EU Data Protection & GDPR Compliance

Summary

When you use our service, you entrust us with your personal information. Protecting that data, and giving you mechanisms to control it, is our priority. Users located in the EU are subject to particular regulations, and have particular concerns, regarding how their data is managed. This page outlines how we manage data as it relates to EU users.

Privacy Policy

We outline our policies related to user privacy in our Privacy Policy. This policy was updated on May 25, 2018 to comply with GDPR requirements. All users are required to agree to our privacy policy in order to create an account with Ghost Inspector.

Security & Data Center

Ghost Inspector’s service is hosted entirely on Amazon Web Services (AWS). This includes all of our offered services, our global test-running geolocations, and data storage (including backups). While Ghost Inspector itself has not undergone a SOC audit (the cost is prohibitive relative to our current size), AWS has undergone such audits and provides the reports on its website.

We use a number of controls designed to prevent unauthorized access to your personal data. We restrict access to personal data only to our employees, contractors and agents who need to know this information in order to operate, develop or improve our service.

For more details regarding security at Ghost Inspector, please visit our Security page.

GDPR (General Data Protection Regulation) Compliance

The GDPR (General Data Protection Regulation) is a piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. The regulation became effective and enforceable on May 25, 2018.

GDPR adds new requirements regarding how companies must protect the personal data they process. It also raises the stakes by increasing enforcement and imposing greater fines for non-compliance. We have taken the measures needed to bring our service into compliance with GDPR, and our policies and practices are reviewed regularly to ensure on-going compliance.

Access to your Information (DSR requests)

Our service provides a number of built-in features for updating, exporting and deleting your data. This includes an interface for updating your personal and company information, export features for your tests and suites, as well as the ability to close your account entirely.

Closing your account immediately and permanently deletes all data from your account. Your personal information may remain for a short time within our support system (if you have contacted us) and within our database backups; it is purged from those after 60 days and 180 days, respectively.

If you belong to a paid organization when you close your account, that organization’s data will remain intact. Paid organizations can be canceled but their information will remain by default to enable reactivation (which is fairly common). Information can be purged at the request of an administrator of the paid organization.

We are happy to service manually any request that cannot be adequately handled using the features detailed above. We have an online form that can be used to make a DSR request; alternatively, you may contact us directly with your request. We will always respond to these requests within 30 days, as required under GDPR.

Data Processing Addendum

We offer a Data Processing Addendum (DPA) to our customers operating in the EU. Our DPA offers contractual terms that meet GDPR requirements and reflect our data privacy and security commitments.

To ensure that no inconsistent or additional terms are imposed on us beyond those reflected in our DPA, we cannot agree to sign DPAs provided by our customers. As a small business without a staffed legal team, it is prohibitively expensive for us to review other DPAs or make customizations to our own.

If you are an EU-based customer of Ghost Inspector and you are interested in establishing a DPA, please contact us with your company information and we will follow up in a timely manner.