The European Union General Data Protection Regulation (GDPR) is a regulation that aims to unify the data privacy regulations of EU member states into a single regulation, enforced across the EU single market. This article describes the GDPR compliance status of Noticeable.

To ensure your company is GDPR-compliant, it needs to ensure its providers (e.g. Noticeable) are also GDPR-compliant. Noticeable is GDPR-compliant, and strictly enforces the regulation to protect the user data we store. The list of our providers (i.e. Data Processors) is available, and kept up to date, in our Data Processing Agreement (DPA).

Noticeable's data processor providers have been verified to be GDPR-compliant (Cloudflare, Stripe) or certified under the EU-US Privacy Shield Framework (Firebase Authentication, Firebase Hosting, Cloud Firestore for Firebase).

Some believe that EU personal data cannot leave the EU in order to comply with GDPR; this is not true.

Noticeable and GDPR

The GDPR regulation can be reduced to 12 important points. For each point, we explain how Noticeable handles its compliance. If this article does not answer your questions, you can still contact us by chat or email.

1. Awareness

All employees responsible for software development & infrastructure maintenance of Noticeable are fully aware of the GDPR requirements.

Also, code reviews are performed by the Data Protection Officer (as listed in this article) before any code deployment to the platform. This ensures that security flaws and bad practices are not introduced by, for instance, a temporary third-party contractor or a Noticeable employee, even one aware of the GDPR requirements (the review acts as a second human safety check).

2. Information we hold

Noticeable stores data on 2 kinds of parties:

Our customers (i.e. the customer using the Noticeable service to publish updates and measure adoption).
Our customers' end-users (i.e. the users of our customers).

Noticeable does not share, or resell, any kind of user data (whether data about our customers or about their end-users, as described above). Our business model is solely based on paid subscriptions (i.e. the user is not the product).

2.1. Information held on our users

Noticeable collects account information for each user (we refer to them as customers in this article), including:

User full name, email, job title, and profile picture.
User payment details (includes invoicing information, company address and country — the credit card number is stored by Stripe).
Company updates (known as posts).
Message exchanges.

2.2. Information held on our customers' end-users

Information held on our customers' end-users includes:

End-user full name (if sent via our SDK by the customer).
End-user email address (if sent via our SDK by the customer).
End-user geolocation (if emoji reactions or feedback feature is enabled by the customer).
End-user emoji reactions (if the feature is enabled by the customer).
End-user feedback (if the feature is enabled by the customer).

We log user activity in system logs, including IP address, user agent and time of connection. These logs are used solely for debugging and lawful purposes and are retained for a maximum of 1 year. This log retention policy is subject to French law (i.e. if the judiciary sends us a search warrant, we have to respond and provide up to 1 year of logs containing the requested information).

Name, email address, location, emoji reaction and feedback data on our users' end-users are solely the responsibility of our users (i.e. the individual websites using Noticeable). It is the responsibility of our users not to pass via our SDK data they do not want us to store, and to disable the features that collect emoji reactions or feedback data. It is our responsibility to secure access to this data (i.e. only project collaborators can access it, and only owners have the right to rectify and delete it).

3. Communicating privacy information

Noticeable customers' and users' privacy terms are clearly communicated in our Privacy information.

Noticeable customers' end-users' privacy terms are the sole responsibility of Noticeable customers. They should be announced on the Noticeable customer's website.

4. Individuals’ rights

Noticeable customers' rights under GDPR are considered and enforced, including:

Right to be informed: we clearly inform our users about the use that will be made of their data.
Right of access: our users can access all their data, without restriction, from the Noticeable apps.
Right of rectification: it's as simple as contacting us, we'll process all your rectification queries.
Right of erasure: it's as simple as contacting us, we'll process all your erasure queries.
Right to restrict processing: as with the previous rights, it's as simple as contacting us.
Right to data portability: our users may contact us anytime if they wish to get an export of their data (this may take time as data is fragmented among multiple isolated data-stores).
Right to object: we handle all requests on this matter from our users and users' end-users (contact us).
Right not to be subject to automated decision-making including profiling: we don't do that (and never will).

5. Subject access requests

Noticeable replies to all access requests (positively or negatively) within 2 weeks (the legal limit under GDPR is 1 month).

We offer this free of charge for our customers.

6. Lawful basis for processing personal data

Noticeable stores user data on the basis of consent. It is the Noticeable customers' responsibility to ensure user data is lawfully collected when they use our features. For instance, if the emails collected from a Timeline page get reused for marketing campaign purposes, either on Noticeable or on an external system, the Noticeable customer has to ask for the user's consent when collecting that email.

7. Consent

Consent is provided explicitly by our users when performing an action or a task (e.g. when they provide user data).

Noticeable allows its customers to submit user data in an automated way, via a frontend JavaScript API and a backend GraphQL API, for instance by attaching an email, avatar or name to a feedback entry when the user is already signed in to the customer's website. This data must have been provided by the customer's user with consent, as it is propagated to Noticeable automatically (if the customer has implemented such an API call in their source code).

8. Children

Noticeable does not offer online services to children, due to the nature of the service provided (business-to-business). Thus, we did not find it relevant to verify the age of users signing up for the service.

Children might still be able to use the Noticeable services from the website or apps of a Noticeable customer. To that extent, the Noticeable customer is responsible for ensuring that their own users and activities comply with regulations concerning children.

9. Data Breaches

Our team closely monitors for any unauthorized system access and has put in place multiple preventive measures to reduce the attack surface of our systems and services. In 2 years, Noticeable has had 0 major security issues, with only a few minor ones, which we fixed the same day they were reported (none of them would have allowed a compromise or data breach).

Security researchers and users can submit a security report to security@noticeable.io, as explained on our docs page; we process reports on the same day. We also pay bounties for valid security flaws that are reported to us. We have already paid such bounties to independent security researchers who reached out to us and disclosed minor security flaws responsibly (i.e. the report was not publicly disclosed before a fix was issued).

Here are a few measures we took to reduce our attack surface:

Aggressive use of firewalls and network isolation in our infrastructure.
No access to our server systems is allowed from the public Internet; trusted administrators from the Noticeable team need to connect via a trusted VPN network.
We monitor for security flaws in every library used by our running backends, and patch them as soon as an update is issued.
Use of two-factor authentication on all our sensitive accounts (e.g. hosting provider).
Isolation of data stores and sensitive backends on different servers.
All platform backups are stored privately.

The points listed above help to reduce the probability of a major data breach occurring. You can read more on how Noticeable manages security there.

Noticeable will notify its users of any data breach at most 24 hours after learning of it and fixing the flaw. It is then the responsibility of our users to report this data breach to their end-users in due time.

10. Data Protection by Design and Data Protection Impact Assessments

Whenever Noticeable develops a new system, security comes first when designing its architecture. Our first goal is to protect the integrity of the new production system, and the second goal is to protect the user data stored and used by that system.

Noticeable developers are well educated in software and network security, which has helped us build secure-by-design software over time.

11. Data Protection Officers

Noticeable designated a Data Protection Officer (DPO), as required by GDPR:

Laurent Pellegrino
Email: laurent.pellegrino@noticeable.io
Phone: +33665262907
Address: 1 Chemin des rosiers, 06800 Cagnes-sur-mer, France

12. International

Noticeable may, via its customers, process data from individuals across all EU member states.

Noticeable's main establishment is in France, thus its supervisory authority is based in France.

Noticeable is operated by Laurent Pellegrino, a French micro-enterprise, identified as:

ID / SIREN: 810697763
1 Chemin des rosiers, 06800 Cagnes-sur-mer, France
Email: laurent.pellegrino@noticeable.io
Phone: +33665262907