The General Data Protection Regulation (GDPR) is a set of rules (directive) designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for businesses so both citizens and businesses in the European Union can fully benefit from the digital economy.
The GDPR came into force on May 25, 2018. Jottacloud is committed to GDPR compliance across all products and services. We are also committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections built into our services and contracts.
Protecting your data
As a Jottacloud customer, your data will be treated in accordance with the GDPR legislation. Security of our customers' data is our number one priority. More info on our technical and organizational security measures can be found in this article on Security in Jottacloud.
Our datacentre Green Mountain SVG1 - Rennesøy is certified with i.a. ISO/IEC 27001:2013 – Information Security Management System.
Compliance with GDPR
Jottacloud follows the principles for processing personal data in the GDPR and the Personal Data Act, and has implemented a data protection strategy to ensure compliance with the GDPR. All processing of personal data is assessed and regularly revised against these security principles, in order to minimize risk to the data subjects' rights. Breach of security that affects registered persons' personal data is notified via e-mail or Jotta's direct messaging system.
The purposes for processing personal data are described in our Privacy Policy and in our Terms of Use. Here we also describe how long we store personal data, and what rights the data subjects have under the GDPR, including:
The right to be forgotten - how users can exercise their "Right to be forgotten"
Right to restricted processing - how users can exercise their right to restricted processing under GDPR with Jottacloud.
We also collect cookies; this is described in our Cookie statement.
All employees in Jotta AS are subject to a duty of confidentiality, and we have the option of giving employees customized and limited access to personal data.
Jottacloud's data processors
Jottacloud uses the following data processors and has signed data processing agreements with them, which include the updated standard contractual clauses (EU) 2021/914. These subprocessors have their main storage location in the United States of America:
Stripe, Inc. - Payment Processing - https://stripe.com/en-no/legal/dpa
Intercom, Inc - Support ticketing and customer communication - https://www.intercom.com/legal/data-processing-agreement
Microsoft Corporation - Office online (optional) - https://learn.microsoft.com/en-us/compliance/regulatory/offering-eu-model-clauses#european-union-model-clauses-overview
Google Firebase and Crashlytics - Android Mobile App improvement and analytics - https://firebase.google.com/terms/data-processing-terms
Mailchimp - Customer communication - https://mailchimp.com/legal/data-processing-addendum/
Data Protection Officer (DPO)
Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR. Jottacloud has appointed a DPO that can be contacted at dpo@jottacloud.com.
Jottacloud as a data processor
Jottacloud processes personal data on behalf of business customers and partners, and follows legal instructions given by these data controllers. Jottacloud records and regularly audits processing activities carried out on behalf of the data controller, and seeks to minimize the risk for the data subjects. Breach of security that affects the data subject's personal data is notified via e-mail to the data controller.
European businesses located in EU or EEA countries are required to sign a Data Processing Agreement (DPA) with vendors to comply with European Data Privacy laws (GDPR). Jottacloud has updated the DPA to include the updated standard contractual clauses (EU) 2021/914.
Frequently asked questions
Does Jottacloud comply with GDPR (General Data Protection Regulation) with regards to the data of Jottacloud customers?
Yes.
Jottacloud follows the principles for processing personal data in the GDPR and the Norwegian Personal Data Act, and takes the necessary measures to ensure that we are in compliance with the GDPR.
Can I view Jottacloud’s data processing agreement (DPA)?
Yes. This can be found here.
Does Jottacloud collect any personally identifiable information from customer’s applications about their users, and what kind of data?
Jottacloud collects name, email address, and in some cases phone number.
Where is the Jottacloud data stored geographically? Under which jurisdiction?
All Jottacloud data is stored in Norway.
Our datacentre Green Mountain SVG1 - Rennesøy is certified with i.a. ISO/IEC 27001:2013 – Information Security Management System.
How long is the data retained for?
Data will remain in your Jottacloud account until your data retention period expires for that data, or you manually choose to delete this information from your account settings. The data retention period is normally 90 days.
How do I prevent sensitive data from being sent into Jottacloud?
You are in complete control of the data you choose to send to Jottacloud. You can delete such data from Jottacloud at any time by accessing the service through our apps or website.
Further information
If you have additional concerns or questions about GDPR compliance, feel free to contact us at support@jottacloud.com or dpo@jottacloud.com.