Composity's GDPR Commitment

 

Composity fully complies with the GDPR in the delivery of our services to our clients. We believe this new law is an important step forward to the protection of our customers’ and their customers' data. We have enchant our software, contracts, and documentation to support compliance with the GDPR.

What has Composity Done?

Here’s a summed up version of what actions we have taken to ensure that Composity, as a service provider, and, by extension, our users, are compliant with the GDPR.

What Changes Are Made for Composity to be GDPR Compliant?

We have taken all the needed actions to implement the required changes within our internal processes and procedures, in order to achieve and maintain compliance with GDPR. We are also dedicated to helping our customers comply with the GDPR.

We have ensured that our software meets all regulation standards, to support our customers’ compliance with the GDPR.

Consent

We have made changes to allow our clients to record when, how and what type of consent they have requested. We have also added logs that show any consent given or withdrawn. We have added a visible mark for every profile who has not given a consent, so the data can't be processed further.

Rights of the Data Subject

We have created interfaces to allow our clients to address requests from their customers, related to their rights for accessing any personal data that might be stored in our client's workspace.

Link with access to a specific page containing only personal data collected will be sent to an indicated email address. The generated data will be accessible for 7 days only. Also, it will be available for download in a commonly used and machine-readable format.

Composity cannot perform search for or access such information. Only users associated with the clients' workspace will have the ability to search for personal data in the individual accounts on the workspace.

Data Retention

The Data Retention setup gives our customers the ability to set the time-limit for storing data by Composity software. After the period data is ready to be deleted from client's workspace and Composity servers. This process is not automatic. Users need to manually remove any account that is for deletion. The system will notify you for such accounts and combine them in a specially designated table.

You may select the time period for which you want to retain account data. You will have the option to reset the retention period for an account with each new activity, created for that account. This means extending the expiration date, based on current time plus retention period.

Data Erasure

There are two options to erase an account profile and personal data collected in it, if this data is no longer needed or the data subject wishes its erasure.

First one is to permanently delete the user account from your workspace. As soon as you opt to delete the data, the process starts and the data is not retrievable. It will take up to 30 days in total for all the data to be deleted from our servers and backups as well.

The other option is to mask all personal information, collected in the account. This data will be unrecognizable, but still usable for general stats and analysis. This process is irreversible and once encrypted the information can't be retrieved.

Data Safety & Security

Our customer's data is safe with Composity. We have undertaken a number of steps to ensure you and your users are the only ones who can access your workspace.

Composity servers are positioned in Germany, Europe on the Contabo infrastructure. All workspaces and databases run inside a Contabo VPC, Virtual Private Cloud. Our client's data is only accessible from the application servers and no outside sources are allowed to connect to the database. Firewalls are in place to block access if any suspicious login activity is detected.

Composity transmits data from the user's browser to our systems using HTTPS. All Data in transfer is encrypted.

Data collected in Composity software is exclusively owned and used by our users and customers. We do not make use of the data stored in any workspace. We at Composity do not have access to any workspace unless consent is officially given by an admin of the workspace and login details are given to the Composity employee to perform support.

Engineers have different access rights and level of access to the system components according to what their job requires. Developers have their own credentials and SSH Key-Based authentication is used for server access.

Data Processing Agreement

We’ve created a Data Processing Agreement compliance with GDPR law. If you want to sign a Data Processing Agreement with Composity you can review and download it from here. Send a signed copy via email on info@composity.com and we will countersign it and provide you with a fully executed downloadable copy via email within 4 business days.

We are confident these changes are addressing the requirements of GDPR. We are committed to helping our customers address their GDPR needs and to provide the tools that can help Composity's customers achieve this goal.