GDPR
The General Data Protection Regulation (GDPR) is a European law on data protection and privacy which has been in force since May 2018. It imposes rules on companies which deal with personal data. NextFluent strives to be as GDPR compliant as possible itself, all the while helping its customers meet their obligations under the GDPR.
1. Important concepts
To understand how we deal with the GDPR at NextFluent, it is important that you are familiar with the following terms:
1.1 Personal data
Any data that can be used to identify a person. This is a very broad concept, not just limited to names, addresses and contact details. For instance, in some cases, IP addresses can be considered personal data.
1.2 Data processing
Anything you do with personal data: collect it, store it, manage it, analyze it, consult it, share it, sell it. You name it.
1.3 Data subject
The person whose personal data is being processed. In other words, the person who can be identified using the data one has about them.
1.4 Data controller & data processor
The GDPR makes a clear distinction between two roles:
- The ‘data controller’: determines which personal data is processed and for which purposes the personal data is used (deciding);
- The ‘data processor’: processes certain personal data on behalf of the data controller (facilitating).
A party’s responsibilities regarding personal data are different depending on its role.
It is possible for one party to act as a data controller in some cases and as a data processor in others. This is the case for us.
2. Customer as controller and NextFluent as processor
2.1 Customer as controller
When using our assessment software, you enter personal data (e.g. name, email address, etc.) of third parties into your account. These third parties can be your company’s or organization’s customers, leads, business partners, etc. (“contacts”). Basically anyone whose personal data you’ve collected for your own purposes, e.g. to provide your services. You are the data controller in relation to their personal data.
2.2 NextFluent as processor
We facilitate the management of your contacts’ data through our software. By entering their personal data into your account, you are sharing this data with us. Our job is to keep this data, for which you are the controller, available and safe on your behalf. That makes us the data processor here.
Wherever possible, we provide tools and assistance enabling you to meet your obligations under the GDPR. Even though we make reasonable efforts to help you with GDPR compliance, it remains your final responsibility as data controller to meet your obligations under GDPR.
| Contact of NextFluent customer (the data subject: a respondent, user, partner, …) | NextFluent AssessFluence application customer (the data controller) | NextFluent (the data processor) | Sub-processors (hosting, IT infrastructure, standard integrations) |
|---|---|---|---|
| Shares personal data with the NextFluent AssessFluence application | Collects personal data from the contact; enters personal data of its contacts into the NextFluent software | Securely processes personal data on behalf of the NextFluent AssessFluence application customer; shares personal data with other service providers for the purpose of hosting, IT infrastructure and standard integrations | Securely process personal data under the instructions of NextFluent |
2.3 The Data Processing Agreement (DPA)
To clearly define the respective GDPR responsibilities of us (as processor) and you (as controller) we have made sure that there is a DPA in place.
In the DPA, we list the different technical and organizational measures we take to safeguard the security of your data and the reliability of our software. The DPA also sets out a clear and well-defined procedure in case of a data breach.
In addition, the DPA includes a general overview of the personal data which we expect to process on your behalf.
Read the DPA for more information: NextFluent AssessFluence DPA
2.4 Sub-processors
As a processor, we engage a limited number of sub-processors. These parties can process some parts of the personal data, for which you are the controller, for specific purposes.
We rely on these trusted sub-processors for three main reasons:
- to host our applications for you and to make sure they run smoothly;
- to offer certain built-in functionalities (“standard integrations”); and
- to provide customer support.
All of these sub-processors were carefully selected because of their strict data protection policies and thorough security measures. We have made the necessary contractual arrangements with each of them to make sure that they meet the same high standards set forth in our DPA with you.
See the full list of sub-processors: For NextFluent AssessFluence
2.5 Hosting location
All customer data is hosted on servers located in the EU:
For NextFluent AssessFluence: Google Cloud servers in Belgium (EU-WEST-1 region)
2.6 Data deletion
As long as you are a customer with us, we keep the data in your account. You are of course free to delete any data from your account, e.g. to meet your own obligations as a controller regarding data minimization and storage limitation.
When your contract with us ends, you will have the possibility to export the data from your account. We permanently delete the personal data in your account within a short period of time after your contract with us has ended:
For NextFluent AssessFluence: 3 months
The reason we keep the data temporarily after the end of the contract is to be able to restore your account should you wish to do so. You can always ask for the data to be deleted earlier. Once the deletion is done, we can no longer restore your account or provide you with an export of your data.
By deleting the personal data in your account, we effectively anonymize the data. In other words, we no longer have a way to identify your contacts using the data that is left. We retain the remaining anonymized data for research, training, educational, statistical and commercial purposes. This is also clearly stipulated in our terms of service. Anonymous data is not covered by the GDPR and can be used freely.
3. NextFluent as controller
We are a data controller when we decide to collect and use your personal data for our own commercial purposes. We mainly do this to provide and improve our services.
Read our Privacy Statement to learn more about why we collect certain personal data about you, how long we store this data, which privacy rights you have, etc.
As a data controller, we engage several service providers which we instruct to process your personal data on our behalf for various purposes, e.g. to send you our newsletter or to collect feedback from you. We have DPAs in place with all these processors to ensure that they apply the same high standards of data protection as we do.
| NextFluent customer (data subject) | NextFluent (data controller) | Other service providers, e.g. for customer feedback (data processor) |
|---|---|---|
| Shares personal data with NextFluent | Collects personal data from the NextFluent customer; shares personal data with other service providers for the purpose of customer feedback | Securely process personal data on behalf of NextFluent |
4. Best practices
Next to everything mentioned above, we have some strict internal policies and procedures in place to carefully handle all personal data. As an example, in a limited number of well-defined cases, colleagues from our Development, Support and Customer Success teams can access the data in your account. Access rights are restricted to authorized personnel only, based on the principle of least privilege. All actions in the account are duly logged. These audit logs are regularly reviewed to prevent abuse.
We also organize recurring awareness initiatives to ensure that data protection remains top-of-mind with our colleagues at all times.
Ensuring the security of your data and complying with data protection legislation is an important part of our mission. We continue to invest effort and resources to make improvements in this area.
5. We are here to help
If you have a question or feedback regarding our privacy practices, feel free to contact our Data Protection Officer (DPO) via dpo@nextfluent.com.