DOKI and the GDPR
Data Privacy Lead
Benjamin Borowski
privacy@doki.io
537-2818 Main Street
Vancouver, BC V5T 0C1
Canada
As part of our ongoing efforts and our commitment to protect the security and privacy of our users, we at Oki Doki Digital, Inc. are working towards complying with the EU General Data Protection Regulation (“GDPR”) for the Doki Service.
This site (at gdpr.doki.io) contains information on what steps we are taking, features we're implementing, and who to contact for any privacy or security concerns. This site is our central point of communications between our data partners, users, regulators, and auditors.
Data Processing Addendum
If you are a Doki Customer and you are using Doki to sell Courses to Students in the European Economic Area, and you need a signed DPA, please use the button below to sign our DPA.
Make A Subject Access Request
If you are a Doki Customer and you’re using Doki to sell Courses to Students in the European Economic Area (“EEA”), you have the right to know data is being used, as us export it, or request that it be deleted.
Service Providers
We rely on a number of trusted third-parties to assist with our operations. Depending on the exact nature of your account and what you've requested we do, your data may be shared with one or more of these partners. We carefully evaluate each to make sure they're handling your personal data with the utmost of respect, security, and privacy.
These Service Providers have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
Wherever possible and as necessary, we anonymize your Personal Data before we share it with our Service Partners.
| 1. Core Sub-Processors | ||||
|---|---|---|---|---|
| Partner | Locale | Data Shared | Purpose | |
 |
Amazon Web Services, Inc. |  |
All Data | Web hosting, static file hosting, storage, backups. |
 |
Heroku by Salesforce.com, Inc. | |
All Data | Infrastructure, Secure Cloud Service Platform for Database Storage. |
|
Papertrail by SolarWinds Worldwide, LLC | |
Application Logs Usage Data Email Name IP Address | Server-side log management, debugging. |
| 2. Ancillary Services | ||||
|---|---|---|---|---|
| Partner | Locale | Data Shared | Purpose | |
| Drip by Avenue 81, Inc. | |
Email Name IP Address | Marketing and educational emails. |
|
|
Filestack, Inc. | |
Uploaded Files that may contain Personal Data | File upload and storage. |
| Google Universal Analytics by Google LLC | |
Anonymized IP Address | Analytics and metrics. |
|
|
Help Scout, Inc. | |
Name Email Company Name IP Address Anything Emailed to Support | Customer support and documentation. |
|
Intercom, Inc. | |
Email Name Company Name IP Address | In-app customer messaging and customer support. |
|
Mandrill by The Rocket Science Group, LLC | |
Email IP Address | Transactional email delivery. |
|
Raygun Limited | |
Email IP Address Web Browser Details | Error, crash, and performance monitoring. |
|
Slack Technologies, Inc. | |
Email Name Company Name Comments Sent to Support | Application support dashboard and company internal messaging. |
|
SoundCloud |  |
IP Address Web Browser Details | Provides hosted audio embedding. |
|
Stripe, Inc. | |
Email Payment Information IP Address | Secure payment processing and subscription billing. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. |
| Typekit | |
IP Address | Hosting web fonts. |
|
| 3. Business Services (No Personal Data sent to these service unless you submit to us) | ||||
|---|---|---|---|---|
| Partner | Locale | Data Shared | Purpose | |
|
GDPR Page |  |
Email Address Name Company Details Signature | GDPR Page shows our GDPR compliance documentation and allows our customers to subject Subject Access Requests and sign Data Processing Addendums. |
| G Suite by Google LLC | |
Anything Emailed to Us | Internal email provider. |
|
|
Typeform | |
Email Name Payment Information | Hosts our business inquiry forms. |
Compliance Tasks
GDPR compliance requires maintenance and ongoing work. We are tracking our efforts here.
| Application Site Security | |
|---|---|
| Status | Name |
| Completed | Restrict Personal Data at Signup to the Minimum Necessary |
| Completed | SSL (TLS) Deployed on App Site |
| Completed | Redact Logs from Writing Unneeded Personal or Sensitive Data |
| Completed | Ensure Intrusion Detection Systems are in Place |
| Completed | Ensure Web Application Firewall enabled and blocking common attacks |
| Completed | Ensure Access to Backups is Restricted |
| Completed | Ensure Backups are Stored in on Encrypted File Storage |
| Completed | Personal Data in File Storage is Encrypted |
| Completed | Personal Data in Databases is Encrypted |
| Completed | HSTS (HTTP Strict Transport Security) added to SSL/TLS of App Site |
| Data Mapping | |
|---|---|
| Status | Name |
| Completed | Add Typeform to Service Providers |
| Completed | Add GDPR Page to Service Providers |
| Completed | Add Internal Email Service to Service Providers List |
| Completed | Add Analytics Provider to Service Providers List |
| Completed | Add Performance Monitoring Applications to Data Providers |
| Completed | Add Hosting and Database Provider to Service Providers List |
| Completed | Add Customer Support Services to Service Providers List |
| Completed | Add Transactional Email Service to Service Providers List |
| Completed | Add Email Newsletter Service to Service Providers List |
| Completed | Add CDN Provider to Service Providers List |
| Completed | Add File Collaboration Service to Service Providers |
| Marketing Site Security | |
|---|---|
| Status | Name |
| Completed | HSTS (HTTP Strict Transport Security) added to SSL/TLS of Marketing Site |
| Completed | Reviewed list of users with access to site |
| Completed | SSL (TLS) Deployed on Marketing Site |
| Privacy Procedures | |
|---|---|
| Status | Name |
| Completed | Briefed all Staff on GDPR Impact to the organization |
| Completed | Inform Users about the GDPR Page |
| Completed | Informed all Employees and Contractors about GDPR Compliance |
| Completed | Affirmative Consent mechanism added to User Signup |
| Completed | Privacy Policy Updates |
| Completed | Procedure established to allow for people to request that inaccuracies in their data are fixed. |
| Completed | Process established for Subject Access Requests |
| Completed | Nominate a Data Protection Lead or Data Protection |
| Completed | Get Management Approval for GDPR Efforts |
| Completed | Developed a Data Processing Addendum |
| In Progress | Procure fresh consents for application users |
| Security Procedures | |
|---|---|
| Status | Name |
| Completed | Data Breach Notification Policy has been established |
| Completed | Publish statement on public website on how to report security and data issues. |
Frequently Asked Questions
If you have any concerns not answered here, please send an email to privacy@doki.io or contact us at the contract information listed near the top of this page.
How Do I Report a Security Issue?
The protection of Personal Data is very important to us, and we are prepared to take appropriate and timely steps in the event of any incidents in accordance with applicable privacy laws. Please report any security incidents to privacy@doki.io.
Do Non EU Companies need to comply with the GDPR?
While it remains to be seen if the EU has the legislative power to levy fines and enforcement against organizations around the globe, GDPR compliance is being sought by non EU companies for a variety of reasons.
- Customers and Prospects are making it a requirement
- It's a solid framework for improving the handling of personal information and complying with the GDPR requirements improves our own security.
What's the GDPR?
The General Data Protection Regulation (GDPR) is a new piece of privacy legislation enacted by the European Union. It represents a significant change in how personal (IP Addresses, Emails, Names) and sensitive (religion, ethnic origin, health, orientation) data is handled by companies.