1. Purpose
This Data Protection Impact Assessment (DPIA) outlines how Howwe processes, stores, and protects Personally Identifiable Information (PII) in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR). Our goal is to identify and mitigate risks associated with data processing while ensuring the privacy and security of all personal data.
2. Overview of Data Processing Needs
2.1 Types of PII Stored
We process and store the following types of PII, provided directly by our customers and users:
Name: For user identification.
Email: For communication and account-related functionalities.
Telephone Number: Voluntarily provided for inquiries or event registrations.
Company and Team Information: To enable organizational and goal-tracking features.
Activities and Progress: Metrics related to individual and team performance.
Technical Data: Includes IP address, unique device ID, network and computer performance, browser type, language, and operating system.
2.2 Nature, Scope, and Context of Processing
Data Collection: All data is collected directly from users or customers; no data is sourced from third parties.
Data Context: Data is used exclusively for delivering, maintaining, and improving Howwe services, as well as meeting legal obligations when necessary (e.g., search warrants or court orders).
Data Minimization: We collect only the data strictly necessary to deliver these services effectively.
3. Data Storage and Security
3.1 Secure Data Storage
All data is stored in secure, compliance-certified Google Cloud data centers.
Multi-layered security measures, such as encryption (AES-256 for data at rest, TLS 1.3 for data in transit), access control, and intrusion detection, are in place to safeguard data.
Customers may choose their data hosting region within the options provided by Google Cloud to meet regional compliance requirements.
3.2 System Documentation
More details about data security are documented in the following policies:
Technical Description and Release Management Process Policy
IT Policy
IT Incident Policy
Information Risk Management Documentation
4. Data Sharing
4.1 Limited Third-Party Access
Personal data is never shared with third parties unless explicitly required for a specific purpose.
All use cases involving third parties are clearly defined in our GDPR compliance documentation.
4.2 Third-Party Providers
When data processing involves third-party tools (e.g., email notifications via SendGrid), Howwe ensures these providers comply with GDPR and relevant data protection laws.
5. Data Retention
5.1 Retention Policy
For Customers: PII is retained for the duration of the customer agreement and for six months following its termination.
For Website Visitors: PII provided for inquiries or event registrations is retained as long as it is relevant to our business needs and sales cycles.
5.2 Data Deletion Process
Users can request data deletion at any time by contacting [email protected]. Upon receiving such a request:
All personal data is scrambled, effectively anonymizing it.
Non-personal data (e.g., numerical inputs related to objectives or goals) may be retained in an anonymized form but will no longer be attributable to any user.
6. Data Risk Assessment
6.1 Low Sensitivity of Stored PII
The PII stored by Howwe is limited in scope and sensitivity, resulting in a low risk of harm to individuals in the event of exposure.
6.2 User-Generated Content Risks
Users may input sensitive data into free text fields. While Howwe cannot prevent this, we mitigate risks by:
Employing robust encryption and access controls.
Regularly reviewing and updating our security practices to align with industry best practices.
6.3 Login Risks
We mitigate risks associated with login mechanisms by:
Using a secure global login system powered by Auth0, located in the EU.
Supporting multi-factor authentication (MFA) and encryption for all login processes.
7. Transparency and Accountability
7.1 User Awareness
Users are informed about how their data is collected, stored, and processed.
Transparency regarding data usage is integral to Howwe’s commitment to user trust.
7.2 Customer Accountability
Our customers (typically organizations) have access to tools and documentation that clearly outline their responsibilities in ensuring compliance with GDPR and other data protection regulations.
8. Continuous Improvement
We regularly review and update our data protection practices to adapt to evolving legal, technical, and industry standards.
Audits and feedback loops are integral to our process for maintaining robust data protection measures.
9. Relevant Sources
EU GDPR Overview
Comprehensive details on the General Data Protection Regulation (GDPR) compliance.
ISO/IEC 27001 Standards
Standards for establishing, implementing, and maintaining robust information security management systems.
NIST Privacy Framework
Guidance for identifying and managing privacy risks in organizational operations.
Google Cloud Data Protection
An overview of Google’s infrastructure and practices for protecting customer data in the cloud.
Google Cloud GDPR Compliance
How Google ensures compliance with GDPR requirements for its cloud services.