Oki Doki and the GDPR

Data Privacy Lead

Benjamin Borowski
privacy@weareokidoki.com

OKI DOKI DIGITAL INC
PO Box 412
Sechelt, BC V0N 3A0
Canada

As part of our ongoing efforts and our commitment to protect the security and privacy of our users, we at Oki Doki Digital, Inc. are working towards complying with the EU General Data Protection Regulation (“GDPR”).

This site contains information on what steps we are taking, features we're implementing, and who to contact for any privacy or security concerns. This site is our central point of communications between our data partners, users, regulators, and auditors.

Make A Subject Access Request

If you are a customer in the European Economic Area (“EEA”), you have the right to know how your data is being used, to ask us to export it, or to request that it be deleted.

Service Providers

We rely on a number of trusted third parties to assist with our operations. Depending on the exact nature of your account and what you've asked us to do, your data may be shared with one or more of these partners. We carefully evaluate each to make sure they handle your personal data with the utmost respect, security, and privacy.

These Service Providers have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Wherever possible and as necessary, we anonymize your Personal Data before we share it with our Service Partners.

1. Core Sub-Processors

Partner | Locale | Data Shared | Purpose
Amazon Web Services, Inc. | | All Data | Web hosting, static file hosting, storage, backups.
CircleCo, Inc. | | Name, Email | Notion Mastery community hosting.
Notion Labs, Inc. | | Name, Email | Delivery of the Notion Mastery program and related programs. We use Notion to store basic details about our students, and the course itself is delivered in Notion.

2. Ancillary Services

Partner | Locale | Data Shared | Purpose
Google Universal Analytics by Google LLC | | Anonymized IP Address | Analytics and metrics.
Help Scout, Inc. | | Name, Email, Company Name, IP Address, Anything Emailed to Support | Customer support and documentation.
Slack Technologies, Inc. | | Email, Name, Company Name, Comments Sent to Support | Application support dashboard and company internal messaging.
Stripe, Inc. | | Email, Payment Information, IP Address | Secure payment processing and subscription billing. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1.
Typekit | | IP Address | Hosting web fonts.

3. Business Services (no Personal Data is sent to these services unless you submit it to us)

Partner | Locale | Data Shared | Purpose
GDPR Page | | Email Address, Name, Company Details, Signature | GDPR Page shows our GDPR compliance documentation and allows our customers to submit Subject Access Requests and sign Data Processing Addendums.
G Suite by Google LLC | | Anything Emailed to Us | Internal email provider.

Compliance Tasks

GDPR compliance requires maintenance and ongoing work. We are tracking our efforts here.

Application Site Security

Status | Name
Completed | Ensure Backups are Stored on Encrypted File Storage
Completed | Personal Data in Databases is Encrypted
Completed | Ensure Intrusion Detection Systems are in Place
Completed | Ensure Web Application Firewall is Enabled and Blocking Common Attacks
Completed | HSTS (HTTP Strict Transport Security) Added to SSL/TLS of App Site
Completed | Personal Data in File Storage is Encrypted
Completed | Ensure Access to Backups is Restricted
Completed | SSL (TLS) Deployed on App Site
Completed | Redact Logs to Avoid Writing Unneeded Personal or Sensitive Data
Completed | Restrict Personal Data at Signup to the Minimum Necessary

Data Mapping

Status | Name
Completed | Add Email Newsletter Service to Service Providers List
Completed | Add Customer Support Services to Service Providers List
Completed | Add Hosting and Database Provider to Service Providers List
Completed | Add File Collaboration Service to Service Providers List
Completed | Add CDN Provider to Service Providers List
Completed | Add Performance Monitoring Applications to Service Providers List
Completed | Add Transactional Email Service to Service Providers List
Completed | Add Analytics Provider to Service Providers List
Completed | Add Internal Email Service to Service Providers List
Completed | Add GDPR Page to Service Providers List
Completed | Add Typeform to Service Providers List

Marketing Site Security

Status | Name
Completed | SSL (TLS) Deployed on Marketing Site
Completed | Reviewed List of Users with Access to Site
Completed | HSTS (HTTP Strict Transport Security) Added to SSL/TLS of Marketing Site

Privacy Procedures

Status | Name
Completed | Developed a Data Processing Addendum
Completed | Get Management Approval for GDPR Efforts
Completed | Briefed All Staff on GDPR Impact to the Organization
Completed | Process Established for Subject Access Requests
Completed | Affirmative Consent Mechanism Added to User Signup
Completed | Nominate a Data Protection Lead or Data Protection
Completed | Privacy Policy Updates
Completed | Procedure Established to Allow People to Request that Inaccuracies in Their Data are Fixed
Completed | Inform Users about the GDPR Page
Completed | Informed All Employees and Contractors about GDPR Compliance

Security Procedures

Status | Name
Completed | Data Breach Notification Policy has been Established
Completed | Publish Statement on Public Website on How to Report Security and Data Issues

Frequently Asked Questions

If you have any concerns not answered here, please send an email to privacy@weareokidoki.com or contact us at the contact information listed near the top of this page.

What's the GDPR?

The General Data Protection Regulation (GDPR) is a new piece of privacy legislation enacted by the European Union. It represents a significant change in how personal data (IP addresses, emails, names) and sensitive data (religion, ethnic origin, health, orientation) are handled by companies.

Do non-EU companies need to comply with the GDPR?

While it remains to be seen whether the EU has the legislative power to levy fines and enforcement against organizations around the globe, GDPR compliance is being sought by non-EU companies for a variety of reasons.

  • Customers and prospects are making it a requirement.
  • It's a solid framework for improving the handling of personal information, and complying with the GDPR requirements improves our own security.

How Do I Report a Security Issue?

The protection of Personal Data is very important to us, and we are prepared to take appropriate and timely steps in the event of any incidents in accordance with applicable privacy laws. Please report any security incidents to privacy@doki.io.