Tapper's GDPR and CCPA compliance
Introduction
At Tapper, we are fully committed to complying with GDPR and CCPA requirements. We have established policies and procedures to ensure adherence to these laws, including conducting data protection impact assessments, privacy impact assessments, and incident response plans. We also have representation in the EU and UK to ensure compliance with regional regulations.
Commitment to Security and Privacy
Maintaining a robust security and privacy posture is of utmost importance at Tapper. We regularly review and update our security and privacy controls and practices to align with appropriate compliance standards and regulations, ensuring the confidentiality, integrity, and availability of our users' data.
We take data privacy seriously and are dedicated to complying with all relevant data protection laws, including the EU's GDPR and the California Consumer Privacy Act. To outline our privacy policies and procedures and answer frequently asked questions about GDPR and CCPA compliance, we have prepared this Privacy Posture Document.
Legal Framework
Tapper operates in compliance with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We also comply with other relevant privacy laws and regulations as applicable. We have implemented appropriate technical and organizational measures to ensure that personal data is processed in accordance with these laws and regulations.
Personal Data Collection
Tapper uses the IP address, along with other data points, to determine whether a session is fraudulent and block access to the customer's website. The IP address is considered personal data under the GDPR, and the other data points may also be considered personal data depending on their nature. To comply with GDPR, Tapper obtains explicit consent from its customers to collect and process personal data for this purpose.
However, GDPR Article 6(1)(f) also provides a legal basis for processing personal data, including IP addresses and cookies, without explicit consent, provided that the processing is necessary for the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data.
If a customer opts to use Tapper's product to track fraudulent services, the data collected will be used only for this purpose, and in compliance with GDPR and CCPA. Tapper is classified as a "Processor" under GDPR and a "Service Provider" under CCPA, meaning that Tapper processes personal data it collects only as necessary to provide its services to the applicable Tapper customers who authorized the collection of such data.
Tapper takes appropriate technical and organizational measures to ensure the security of personal data, including the IP address and other data points it collects. Individuals have the right to access, rectify, and delete their personal data collected by Tapper. Tapper will promptly respond to any request to exercise these rights, as required by GDPR and CCPA.
Data Protection Measures
Tapper takes appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. We use industry-standard security measures, such as encryption and access controls, to safeguard personal data. We also conduct regular security assessments and audits to identify and mitigate potential security risks.
Third-Party Service Providers and Sub-Processors
Tapper may share data collected through its product with a limited number of third-party service providers as necessary for the operation of the services, specifically our hosting provider. Certain optional features of the Tapper service offering, which are not part of Tapper’s core offering, may involve additional transfers of data, as described in the relevant feature documentation. Before sharing any data with third-party providers, Tapper ensures that appropriate safeguards are in place to protect the privacy and security of the data in compliance with GDPR requirements. Additionally, Tapper has entered into data processing agreements with its third-party providers to ensure they comply with GDPR and any other applicable data protection laws.
Personal Data Transfer and Hosting
Data containing PII will be stored and processed in the EU, in AWS Europe (London), eu-west-2. This data is not used in any way that infringes GDPR, and it is stored in accordance with European regulations. Our employees may access personal data as necessary to provide the services, and they will do so from our offices located either in the EEA or in Dubai, UAE and Tbilisi, Georgia, which has received an adequacy decision from the European Commission. We take appropriate technical and organizational measures to ensure the security of personal data, including data stored in AWS. Individuals have the right to access, rectify, and delete their personal data collected by Tapper. We will promptly respond to any request to exercise these rights, as required by GDPR and CCPA.
Data Breach Response
Tapper has implemented a data breach response plan to detect, respond to, and recover from data breaches. In the event of a data breach, we will promptly notify affected individuals and authorities as required by law. We have established a dedicated incident response team that is responsible for managing data breaches, and we conduct regular training and simulations to ensure that our team is prepared to respond to data breaches.
We have also implemented appropriate technical and organizational measures to prevent, detect, and respond to data breaches, such as intrusion detection systems and firewalls. We conduct regular vulnerability assessments and penetration testing to identify and mitigate potential security risks.
Data Protection Officer and GDPR Representation
Tapper has partnered with Drata to ensure compliance with data protection laws and regulations. Drata is responsible for advising on data protection matters, monitoring compliance with data protection laws and regulations, and acting as a point of contact for individuals and authorities regarding data protection issues. Drata assists Tapper in maintaining adherence to GDPR standards and ensuring the confidentiality, integrity, and availability of personal data.
If you have any questions or concerns regarding Tapper’s GDPR compliance, you can contact Drata through the following means:
By using Drata's online request form: Drata Request Form
By writing to Drata at 4660 La Jolla Village Dr. Suite 100, San Diego, CA, 92122, USA
This representative acts as a point of contact for individuals and supervisory authorities in the EU and the UK regarding matters relating to the processing of personal data.
Rights and Freedoms of Data Subjects
Individuals have the right to access, rectify, and delete their personal data collected by Tapper. We also respect individuals' rights to data portability, restriction of processing, and objection to processing. We provide individuals with mechanisms to exercise their rights, such as self-service portals and email requests, and we respond promptly to all requests.
We have implemented appropriate procedures to verify the identity of individuals making requests to ensure that personal data is not disclosed to unauthorized persons. We also provide individuals with information on their rights and the procedures for exercising them through our privacy policy and other communications.
Privacy by Design and Default
Tapper incorporates privacy by design and default principles into our products and services. We implement appropriate technical and organizational measures to ensure that personal data is protected from the outset and that data protection is embedded into all aspects of our data processing activities.
Privacy Policy
Tapper maintains a privacy policy that provides individuals who access our corporate website with information on our data processing activities, their rights, and how to exercise them. Our privacy policy is regularly reviewed and updated to ensure compliance with data protection laws and regulations and to provide transparency and clarity on our data processing activities.
Data Processing Agreement
We enter into a Data Processing Agreement with all our customers located in the EEA; the agreement can be found here: Tapper Data Processing Agreement. The DPA defines the role of Tapper as "Processor" and our customers as "Controller" and describes the respective rights and obligations.
Training and Awareness
Tapper provides regular training and awareness programs to all employees and contractors on data protection laws and regulations, our privacy policies and procedures, and best practices for protecting personal data. We also conduct regular audits and assessments to ensure that our employees and contractors are complying with our data protection policies and procedures.
Our Commitment
Tapper is committed to protecting the privacy and personal data of our customers, partners, and users. We believe that privacy is a fundamental human right and that it is our responsibility to ensure that personal data is collected, processed, and used in a transparent, lawful, and responsible manner. We will continue to monitor and update our privacy posture to ensure that we are compliant with applicable data protection laws and regulations and that we are providing the highest level of privacy protection to our stakeholders.
Updated on: 19/08/2024
Thank you!