As an EU based company we are very soon (May 25th) forced to be compliant with the new extensive privacy regulations - and thus only use companies that are compliant as well.
I can't find anything at Flowdock mentioning this. Slack has a great information page about this: Slack's Plan for GDPR Compliance | Slack
Most of the US-based companies go with a Privacy Shield + Data Processing Addendum.
What are your plans regarding this?
All EU based companies require that you are compliant, or we could be forced (by the threat of huge fines) to take our business elsewhere.
I'm eagerly awaiting your response.
CEO @ Reload
GDPR: our commitments to you
CA believes privacy and protecting data are core aspects of trust in today’s Modern Software Factory. We take our own data protection commitment to you and your customers very seriously. We are acutely aware that we need to earn and maintain your trust on a daily basis.
The GDPR is a far reaching new law that will come into effect on May 25, 2018. Its objective is to further strengthen data protection for individuals and to harmonize the law in this area across the European Union. Enforcement of the regulation will be backed by heavy fines.
CA views the GDPR as a core part of the global trust framework. We want to outline our commitments to you regarding our own GDPR implementation.
What CA is doing to be compliant: CA has a global privacy team, led by our Chief Privacy Officer and a global privacy team. We already have robust processes in place across the world to ensure your data and that of your customers is protected and treated in line with global laws and regulation. We have worked on ensuring that our existing data practices globally are in line with the new requirements in the GDPR.
To see our Privacy Statement and learn more about how we handle your data, visit www.ca.com/privacy.
What we are doing to ensure you can use CA products in a GDPR-compliant manner: The GDPR is focused on organizational compliance instead of product level compliance. However, we attach the utmost importance to how we build our products and have adopted a Privacy and Security by Design approach. Our products are designed with privacy and security in mind and as a core component of our development process.
As a data controller, you will need to ensure you are compliant with your own obligations under the GDPR. However, if you buy a CA product, we aim to ensure that you can use our products in a GDPR-compliant manner, helping you to satisfy your obligations under the GDPR. For example, we design our products to facilitate data minimization and provide better insight into and control over your data flows in order to make it easier for you to satisfy your GDPR obligations as a data controller.
How does this relate to the real world? We want to give you some real-life examples of a couple of our products and how they relate to the GDPR. This is definitely not meant to be an exhaustive list of all of our products, nor of all GDPR related questions that could arise with a specific product, but we hope that it helps provide context for how CA can help you tackle the challenges posed by the GDPR.
I am a CA Agile central customer. Is the hosting by CA of my personal data respecting the GDPR requirements?
Answer: We do have regional data centres, including in the European Union (EU). In the event that your data for a specific product isn't hosted in the EU, the GDPR allows for such data flows outside of the EU if specific legal tools are used. CA has invested in a range of legal tools to enable our data and that of our customers to be transferred around the world, respecting laws like the GDPR. CA has invested in these tools, like EU – US Privacy Shield and Standard Contractual Clauses, going beyond what many other technology companies have done. Our data flows therefore respect the GDPR requirements. If you want to learn more about our data transfer setup, see https://www.ca.com/us/legal/privacy/data-transfers.html.
I use a CA Technologies Project Portfolio Management (PPM) product. Is the PPM product GDPR compliant and does it help me, for example, to comply with my requirements to respond to data subject rights? Is my data hosted in the EU?
Answer: The GDPR doesn't require the PPM product to be GDPR compliant as such. Instead, it focuses, for example, on the question of whether you, as a data controller in Europe, have clear visibility on what personal data you are inputting into/deleting from the product. CA has a responsibility in the back end as a data processor. If we touch on personal data, we ensure that it is secured in our systems in line with GDPR requirements. We can host your instance of PPM in our regional data center in the EU. However, should a data transfer be required outside of the EU, we have a range of legal tools in place to ensure we do so in compliance with the GDPR.
I am a customer of CA payment security. How can I rest assured that it is complying with the GDPR requirements around security?
Answer: CA has strong security policies in place to comply with the GDPR. We maintain a high standard for security and have multiple third-party validations for many of our SaaS offerings. CA payment security adheres to the strict PCI standards that include encryption of data in motion and data at rest. We maintain a robust Incident Response Plan, reviewed bi-monthly with annual table top exercises to ensure that we are prepared to respond to any security event. Should we experience a personal data breach that affects you, CA will tell you without undue delay, to enable you to comply with your obligations under the GDPR.
GDPR compliance is a shared journey - your feedback: We also constantly take on board customer feedback regarding features in our products, including regarding their GDPR compliance journey. For example, we have integrated a feature in our PPM product that supports you in your efforts to respond to data subject right requests, such as the deletion of personal data. Let us know if there are other ways we can further improve our products supporting you on your GDPR compliance journey.
How our products help:
Adoption of and adherence to GDPR obligations requires a thorough approach, both at the process as well as the technology level. CA can help with a
to make it easier for you to satisfy your obligations under the GDPR.
For an overview of some of our products, please visit www.ca.com/GDPR