As an analytics provider that collects personal data about billions of people across thousands of customers, we’ve taken a proactive approach to data privacy. We’ve taken a number of measures to ensure that we and our customers are ready for the EU’s General Data Protection Regulation, commonly known as GDPR, which goes into effect on May 25, 2018.
Update: Our session replays are also private and secure by default, and fully GDPR compliant. Learn more about session replays here.
What Heap is doing to be GDPR-ready as a data processor
Heap has taken various steps to give customers confidence that the use of the Heap Service will be consistent with the GDPR when it goes into effect on May 25.
Here are the measures we’ve already completed to work toward GDPR-readiness:
Independent of the GDPR, Heap has always had an industry-standard data security and privacy focus. We’re always investing in these areas to make these measures even more robust.
After the GDPR was announced, we worked throughout 2017 and early 2018 to strengthen internal processes and policies and to make the other changes required to be GDPR-ready. As an additional measure, during February 2018, Heap went through a third-party GDPR gap analysis to determine whether any gaps remained in our GDPR readiness.
We’ve rewritten our Data Protection Agreement (DPA) to be GDPR-ready and contractually affirm our GDPR-readiness. If the GDPR applies to your company and you don’t already have a DPA in place with us, email us at firstname.lastname@example.org and we will be happy to send you our DPA.
We’ve built internal processes to make it straightforward to comply with data subject rights under the GDPR, including the right to erasure. When our customers receive inquiries from data subjects, they can forward those to us and know that we’re able to meet the requirements. For more details on data subject rights, see the overview at https://gdpr-info.eu/chapter-3/
We’ve developed deletion tools to support our customers and we have built an external User Deletion as well.
We have appointed Kate Helin as our Data Protection Officer (DPO). She can be contacted at email@example.com.
Here are further measures toward GDPR-readiness that are still in progress but will be complete before May 25, 2018:
We’ve conducted an internal audit of third-party services to determine if they would be considered subprocessors of Heap customer data. We’re in the process of signing GDPR-compliant processing agreements with each subprocessor that we identified. As of April 2018, we have identified 2 subprocessors.
We are training staff on how to respond to GDPR requests and adding processes for ongoing training of new and existing employees.
We will revise the information policies in our official employee handbook (signed by all Heap employees upon employment) in accordance with GDPR.
What you need to do as a Heap customer
If you’re based in the EU or are otherwise affected by GDPR, you may want to sign a Data Protection Agreement (DPA) with us if you haven’t already. Email us at firstname.lastname@example.org if you need to do this.