
GDPR Compliance

Last Updated: February 5, 2026

Akanban is fully committed to compliance with the General Data Protection Regulation (GDPR) and protecting the privacy rights of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland.

Our GDPR Commitment

We take data protection seriously and have implemented comprehensive measures to ensure compliance with GDPR requirements. This page explains how we meet our obligations and support your rights under the GDPR.

1. Overview of GDPR Compliance

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to the processing of personal data of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland. As a data controller and processor, Akanban has implemented technical and organizational measures to ensure full compliance with GDPR requirements.

1.1 Who This Applies To

GDPR protections apply to:

  • Individuals located in the EEA (European Union member states plus Iceland, Liechtenstein, and Norway)
  • Individuals located in the United Kingdom
  • Individuals located in Switzerland
  • Organizations processing data of individuals in these regions

1.2 Akanban's Role

  • Data Controller: For account information, billing data, and marketing communications
  • Data Processor: For customer content (projects, tasks, files) stored on our platform
  • Joint Controller: In certain limited circumstances as specified in our DPA

2. Your Data Protection Rights

Under GDPR, you have comprehensive rights regarding your personal data. Akanban is committed to facilitating the exercise of these rights.

Right to Access

Request a copy of your personal data we hold. We provide this information free of charge within 30 days of your request.

Right to Rectification

Correct inaccurate or incomplete personal data. You can update most information directly in your account settings.

Right to Erasure

Request deletion of your personal data (right to be forgotten). We will delete your data unless we have a legal obligation to retain it.

Right to Restriction

Request restriction of processing under certain circumstances, such as when you contest the accuracy of your data.

Right to Data Portability

Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object

Object to processing based on legitimate interests, direct marketing (including profiling), or processing for research purposes.

Right to Withdraw Consent

Withdraw consent at any time where we rely on consent as the legal basis for processing.

Right to Lodge a Complaint

Lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.

2.1 How to Exercise Your Rights

To exercise any of these rights, please:

  • Email: privacy@akanban.com or eu-privacy@akanban.com
  • Account Settings: Many rights can be exercised directly through your account settings
  • Data Export: Use the "Export Data" feature in your account settings for data portability
  • Response Time: We will respond to requests within 30 days (extendable to 60 days for complex requests)

2.2 Identity Verification

To protect your privacy, we may require identity verification before processing rights requests. This may include:

  • Verification of email address or account credentials
  • Additional information to confirm your identity
  • Government-issued identification for sensitive requests

3. Legal Basis for Processing

We process personal data only when we have a valid legal basis under GDPR. The legal bases we rely on include:

3.1 Contract Performance (Article 6(1)(b))

Processing necessary to provide our services and fulfill our contractual obligations:

  • Account creation and authentication
  • Service delivery and platform functionality
  • Customer support and communications
  • Billing and payment processing

3.2 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate interests or those of third parties:

  • Improving and optimizing our services
  • Security monitoring and fraud prevention
  • Analytics and product development
  • Business operations and administration

We conduct balancing tests to ensure our legitimate interests do not override your rights and freedoms.

3.3 Consent (Article 6(1)(a))

Processing based on your explicit consent:

  • Marketing communications and newsletters
  • Optional features requiring additional data
  • Cookies and tracking technologies (non-essential)
  • Third-party integrations

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

3.4 Legal Obligation (Article 6(1)(c))

Processing required to comply with legal obligations:

  • Tax and accounting requirements
  • Regulatory reporting
  • Law enforcement requests
  • Dispute resolution and legal proceedings

3.5 Vital Interests (Article 6(1)(d))

Processing necessary to protect the vital interests of individuals (rare circumstances).

4. Data Processing Principles

We adhere to the core data protection principles set out in Article 5 of the GDPR:

4.1 Lawfulness, Fairness, and Transparency

  • We process data lawfully with valid legal bases
  • We are transparent about our data practices in our Privacy Policy
  • We provide clear information about data processing at collection points

4.2 Purpose Limitation

  • We collect data for specified, explicit, and legitimate purposes
  • We do not process data in ways incompatible with original purposes
  • We obtain consent for any new purposes not covered by original collection

4.3 Data Minimization

  • We collect only data that is adequate, relevant, and necessary
  • We regularly review data collection practices to minimize unnecessary data
  • We provide options to use services with minimal data where possible

4.4 Accuracy

  • We take reasonable steps to ensure data accuracy
  • We enable users to update their information easily
  • We correct or delete inaccurate data promptly when identified

4.5 Storage Limitation

  • We retain data only as long as necessary for the purposes collected
  • We have defined retention periods for different data categories
  • We securely delete or anonymize data when no longer needed

4.6 Integrity and Confidentiality

  • We implement appropriate security measures to protect data
  • We encrypt data in transit and at rest
  • We restrict access to personal data based on role and necessity

4.7 Accountability

  • We maintain records of processing activities
  • We conduct Data Protection Impact Assessments (DPIAs) where required
  • We implement privacy by design and by default

5. International Data Transfers

Akanban may transfer personal data from the EEA, UK, and Switzerland to other countries. We ensure appropriate safeguards are in place for such transfers.

5.1 Transfer Mechanisms

We use the following mechanisms for international data transfers:

Standard Contractual Clauses (SCCs)

We use the European Commission's Standard Contractual Clauses (2021 version) for transfers to countries without an adequacy decision. SCCs are pre-approved contractual terms that provide appropriate safeguards for data transfers.

5.2 Adequacy Decisions

Where possible, we transfer data to countries that have received adequacy decisions from the European Commission, meaning they are deemed to provide an adequate level of data protection.

5.3 Additional Safeguards

  • Encryption of data in transit and at rest
  • Technical measures to limit access to authorized personnel
  • Contractual obligations on sub-processors
  • Regular assessments of transfer mechanisms
  • Transfer Impact Assessments (TIAs) for high-risk transfers

5.4 Data Residency Options

For customers who prefer to keep data within specific regions:

  • EU Data Residency: Data stored exclusively in EU data centers
  • UK Data Residency: Data stored exclusively in UK data centers
  • Multi-Region Options: Available for enterprise customers

6. Data Processing Agreement (DPA)

When you use Akanban to process personal data of your customers or employees, we act as a data processor on your behalf. Our Data Processing Agreement (DPA) governs this processor relationship.

6.1 DPA Coverage

Our DPA includes:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data processed
  • Categories of data subjects
  • Obligations and rights of the controller (you)
  • Instructions for processing
  • Security measures implemented
  • Sub-processor arrangements
  • Data breach notification procedures
  • Assistance with data subject requests
  • Data deletion and return procedures

6.2 Accessing the DPA

  • Automatic Execution: Our DPA is automatically executed when you create an account
  • Download: Available in your account settings under "Legal Documents"
  • Custom DPA: Enterprise customers can request customized DPAs

6.3 Sub-processors

We maintain a list of authorized sub-processors who may process customer data. You can:

  • View the current list of sub-processors in your account settings
  • Receive notifications of new sub-processors (30 days' advance notice)
  • Object to new sub-processors (termination right if objection not resolved)

7. Data Protection by Design and Default

We implement privacy by design principles throughout our platform:

7.1 Privacy by Design

  • Privacy considerations integrated from the earliest design stages
  • Regular privacy impact assessments for new features
  • Default settings that maximize privacy protection
  • Data minimization in feature development
  • Security controls embedded in architecture

7.2 Privacy Controls

  • Granular privacy settings accessible to users
  • Opt-in for optional data collection
  • Easy-to-use data export and deletion tools
  • Transparent privacy dashboards
  • Privacy-preserving analytics methods

8. Data Breach Procedures

We have comprehensive procedures to detect, respond to, and report data breaches in compliance with GDPR requirements.

8.1 Breach Detection and Response

  • 24/7 security monitoring for potential breaches
  • Incident response team on standby
  • Containment and remediation procedures
  • Forensic investigation capabilities
  • Regular incident response drills

8.2 Breach Notification

In the event of a personal data breach:

  • To Supervisory Authority: Notification within 72 hours of breach discovery (where required)
  • To Affected Individuals: Notification without undue delay if high risk to rights and freedoms
  • To Customers (Controllers): Prompt notification to enable them to meet their obligations

8.3 Breach Notifications Include

  • Nature of the breach and categories of data affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for more information
  • Recommendations for affected individuals

9. Data Protection Officer (DPO)

We have appointed a Data Protection Officer to oversee our GDPR compliance program and serve as a point of contact for data protection matters.

9.1 DPO Responsibilities

  • Monitor compliance with GDPR and internal policies
  • Advise on data protection impact assessments
  • Provide training and awareness to staff
  • Serve as point of contact for supervisory authorities
  • Handle data subject requests and inquiries

9.2 Contact Our DPO

Email: dpo@akanban.com
EU Email: eu-privacy@akanban.com
Mail: Data Protection Officer, Akanban Inc., 123 Tech Street, San Francisco, CA 94105, USA
EU Mail: Data Protection Officer, Akanban EU Representative, 456 European Lane, Dublin, Ireland

10. Supervisory Authorities

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.

10.1 Lead Supervisory Authority

Our lead supervisory authority in the EU is the Irish Data Protection Commission:

Data Protection Commission (DPC)
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
Website: www.dataprotection.ie

10.2 Local Supervisory Authorities

You may also contact your local supervisory authority in your country of residence. A list of EU supervisory authorities is available at: EDPB Members

10.3 UK Supervisory Authority

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow, Cheshire
SK9 5AF
United Kingdom
Website: www.ico.org.uk

11. Children's Data

Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16 without parental consent as required by GDPR.

If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that information promptly.

12. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects individuals under Article 22 of GDPR.

Where we use automated processing for other purposes (such as analytics or recommendations), individuals have the right to:

  • Obtain human intervention
  • Express their point of view
  • Contest the decision
  • Opt out of automated processing where possible

13. Updates to GDPR Compliance

We continuously monitor developments in data protection law and update our practices accordingly. Changes to our GDPR compliance program are reflected in updates to this page and our Privacy Policy.

Material changes will be communicated to users via:

  • Email notification to registered users
  • Prominent notices on our website
  • In-app notifications
  • Updates to the "Last Updated" date on this page

14. GDPR Resources

Additional resources for understanding GDPR compliance:

  • Akanban Privacy Policy
  • Security Practices
  • Data Processing Agreement (DPA) - Available in account settings
  • Sub-processor List - Available in account settings
  • GDPR Official Text
  • European Data Protection Board

Questions About GDPR Compliance?

If you have questions about our GDPR compliance or wish to exercise your data protection rights, please contact us:

Data Protection Officer: dpo@akanban.com
EU Privacy Team: eu-privacy@akanban.com
General Privacy: privacy@akanban.com
Phone: 1-800-AKANBAN (1-800-252-6226)
EU Phone: +353 1 XXX XXXX

EU Representative:
Akanban EU Representative
456 European Lane
Dublin, Ireland
Email: eu-representative@akanban.com

UK Representative:
Akanban UK Representative
789 London Street
London, United Kingdom
Email: uk-representative@akanban.com

© 2026 Akanban. All rights reserved.