General data protection regulation (GDPR)

Kinde is compliant with the GDPR and here’s how we do this.

The items below are based on the key issues provided by GDPR-Info. They summarize the key issues facing companies in regard to data privacy protection. More information on the GDPR can also be found at GDPR.EU.

Please note that this document is for guidance purposes only and is only updated occasionally. For the most up-to-date representation of our privacy stance, please refer to our privacy policy.

If you have questions or need more information, contact us via live chat or email privacy@kinde.com.

Kinde processes personal data as part of our authentication product, specifically first name, last name, and email address. Note that there may be less information provided depending on the type of authentication integration being used by our customers. For example, some social providers only provide the email or only provide a custom identifier without revealing any personal details. The consent for this is part of the terms between data subjects and Kinde’s customers. Kinde’s customers are the data controllers, whereas Kinde is only a data processor on behalf of our customers.

With respect to marketing efforts, Kinde uses a legitimate interest assessment internally to determine broad scopes of marketing activities.

A more specific consent topic is cookies. Kinde’s marketing website does not use any tracking or third-party cookies. All website analytics is done anonymously using a tool called Plausible.io. Both Kinde’s marketing website and production services use first-party cookies to help maintain functionality such as session authentication. This cookie stance does not apply when leaving Kinde’s website for external services such as LinkedIn or Twitter.

Data Protection Officer

Kinde has nominated a Data Protection Officer internally, whose core responsibilities include ensuring Kinde is aware of, and trained on, all relevant privacy obligations, conducting audits to ensure compliance, addressing potential issues proactively, and acting as a liaison with the public on privacy matters. You can reach our Data Protection Officer by emailing privacy@kinde.com.

Email marketing

All marketing emails are sent with an opt-out link in the event that customers don’t want to receive product updates from us. Membership of the email marketing lists is collected when users voluntarily provide details to us, such as signing up for our product, registering for the newsletter, or signing up for blog post or product updates.

All customer data, including personal data, is encrypted at rest in Kinde’s production database using AES256. We use AWS’s RDS and KMS to facilitate most of this work. More information can be found on the Security at Kinde page. Access to Kinde customer data and the back-end infrastructure is strictly limited and controlled.

Privacy by Design

One of Kinde’s product principles is Privacy by Design. In this effort, we have made a commitment to never sell our customer data. In addition to this, we’ve included privacy-related checks throughout our software lifecycle to ensure that Kinde only collects the bare minimum amount of personal data to successfully run the product.

Privacy impact assessment

Kinde has completed privacy impact assessments for our key processing activities, which internally we’ve called Data Protection Impact Assessments (DPIAs), based on a template provided by the UK’s Information Commissioner’s Office. They’re long and thorough, and have been extremely useful in mapping out the personal data being handled, as well as in influencing the business and technical strategies for protecting that data.

As Kinde is a business-to-business (B2B) company, we handle personal data on behalf of our customers, which makes us a data processor. Our customers are the data controllers. As a result, Kinde takes instruction from its customers about what to do with the personal data. With respect to the customer, Kinde is a sub-processor for them.

Records of processing activities

One of the outputs from the DPIA mentioned earlier is a privacy data map, which includes records of processing activities (RoPA). Privacy surveys are conducted with each department to identify their own activities and what personal data is being handled. This captures information across user types such as customers, users, and employees. Once the surveys are done, the information is collated back into our RoPA and then updated as needed.

Right of access

Because Kinde is a processor of data and not the controller, right of access requests from a data subject should be directed at Kinde’s customers. These companies should handle the privacy request and forward it on to Kinde if there’s anything that we can do to assist. For the most part, Kinde will allow customers to view, adjust, or remove personal data for their users, such as users’ names or emails.

Right to be forgotten

Refer to Right of access.

Right to be informed

Refer to Right of access.