Learn how Unito complies with GDPR rules and regulations and how that affects our users.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European regulation strengthening the security and protection of personal data.
What is Unito's role under GDPR?
Unito acts as both a "data processor" and a "data controller" under the GDPR.
Unito is a "data processor" when downloading and transforming personal data contained in synced tasks, cards, and issues. This personal data can include, for example, assignee or commenter names and email addresses.
Unito is also a "data controller", as we need to collect information to set up and run our services and to provide timely customer support. This customer information includes things such as customer name and contact information.
Does Unito comply with GDPR?
What personal data does Unito collect?
We store data that customers have given voluntarily. For example, to be able to provide support, we may collect and store contact information, such as name and email address, when customers sign up for our products and services. In order to connect to the synced tool, we also collect OAuth tokens, which are fully encrypted and treated as confidential and restricted data.
When processing and syncing task data, Unito does not permanently store any contents and relies only on checksums to detect changes.
Does Unito transfer data internationally?
The GDPR restricts transfers of personal data outside the EU: export to non-EU recipients is prohibited unless the export meets certain criteria. Unito is hosted on Amazon Web Services in the United States, and customer support operations are performed in Canada, which is recognized by the EU as providing adequate protection.
Finally, although the Court of Justice of the European Union invalidated the EU-US Privacy Shield as a mechanism to transfer data outside of the EU, the same ruling confirmed that companies can continue to use Standard Contractual Clauses (SCCs) as a valid mechanism for transferring data outside of the EU. Since then:
We confirmed that the Data Processing Addendums (DPAs) we have with our own sub-processors have these SCCs.
We enriched our own DPA with the SCCs.
We reviewed the technical and organizational measures protecting our users’ personal data.
Who should I contact if I have questions regarding GDPR or my personal data?
Please contact us for more information.