  • Transparency regarding data usage is integral to Howwe’s commitment to user trust.

7.2 Customer Accountability

  • Our customers (typically organizations) have access to tools and documentation that clearly outline their responsibilities in ensuring compliance with GDPR and other data protection regulations.

8. Continuous Improvement

  • We regularly review and update our data protection practices to adapt to evolving legal, technical, and industry standards.

  • Audits and feedback loops are integral to our process for maintaining robust data protection measures.

9. Relevant Sources

EU GDPR Overview

Comprehensive details on the General Data Protection Regulation (GDPR) compliance.

ISO/IEC 27001 Standards

Standards for establishing, implementing, and maintaining robust information security management systems.

NIST Privacy Framework

Guidance for identifying and managing privacy risks in organizational operations.

Google Cloud Data Protection

An overview of Google’s infrastructure and practices for protecting customer data in the cloud.

Google Cloud GDPR Compliance

How Google ensures compliance with GDPR requirements for its cloud services.
