EU General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR) went into effect on May 25, 2018. BrandSSL is compliant.
Does GDPR affect me?
If you’re based in the EU or do business in the EU, yes! GDPR has a long reach. If you have any EU personal data in your BrandSSL account, such as names, email addresses, ID numbers, or… anything personally identifiable, then GDPR applies. You are a Controller of personal data under GDPR, so you need to enter into GDPR-compliant data processing agreements with any online services and third party vendors you rely on, including BrandSSL. These agreements are commonly called a Data Processing Addendum, or DPA.
You can read the full General Data Protection Regulation here.
GDPR’s concept of ‘Personal Data’ is explained in this article.
How is BrandSSL compliant with GDPR?
We take the security of your data very seriously here at BrandSSL. Protecting our customers’ information and their users’ privacy is extremely important to us. We are dedicated to assisting our users to help them remain compliant with GDPR.
These are the measures we’re have taken to ensure that BrandSSL and all our users meet GDPR requirements:
Tools and features to help you comply with GDPR
As a data processor, we have released features and tools that will help you comply with data requests from your users.
- Ability for you or your team members to delete customer domain records
Tools and features to help us comply with GDPR:
- Automated application endpoint deletion
- Data export tool
BrandSSL uses third party subprocessors, such as cloud computing providers and customer support software, to provide our services. We enter into GDPR-compliant data processing agreements with each subprocessor, and require the same of them. List of BrandSSL subprocessors.
California Consumer Privacy Act (CCPA)
In the CCPA, there is an important distinction between what are referred to as “service providers”, “businesses”, and “third parties”. You can see how the regulation defines these words by visiting the California Attorney General’s website: https://www.oag.ca.gov/privacy/ccpa.
Under the CCPA, BrandSSL is a “service provider.” That means when we process data you provide, we do so solely for the purpose you signed up for. Our business model is simple: we enable businesses to provision SSL certificates for their customers vanity domain names. We do not sell personal information or use your data for any other commercial purposes unless with your explicit permission.
Relevant US laws
The US does not have a national consumer privacy law akin to GDPR. We’d love to see one put in place and until then, shout out to California for leading with the California Consumer Privacy Act.
There are national US security laws that are relevant to GDPR. Chief amongst them are: the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12-333. FISA establishes ways for US law enforcement and intelligence agencies to gather information within the US about non-US entities suspected of espionage or terrorism. Executive Order 12-333 sets out how US intelligence agencies can gather information, including outside the borders of the US.
Virtually every American software service is subject to FISA. That includes all the American big tech companies you can think of as well as any European service that uses cloud infrastructure from Amazon Web Services, Microsoft Azure, or Google Cloud Computing. It also includes American companies like us, BrandSSL Inc.. However to date, BrandSSL has never been served a FISA order or National Security Letter.
Even so, these laws are relevant for why extra mechanisms need to be in place to allow the legal transfer of personal data from the EU to the US. Since GDPR went into effect in 2018, BrandSSL has offered a data processing addendum. Currently, the data processing addendum is the primary mechanism as the Privacy Shield frameworks were invalidated in July and September 2020 respectively.
We take security seriously here at BrandSSL, and it has been our focus from day one. As part of GDPR compliance we continue to review our security measures and responses on an ongoing basis to remain compliant.