At Termly, we are committed to safeguarding personal data and complying with the EU General Data Protection Regulation (GDPR).
Below is a summary of our adherence to GDPR requirements and the measures we have in place to protect individuals’ rights and privacy.
- Transparency & Lawfulness (Articles 5, 6, 7, 12, 13, 14)
- Individual Data Rights (Articles 15-22, 23)
- Security & Breach Notifications (Articles 25, 32-34)
- Accountability & Governance (Articles 5(2), 24, 30, 35-39)
- Vendor Management & Subprocessors (Articles 28-29, 46-49)
- International Data Transfers (Articles 44-50)
- Key Resources & Links
1. Transparency & Lawfulness (Articles 5, 6, 7, 12, 13, 14)
Controls We Have:
Privacy Notice: Our Privacy Notice explicitly details:
- The categories of personal data we collect.
- The purposes for processing (e.g., service delivery, legal obligations, or legitimate interests).
- How and why data is used, stored, and shared.
Lawful Bases: We process personal data only where a valid lawful basis applies (e.g., contractual necessity, legal obligations, or legitimate interests), as outlined in our Privacy Notice.
Cookie Policy: Our Cookie Policy outlines how cookies and tracking technologies are used, with options to manage preferences via our Cookie Banner and Preference Center.
Privacy Center: All privacy-related information, including data practices and rights, is centralized in our Privacy Center for easy access.
Right to Be Informed: We ensure individuals are provided with clear, transparent, and easily accessible information at the time of data collection (Articles 12-14).
In Summary:
- We collect only the necessary data for legitimate purposes.
- We provide clear, accessible notices so users understand how we handle personal data.
2. Individual Data Rights (Articles 15-22, 23)
Controls We Have:
Streamlined DSAR Process: Users can submit requests to access, correct, or delete their data, object to specific data processing, or enquire about data portability via our DSAR Form.
Opt-Out Tools:
- Marketing: Unsubscribe instantly via the “unsubscribe” link in emails.
- Tracking: Adjust cookie/tracking preferences in our Preference Center.
How We Uphold Your Rights:
- Timely Responses: We address all requests within 30 days (GDPR Article 12).
- No Fees: Requests are free unless manifestly unfounded or excessive.
- Verification: We authenticate identities to protect your data before fulfilling requests.
- Transparency: We explain any refusals with legal reasoning and appeal options.
Need Help? Contact our Data Protection Officer (DPO) for GDPR-specific requests.
3. Security & Breach Notifications (Articles 25, 32-34)
Controls We Have:
Data Protection by Design and by Default: We implement technical and organizational measures ensuring that, by default, only necessary personal data is processed (Article 25).
Robust Security Measures:
- See our Security FAQ for an overview of our encryption, access controls, and penetration testing procedures.
Incident Response Plan:
- We conduct regular risk assessments and tabletop exercises to prepare for any potential data breaches.
In Summary:
- In the event of a breach that poses a risk to individuals, we will notify the relevant authorities and affected users promptly.
- We pseudonymize data where possible and adhere to industry standards to keep personal data secure.
4. Accountability & Governance (Articles 5(2), 24, 30, 35-39)
Controls We Have:
In-House DPO & EU/Swiss Representative:
- We have a dedicated Data Protection Officer and an EU/UK/Swiss Representative, and we partner with external privacy counsel worldwide for audits and ongoing improvements.
- Records of Processing Activities (ROPA): Maintained for all data processing, including purposes, categories, and third-party sharing (GDPR Article 30).
- Data Protection Impact Assessments (DPIAs): Conducted for high-risk processing (e.g., large-scale processing) and updated as risks evolve (GDPR Article 35).
- Annual Policy Reviews: Documented reviews ensure alignment with regulatory updates (e.g., EDPB guidance, national laws) and industry standards.
- DPO Responsibilities: The DPO monitors compliance, advises on impact assessments, oversees internal compliance, conducts training, and serves as the contact point for supervisory authorities (Articles 37-39).
Sub-Processor Oversight: All service providers are contractually bound by:
- GDPR-compliant Data Processing Agreements (DPAs).
- Standard Contractual Clauses (SCCs) or Data Privacy Framework (DPF).
5. Vendor Management & Subprocessors (Articles 28-29, 46-49)
Controls We Have:
Vetted Subprocessors & DPAs:
- All subprocessors we work with are carefully vetted for GDPR compliance.
- We have strict Data Processing Agreements (DPA) with each of them, ensuring that they process data securely and in line with GDPR requirements.
- Our Data Processing Agreement (DPA) is available upon request.
- View our Subprocessors List for details on our third-party service providers.
Details:
- We ensure that all vendors handling personal data have appropriate safeguards in place.
- Our contracts include Standard Contractual Clauses (SCCs) for international data transfers where required.
- We periodically audit and review all subprocessors to ensure ongoing compliance.
6. International Data Transfers (Articles 44-50)
Safeguards We Implement:
EU-U.S. Data Privacy Framework (DPF):
- We are certified under the EU-U.S. DPF and UK / Swiss Extension to the DPF (Article 45 adequacy decision). Annual re-certification is conducted via the U.S. Department of Commerce.
Standard Contractual Clauses (SCCs):
- For transfers outside the DPF, we use EU/UK-adopted SCCs (Article 46) alongside supplementary technical safeguards like encryption, access controls, and data minimization.
UK & Swiss Compliance:
- Transfers to the UK and Switzerland adhere to the UK International Data Transfer Agreement (IDTA) and Swiss FADP requirements.
Key Resources & Links
- Privacy Policy: https://termly.io/our-privacy-policy/
- Cookie Notice & DSAR Form: https://termly.io/privacy-center/
- Security FAQ: https://termly.io/security-faq/
- Sub-Processors List: https://termly.io/our-sub-processors/
- Contact Our DPO: [email protected]
Last Updated: 03/13/2025