Information about your privacy and General Data Protection Regulation efforts


The European General Data Protection Regulation (“GDPR”) introduces a new set of rules for the processing of personal data. GDPR is the most modern and fully integrated data privacy legislation to date, and its applicability does not stop at the borders of the European Economic Area (“EEA”). Amplus Forms has embraced the requirements of GDPR, and we consider GDPR the benchmark for our privacy and data protection efforts. Below you’ll find information about GDPR, as well as answers to common questions about data protection and privacy at Amplus Forms.

You should also consult our Privacy Policy and Terms of Service for further details on these topics.

Why GDPR should matter to you

GDPR modernizes outdated privacy laws and impacts your organization if you collect or process data in or from Europe. If you’re based in Europe, or you work with persons that are in Europe, then you likely need to comply with GDPR. Fines of up to €20,000,000 or 4% of global annual revenue, whichever is greater, could be levied on you if your organization is impacted and is not compliant with GDPR regulations.

How to prepare for GDPR

If your organization is impacted by GDPR, then you need to make sure you are compliant with the legislation before it commences on May 25, 2018. The good news is that we make it easy to use Amplus Forms in a GDPR-compliant way!

The following steps are recommended to achieve compliance.

NOTE: We’re not lawyers! If you’re unsure about your compliance status, please seek your own legal advice.

Review your vendors/suppliers and data flows

Make a list of your software and other vendors, and document the data flows across your business: what type of personal data you collect and who has access to it. It’s likely that you will need to put agreements in place that assure data protection with any vendors who may handle personal data (personally identifiable information, or PII).

Review the Amplus Forms DPA if applicable

If you are an Amplus Forms client and are a data controller under GDPR, then you should review our online Data Processing Addendum (DPA) as it applies to you. The Amplus Forms DPA is incorporated into our Terms of Service, so by having acknowledged our Terms of Service and continuing to use Amplus Forms, you have already accepted our DPA. If you need to explicitly sign a data processing agreement with Amplus Forms, please email your company’s legal name and address to support@amplusforms.com and request a copy of our DPA.

Identify and mitigate your risks

Perform a risk assessment within your business to identify any gaps that need to be addressed for meeting GDPR compliance.

Implement ongoing compliance

Plan and implement your GDPR compliance activities ahead of the May 25, 2018 deadline, and then ensure that compliance continues thereafter as an ongoing discipline for your organization.

Q. What if I have a question or dispute about my personal information?

Any questions or disputes about your personal information can be raised with support@amplusforms.com. We will answer you within 2 business days.

Q. What is GDPR?

“GDPR” or “General Data Protection Regulation” (EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) is the new European privacy legislation. It aims to unify legislation throughout the EU with the intention to:

  • increase the general awareness of data privacy
  • allow individuals to take control over their privacy and their fundamental rights, and
  • strengthen security requirements throughout companies and organizations.

Q. Where/when does GDPR apply?

GDPR goes into effect on May 25, 2018 and applies to:

  • all organizations established in the European Economic Area (“EEA”), and
  • organizations, whether or not established in the EEA, that process personal data in connection with either the offering of goods or services to natural persons in the EEA or the monitoring of behavior that takes place within the EEA.

From the moment there is processing of personal data in the EEA, or from the moment a person located in the EEA is referenced, GDPR will apply (regardless of whether the processing entity is located in the EEA). Though Amplus Forms is an American company, with no offices or personnel within the EEA, GDPR is still applicable for all EEA-located clients of Amplus Forms.

Q. What does the Amplus Forms Platform do?

Amplus Forms markets a solution that allows the rapid creation of data-driven business apps on mobile and desktop devices, all with no programming required. This enables businesses to reduce paper, enhance productivity and improve accuracy in a wide variety of industries and field usage scenarios. The most common use case of our platform is replacing paper forms. Forms and their associated workflows become powerful data-enabled workflow applications that work online or offline.

Amplus Forms offers this “end to end” platform for creating custom business apps, securely capturing and accessing data through these apps, safe cloud-based storage of data, and connection/integration of data with other external services.

Amplus Forms is offered as “Software as a Service” (“SaaS”), which is a licensing and delivery model where software is centrally hosted and made available to multiple customers over a network, including through interacting applications (including mobile/desktop apps, web browser, and/or connectors to third-party systems).

Personal Data (as defined by GDPR) is only processed by Amplus Forms under the control and direction of Amplus Forms clients.

Q. Who is the “Controller” and who is the “Processor” under GDPR?

Amplus Forms clients decide the nature of data being captured and stored, and they choose which individuals interact with the Amplus Forms platform (thus in turn whose personal data is captured and processed).

It is thus you, as an Amplus Forms client, who legally acts as the “Controller” as defined under GDPR. Amplus Forms provides the means (the Amplus Forms platform) for Amplus Forms clients to capture data and interact with their respective users, clients and other parties.

As such, Amplus Forms is only processing personal data for, and on behalf of, Amplus Forms clients as a “Processor”, as defined under GDPR. The only case where Amplus Forms acts as a Controller is during a limited set of direct interactions with Amplus Forms clients (these being governed by the Amplus Forms Privacy Policy).

Q. What is Amplus Forms doing to meet GDPR requirements?

Amplus Forms has undertaken several initiatives to meet GDPR requirements:

Encryption of data at rest and in transit

All data stored within the Amplus Forms Platform is encrypted on the servers, whether it sits in a database, a storage service or file backups. All data transport between servers, services and/or devices (both internally and externally) occurs exclusively over SSL-encrypted transport protocols.

Dedicated GDPR and Privacy Information page

We have created a dedicated webpage with detailed information about Amplus Forms’ privacy efforts at https://www.amplusforms.com/gdpr.

Security Team Officer (STO)

The Amplus Forms STO supervises our entire data privacy program and works in close conjunction with Amplus Forms and external team members on matters relating to security, data protection and privacy.

Data Processing Addendum (DPA)

Amplus Forms provides a standard DPA for clients needing to sign one between us and them. The DPA clearly outlines the data processing terms between Amplus Forms and a client, and it only requires an Amplus Forms client’s signature to complete. This allows Amplus Forms’ European clients to provide the signed DPA to auditors, demonstrating that the Amplus Forms Platform is used to process data in a way that meets their GDPR compliance obligations. Please email us for a pre-signed copy of the DPA.

“Is Personal Data” flags for data entities in the platform (e.g. forms and data sources)

The Amplus Forms Platform now provides new checkbox options to allow Amplus Forms clients to flag/identify data fields that contain personal data. This, in turn, allows the Amplus Forms Platform to anonymize these fields when data leaves the Amplus Forms Platform (e.g. via manual export, connector integrations, and/or the Amplus Forms Platform API).
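To make the mechanism concrete, here is an added example (written for this page, not code from Amplus Forms) of how a per-field “is personal data” flag can drive anonymization at the point where records leave a platform. The schema format, the field names, the `is_personal_data` key and the sample submissions are all constructed assumptions; the page does not document the platform’s internal representation. The example goes slightly beyond the text in two ways a practitioner would want: flagged fields are replaced with keyed-hash tokens (HMAC) rather than plain hashes, so exports stay joinable across rows but cannot be reversed or guessed without the key, and any field the schema does not declare is redacted by default rather than passed through.

```python
import hashlib
import hmac
import json

# Constructed form schema standing in for a form definition whose fields carry
# an "is_personal_data" flag (an assumption: the real platform schema format is
# not documented on the page).
FORM_SCHEMA = {
    "name": "site_inspection",
    "fields": [
        {"id": "inspector_name", "type": "text", "is_personal_data": True},
        {"id": "inspector_email", "type": "email", "is_personal_data": True},
        {"id": "site_id", "type": "text", "is_personal_data": False},
        {"id": "issues_found", "type": "number", "is_personal_data": False},
    ],
}

# Constructed sample submissions; names and addresses are invented.
SUBMISSIONS = [
    {"inspector_name": "Ada Example", "inspector_email": "ada@example.com",
     "site_id": "S-104", "issues_found": 2},
    {"inspector_name": "Ada Example", "inspector_email": "ada@example.com",
     "site_id": "S-221", "issues_found": 0},
    {"inspector_name": "Bo Sample", "inspector_email": "bo@example.com",
     "site_id": "S-104", "issues_found": 5},
]

REDACTED = "[REDACTED]"


def personal_fields(schema):
    """Set of field ids flagged as personal data in the schema."""
    return {f["id"] for f in schema["fields"] if f.get("is_personal_data")}


def declared_fields(schema):
    """Set of all field ids the schema declares."""
    return {f["id"] for f in schema["fields"]}


def pseudonymize(value, key):
    """Replace a value with a keyed-hash token (HMAC-SHA256, truncated).

    The same value yields the same token under one key, so exported rows
    remain joinable; without the key the token cannot be reversed or checked
    against a list of guessed values, unlike a plain unkeyed hash.
    """
    mac = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()
    return "pd_" + mac[:16]


def anonymize_for_export(schema, records, key=None):
    """Return copies of records that are safe to leave the platform.

    Flagged fields are pseudonymized when a key is given, otherwise redacted.
    Fields not declared in the schema are always redacted (privacy by default:
    unknown data is treated as personal rather than exported as-is).
    """
    flagged = personal_fields(schema)
    declared = declared_fields(schema)
    cleaned = []
    for record in records:
        row = {}
        for field, value in record.items():
            if field not in declared:
                row[field] = REDACTED
            elif field in flagged:
                row[field] = pseudonymize(value, key) if key else REDACTED
            else:
                row[field] = value
        cleaned.append(row)
    return cleaned


if __name__ == "__main__":
    # Example export with a constructed key; a real deployment would keep the
    # key in a secrets store and rotate it according to its export policy.
    export_key = b"constructed-example-key"
    print(json.dumps(anonymize_for_export(FORM_SCHEMA, SUBMISSIONS, export_key), indent=2))
```

Whether to pseudonymize (keyed tokens) or redact depends on what the receiving system needs: a connector that only aggregates counts per site needs no identifiers at all, while a downstream report that must still group rows by the same submitter can work with the tokens. Either way the decision is made once, at the export boundary, from the flags the client set on the fields.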

 

Careful vetting of sub-processors

Each sub-processor of Amplus Forms is vetted by our team in the areas of security, contractual terms, data processing agreements, and EU standard contractual clauses / Privacy Shield.

Up-to-date contractual documents/privacy policies

Our contractual documents have been updated to contain the necessary GDPR provisions, including a data processing addendum, end-to-end confidentiality terms and privacy policies.

Product Development

All new Platform functionality that is introduced from May 2018 onwards will include consideration of the following:

  • the GDPR principles of “privacy by design” and “privacy by default”
  • giving flexibility to all clients while remaining within GDPR guidelines
  • keeping all changes as simple as possible

Q. What is a Data Processing Addendum (DPA) and does Amplus Forms provide this?

If Amplus Forms’ processing of personal data for your organization falls within the material and/or territorial scope of GDPR (articles 2 & 3), the legislation (GDPR article 28) requires that this processing occurs under a Data Processing Addendum (DPA).

The Amplus Forms DPA can be sent to you on request by email. It is incorporated into our Terms of Use, so by having acknowledged our Terms of Use and continuing to use Amplus Forms, you have already accepted our DPA. You can reference our DPA if you need to show auditors that your use of Amplus Forms meets your GDPR obligations in terms of the data that we process on your behalf.

Q. What types of Personal Data does the Amplus Forms Platform process?

For registered users on the platform, basic contact information is processed (i.e. directly identifiable personal data such as e-mail addresses or names) as well as minimal device information, connection information and geolocation. Other personal information may also be processed by the Amplus Forms Platform through data captured and stored by Amplus Forms clients. While it is not up to us to control what data we receive, this can include items such as contact information, IP addresses, and other data. We process client-submitted data as part of our contractual obligation to our clients, and in accordance with applicable laws, including the GDPR.

Q. Does the Amplus Forms Platform utilize sub-processors? How can I get the list?

We use certain sub-processors to assist in providing the Amplus Forms platform to clients. A sub-processor is a third-party data processor engaged by Amplus Forms that has, or potentially will have, access to or process client data (which may include personal data). Our list of current sub-processors is available in our Data Processing Addendum. To request a copy of that addendum, please email us.

Q. How long does personal data remain on the Amplus Forms Platform?

Amplus Forms production (live) environments

Registered users

  • All personal data relating to a user is either deleted or anonymized within 7 days of the user deletion action. The 7-day period allows for fast recovery if the deletion was accidental.
  • For the avoidance of doubt, deactivation of a user account does not remove the account or its personal data; the account is simply archived.


All other data entities

  • This is determined and configured by Amplus Forms clients, based on their own agreements with their data subjects. The Amplus Forms Platform provides clients with functionality to delete data entities as needed.

Amplus Forms backups

Backups are performed on a regular basis and are kept in encrypted, secure storage for up to 60 days. This means that items deleted in production environments are available for restoration from backups for up to 60 days thereafter.

Amplus Forms test/development environments

Data is occasionally extracted from production to development/testing environments for support, testing and debugging purposes. When this occurs, personal data is anonymized to assure privacy.

Q. Who has access to personal data stored on the Amplus Forms Platform?

Personal data stored on the Amplus Forms Platform may be visible to:

Amplus Forms Clients

Depending on their assigned access permissions, users can view and access personal data collected and/or stored within their Amplus Forms client account.

Amplus Forms employees & contractors

All employees & contractors are trained and contractually committed to following Amplus Forms’ privacy, security and data protection practices.

Sub-processors

We work with carefully selected services to provide aspects of the Amplus Forms platform and may process data with these services as necessary to provide Amplus Forms platform services.

Other third parties if required by applicable law or where Amplus Forms has a good-faith belief that such disclosure is reasonably necessary to:

  1. protect the safety of any person from death or serious bodily injury, or
  2. prevent fraud or abuse


In each case, access is limited to the personal data necessary for the specific purpose of the respective party.

Q. Where is personal data stored? Does it leave the European Economic Area?

The Amplus Forms Platform is hosted on geo-redundant locations (“nodes”) in the United States of America and in the European Union. We understand that some companies and clients have strict rules about where software and data can be hosted. If the above regions are not sufficient to meet your data sovereignty or corporate requirements, please email us to inquire about our plans to host outside these areas or to ask about our managed enterprise server option.

Amplus Forms also provides software features that allow clients to anonymize personal data upon export out of the Amplus Forms Platform.

Q. Is data processed by Amplus Forms used for direct marketing or automated decision making?

Registered administrator users may be contacted by Amplus Forms with news or offers about the Amplus Forms Services. Users can unsubscribe from this communication at any time. Amplus Forms does not use personal data processed through the Amplus Forms Platform for direct marketing purposes, nor does the Amplus Forms Platform employ automated decision-making processes/techniques which create or deny rights to individual persons. We only process personal data under the instruction and control of the Amplus Forms client for the purpose of the Amplus Forms Platform solution.