Updated on 5.21.2018
What is GDPR, and what is COMPAS doing to comply?
GDPR stands for the General Data Protection Regulation and is effective as of May 25th, 2018. GDPR replaces national privacy and security laws that previously existed within the EU with a single, comprehensive EU-wide law that governs the use, sharing, transfer and processing of any personal data that originates from the EU.
Our policy is to respect all laws that apply to our business and this includes GDPR. We also appreciate that our customers have requirements under GDPR. We are committed to helping our customers stay in compliance with GDPR.
- Where we are transferring data outside of the EU, COMPAS commits to having the appropriate data transfer mechanisms in place as required by GDPR.
- COMPAS commits to follow appropriate security measures and precautions in accordance with GDPR.
- COMPAS will assist with notifying regulators of breaches and promptly communicating any breaches to customers and users.
- We will ensure that employees authorized to process personal data have committed to confidentiality.
- We will hold any sub-processors that handle personal data, including our data center partners, to the same data management, security, and privacy practices and standards to which we hold ourselves.
- COMPAS will assist our customers, insofar as possible, to respond to data subject requests our customers may receive under the GDPR.
Does COMPAS process personal data?
Yes. We process personal data only to provide our products and services. We do not collect or process personal data for any purpose other than delivering the services our customers request.
Can COMPAS assist my company with responding to an Individual Rights Request (Subject Access Request)?
As a processor of personal data for many of our customers, we will assist our customers with responding to individual rights requests that they receive under the GDPR.
Where does COMPAS store and send my data? And how is that data sent?
We provide our customers with secure, fast, and reliable services. As a provider of global services, we run our services with common operational practices and features across multiple jurisdictions. Today, we store data in redundant data centers located across the US. All data is encrypted in transit, and all personal data is encrypted at rest. Our data center providers (Rackspace and Amazon Web Services) are fully compliant and hold the required compliance and security certifications (ISO/IEC 27001, ISO 14001, ISO 18001, ISO 9001, SOC 1 (SSAE 18), SOC 2, SOC 3, PCI DSS Level 1, FedRAMP JAB P-ATO, NIST 800-53, FISMA, NIST 800-171 (“DFARS”), CJIS, ITAR, FIPS 140-2, HITRUST, HIPAA, HITECH, Privacy Act, Swiss-US Safe Harbor, Content Delivery & Security Association (CDSA), Tech UK Member).
How does COMPAS secure my data?
We have implemented organizational and technical safeguards to secure our users’ data, in compliance with GDPR requirements. Our users’ personal data is pseudonymized when stored, and additionally encrypted whenever it is transferred.
Does COMPAS use sub-processors to further process customer data?
COMPAS uses a small number of sub-processors for handling and processing customer data. These are: Rackspace (data hosting), Amazon Web Services (data hosting), SendGrid (email provider), and Twilio (SMS/texting).
What is COMPAS doing to further comply with GDPR and maintain that compliance?
COMPAS complies with the framework outlined in the EU-US Privacy Shield as designed by the U.S. Department of Commerce and the European Commission. See our active status and learn more at: https://www.privacyshield.gov