The European Union General Data Protection Regulation (GDPR) is a regulation that aims at unifying EU member state data privacy regulations into a single regulation, enforced on the EU single market. This article describes the GDPR compliance status of Abyssale.
Info : If your company needs to ensure it is GDPR-compliant, it also needs to ensure its providers (ie. Abyssale) are also GDPR compliant. Abyssale is GDPR-compliant, and strictly enforces the regulation as to protect the user data we store.
Abyssale and GDPR (in 12 points)
The GDPR regulation can be reduced to 12 important points. For each point, we explain how Abyssale handles its compliance. If we did not answer your questions in this article, you can still contact us and drop us a chat or email.
Also, please note that all Abyssale data processor providers have been checked to be all GDPR-compliant (Aws, Auth0, Stripe). See the DPA we provide for a full list of our providers.
Abyssale is a French Company 🇫🇷. All Abyssale data is held on servers hosted in the 🇪🇺 European Union. Our user data is stored in IE Ireland. Servers are hosted by AWS (with a subsidiary in the EU subject to EU law). We do not plan to store data outside the EU in the future.
Note : Certain points of Abyssale GDPR compliance are subject to the law of France, where Abyssale is incorporated. Thus, we have to be compliant with French data protection law, as well as EU GDPR law. GDPR compliance and French law is applied worldwide.
2. Awareness
All employees responsible of software development & infrastructure maintenance of Abyssale SAS, a French limited company (the owner company for Abyssale) are fully aware of the GDPR requirements.
Also, code reviews are performed by the Data Protection Officers (as listed in this article), before any code deployment to the platform. This ensures security breaches and bad practices are not implemented by Abyssale employee, even if aware of GDPR requirements (this plays as a double human safety check).
You can check more about how we manage Abyssale security internally on this article : How is security managed on Abyssale services?
2. Information we hold
Abyssale stores data of:
Our customers (ie. the users using the Abyssale)
Note : Abyssale does not share, or resell, any kind of user data (whether data described in point 1). The data is not used for advertising or analytics. Our business model is solely based on paid subscriptions (ie. the user is not the product).
Information held on our users :
Abyssale collects account information for each user (we refer to them as customers in this article), including:
User first and last name
User payment details (includes invoicing information, eg. company address and
country — the credit card number is stored by Stripe)
User password (Transfert and stored in Auth0)
User Email
User phone number (optional during subscription)
Note : We don't log user activity, except for system logs including IP, user and time of connection. They are solely used for debugging and lawful purpose and retained maximum 1 year. This log retention policy is subject to the law of France (ie. if the judiciary system sends us a search warrant, we have to respond and provide logs up to 1 year, that contain the looked up information).
3. Communicating privacy information
Abyssale customers and users privacy terms are clearly communicated in our Privacy information.
4. Individuals’ rights
Abyssale customers rights regarding to GDPR are considered and enforced, including:
Right to be informed: we clearly inform our users about the use that will be made of their data
Right of access: our users can access all their data, without restriction, from the Abyssale apps
Right of rectification: it's as simple as contacting us, we'll process all your rectification queries
Right of erasure: it's as simple as contacting us, we'll process all your erasure queries
Right to restrict processing: we don't process the data of our customers (and our customers end-users)
Right to data portability: our users may contact us anytime if they wish to get an export of their data (this may take time, however, as the data is fragmented amongst multiple isolated data-stores)
Right to object: we handle all requests on this matter from our users and users' end-users (contact us)
Right not to be subject to automated decision-making including profiling: we don't do that (and never will)
5. Subject access requests
Abyssale replies to all access requests (positively or negatively) under 1 month (the legal limit from GDPR is 1 month).
We offer this free of charge for our customers (paid and free).
6. Lawful basis for processing personal data
Abyssale stores user data involving a consent.
7. Consent
Consent is provided by our users implicitely when proceeding an action or task (eg. when they provide user data).
Abyssale allows its customers to submit raw data in an automated way, via a frontend JavaScript API and backend REST API, for instance generate an image from data on a spreadsheet (name, location, etc..). This data must have been provided by the customer user in a consented way, as it will get propagated to Abyssale in an automatic way (if the customer implemented such API in their source code).
8. Children
Abyssale does not offer online services to children, due to the nature of the service provided (business-to-business). Thus, we did not identified it as relevant to control the age of users signing up for services.
Children might still be able to use the Abyssale services, from the website or apps of a Abyssale customer. To this extent, the Abyssale customer is responsible for checking against their own users and activities regarding children regulations.
9. Data breaches
Our team closely monitors any unauthorized system access, and has put in place multiple preventive measures to reduce the attack surface on our systems and services. In 2 years, Abyssale has had 0 major security issues, with only a few minor ones, which we fixed the same day they were reported (those would not have allowed a hack or data breach).
Security researchers and users can submit a security report to an encrypted email address ([email protected]) as explained on our Security Practices docs page, for which we process reports in the same day.
Note : Abyssale will notify their users of any data breach, 48h maximum after knowing about it and fixing the flaw. It is then the responsibility of our users to report this data-breach to their end-users in due time.
10. Data Protection by Design and Data Protection Impact Assessments
Whenever Abyssale develops a new system, security comes as a first when designing the architecture of such a system. Our first goal is to protect the integrity of the new production system, and second goal to protect the user data that's being stored and used by that system.
Note : Abyssale developers are well educated to software and network security, which helped us build a secure by design software over time.
11. Data Protection Officers
Abyssale designated a Data Protection Officer, as required by GDPR:
Name: Yassine Khial
Role: Co-founder & CTO
Email: [email protected]
Location: Abyssale offices in France (see "International" below)
Note : even as the DPO, the designated Data Protection Officer is not answering to GDPR questions directly. Someone from our support team will answer to all your GDPR-related questions. Moreover, even if it was designed internally, it is not officially declared to the CNIL.
12. International
Abyssale may, via its users, processes data from individuals from all over EU member states.
Abyssale main establishment is France, thus its supervisory authority is based in France.
Abyssale is operated by Abyssale SAS, a French limited company, identified as:
ID / SIREN: 878 526 573
Address: 49 Rue de Ponthieu, 75008 Paris, France
Email: [email protected]
Phone: +33 1 84 71 00 52