Roboheart, Inc. ("Trunk", "us", "we", or "our") operates several websites and services including https://www.trunkinventory.com and related subdomains (the "Service"). It is our policy to respect your privacy regarding any information we may collect while operating our Service.
The GDPR and Trunk
On privacy, the GDPR and why it is important
In order to offer greater privacy and control of data for individuals who use or are stored within our Service, we will apply the GDPR to all individuals who are stored within or use our Service, whether inside or outside of the EU.
We believe in the GDPR and support increased privacy for everyone.
General Data Protection Regulation (GDPR)
In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). GDPR is a significant change in data protection regulation in the EU and replaces the existing legal framework (the Data Protection Directive and the various member state laws).
The GDPR is a comprehensive set of regulations that dictates what companies like us must do in order to properly protect our customers' data. Even though we are not a European company, we have many customers in the EU and we fully comply with these regulations. This document explains in simple terms what we're doing in order to ensure compliance.
It will come into effect on May 25, 2018.
Note: The full GDPR regulations are extremely long and complicated. This isn't meant to be a comprehensive list of every single thing we do to protect your data, but rather it's a simple summary so that you can have a good idea of the protections we have in place. Please feel free to reach out to us at firstname.lastname@example.org if you have questions about specific items that aren't addressed here.
How GDPR applies to Trunk
GDPR defines three parties, which will be referenced throughout this document:
- Data Subject - This is the user about whom data is being stored and used. Any user that you store within our systems (i.e. your customer) is a data subject. You are also a data subject, because you have an account with Trunk (i.e. you're our customer).
- Data Controller - This is the person or company that is using the data that's being stored. You (our customer, and a user of Trunk) are a Data Controller. We are also a Data Controller, concerning your personal data, because you have an account with Trunk.
- Data Processor - These are companies that create tools to actually store and take advantage of the data. We are a Data Processor.
The Data Controller and Data Processor both have different responsibilities to ensure that we are acting legally and ethically. This document explains what we do to comply with GDPR as a Data Processor, and how we use the data we collect, but you should keep in mind that you also have responsibilities to the people whose information you store using Trunk.
Our customers entrust us with very important data for their businesses. Keeping your data secure and private is of the utmost importance, and so we are careful to follow industry best practices. A lot goes into online security, but here are some of the main things we do that might interest you:
- All connections to our Service are encrypted using 256-bit encryption.
- We never store passwords as plain text – they are always hashed and salted securely using bcrypt.
- Our infrastructure provider is Google Cloud and our primary servers are located in the United States of America. Even though GDPR is a European regulation, it does not require that data be hosted physically within the EU.
- All Trunk employees are required to use non-SMS 2FA on all first- and third-party services. When non-SMS 2FA is unavailable, we require use of SMS 2FA. We always require strong passwords, regardless of 2FA availablility.
- We regularly perform external vulnerability scans and application penetration tests to monitor the status of our security efforts.
Data processing officer
We have appointed a Data Protection Officer. They may be contacted at email@example.com.
Data breach notification plan
We work hard to keep our software secure so that there are no data breaches. In the event that there is a data breach, we have a plan in place that fully complies with the requirements laid out by GDPR. You can read our full plan below. To summarize, if we become aware of a data breach, we will notify any of our customers who may have been impacted and provide them with the appropriate information so that they can also comply with their responsibilities as a Data Controller.
The specifics of our response to a data breach would of course depend on the details of the breach itself (the method of the breach, what data was compromised, etc.) but here is an outline of how we will approach the situation:
The first step in responding to a data breach is knowing that one has happened in the first place. We monitor the status of our security with technology (running penetration tests and network scans) as well as policy (training employees on what to look out for, making sure issues are escalated appropriately).
If we ever identify a breach, or even notice something out of the ordinary that justifies investigation, we will take the following steps:
Assigning roles and responsibility
At any company, the best way to ensure that an issue is taken seriously is to make sure that it has the attention of top leadership. Trunk has one individual who will personally handle all security concerns. James Hu, the Founder and CEO, will be responsible for organizing the company-wide response, assigning roles, and ensuring that we do everything outlined in this document and more to handle the situation as thoroughly as possible.
Every member of the company knows that if there is ever a security concern, the issue should go directly to the CEO without any delay.
Investigate the type and scope of the breach
Breaches can happen in many different ways. For instance, they can be the result of a technical or social failing on our end. In many cases however, the customer may have been tricked into giving their login information to the attacker and it might not be the result of insecurity in the Service at all.
In order to decide how to respond to a breach, we must first understand how the breach happened. We will seek to answer the following questions as quickly as possible:
- Was there some sort of failure in our technology or processes that enabled the breach?
- What data was accessed?
- What was (or might have been) done with the data?
- Who was impacted?
Address immediate threats
If we find that the breach was caused by a customer’s login information being compromised, we will disable access for the account in question until we are confident that the rightful owner is the only one with access. In some cases, this can take several days or longer as there may be legal issues outside of our control that must be adjudicated to first.
If we determine that the breach occurred due to a vulnerability on our end, we will work to fix whatever the vulnerability was as quickly as possible to prevent further damage. If a situation like this ever arises, every employee at Trunk who can be helpful will treat this as their top priority and set aside any other responsibilities until the problem is resolved.
Notify the appropriate parties of the breach
This step will depend heavily on the details of the breach. For example, in the situation where a specific user is phished, they will likely already know about the breach and it wouldn’t impact our other customers. But in the situation where our database is actually compromised by a hacker, that would potentially impact all of our customers.
Our general guideline is that if there’s a reasonable possibility that the breach will have a negative impact on a customer, we will notify them quickly. "Quickly" can mean different things depending on how long it takes us to conclude our investigation. When possible, our goal would be to send notifications no more than 72 hours after we become aware of the issue.
Regardless of the nature of the breach, all third-party service platforms that we connect with will be notified within 24 hours since the issue was first detected.
Note: If you are in the EU then you may be subject to the GDPR data breach notification rules. This basically means that if you are storing private information about a person in our system and that data is breached, you may be responsible for notifying that person the same way we are responsible for notifying you (this is true with any service you use, not just us). If this happens, we will work with you to make sure that you have all the information possible so that you can comply with the GDPR.
Trusted third-party services we use
We may share data with the following third-parties, also known as Subprocessors under GDPR so that we can offer our Service to you, and so that we know how to continue improving our Service to remain valuable to you:
- Bugsnag for error and crash reporting.
- ChartMogul for financial reporting.
- Cloudflare for DNS, CDN, and DDoS mitigation.
- FullStory for session analytics.
- Google AdWords for tracking performance of advertisements we buy.
- Google Analytics for website analytics.
- Google Cloud for hosting our infrastructure.
- Intercom for sales, marketing, customer support, and onboarding.
- Mailgun for sending transactional emails.
- Papertrail for log management.
- Segment for analytics routing.
- Skylight for performance monitoring.
- Stripe for payment processing.
Information we collect on our customers
If you have a Trunk account, we are the Data Controller of your personal information (PI). The data below is stored locally within our systems (unless noted otherwise) and may also be stored in a third-party service listed above:
- Your organization's user names and email addresses.
All logs are scrubbed of sensitive info (passwords, tokens, etc.) locally before being sent over the wire.
Data subject rights
Our customers and your customers, the Data Subjects, are entitled through their Data Subject Rights (DSR) to access ("Right To Access"), export ("Right to Data Portability"), change, and permanently delete ("Right To Be Forgotten") all their data from our systems.
If we receive a request from one of your customers (a Data Subject) to access, change, export, or delete their data stored within our systems, we, the Data Processor, will forward the request to you, the Data Controller, without delay.
We, the Data Processor, will not change, export, or delete data on or for any of your customers, a Data Subject, unless it is required by law or by our Terms of Service, or unless we have received documented instruction from you, the Data Controller, to do so.
DSR requests can include personal data of other individuals, like your employees or customers that you have provided to us and who have requested this of you. We will respond to these requests within 14 days or less, which is well within the GDPR requirement of 30 days.
DSR requests may be sent to firstname.lastname@example.org.
Lawful basis for processing
GDPR requires that we establish that our data processing is legally justified. We only collect data that is necessary for the purposes of making the Service valuable to you.
As explained above, we are in the role of Data Processor and you are the Data Controller. If you store your customers' information in our systems, you can be confident that we are handling GDPR compliance on the data processing side of things (and as the Data Controller of your data) but you are still responsible for being compliant as a Data Controller of your customers' data.
If you're concerned that you aren't in compliance, we encourage you to research this topic in more detail. A good starting point is to ensure that you honor the individual rights laid out in the GDPR regulations to your customers.
Revisiting GDPR compliance regularly
As part of our commitment to remaining GDPR compliant and respecting the privacy of our users, we will revisit this document at least once per year to ensure that all of the information is accurate and up-to-date. If you have questions or concerns, contact us at email@example.com.
We collect non-personally-identifying information of the sort that web browsers and servers typically make available such as the browser type, language preference, referring site, and the date and time of each visitor request. We also collect potentially personally-identifying information like Internet Protocol (IP) addresses.
Our purpose in collecting non-personally identifying information is to better understand how visitors use our Service and to better provide related content to its visitors. From time to time, we may release non-personally-identifying information in the aggregate (e.g. publishing a report on trends in the usage of our Service).
Cookies are files with small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Tracking technologies also used are beacons, tags, and scripts to collect and track information and to improve and analyze our Service.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service or they may not work properly.
Examples of cookies we use:
- Session cookies for operating our Service.
- Preference cookies for remembering your preferences and various settings.
- Security cookies for security purposes.
Information disclosure to third-parties
We do not sell, trade, or otherwise transfer your information to third-parties. This does not include sharing a limited subset of your information with trusted third-parties (our Subprocessors), who assist us in operating our Service, conducting our business, or servicing you, so long as those parties agree to process this information in accordance with their DPA.
We may also release your information when we believe release is appropriate in order to comply with the law, enforce our policies, or protect ours or others' rights, property, or safety.
We are in compliance with the requirements of COPPA (Children's Online Privacy Protection Act). The Act was passed by the U.S. Congress in 1998 and took effect in April 2000. COPPA is managed by the Federal Trade Commission (FTC). We do not collect any information from anyone under 13 years of age. Our Service is directed to people who are at least 13 years old or older. If you are under 13 years old, you cannot use our Service.
Terms of Service
Please also visit our Terms of Service section establishing the use, disclaimers, and limitations of liability governing the use of the Service.
If there are any questions regarding this document, you may contact us at firstname.lastname@example.org.