DOKI and the GDPR

Data Privacy Lead

Benjamin Borowski
privacy@doki.io

537-2818 Main Street
Vancouver, BC V5T 0C1
Canada

As part of our ongoing efforts and our commitment to protect the security and privacy of our users, we at Oki Doki Digital, Inc. are working towards complying with the EU General Data Protection Regulation (“GDPR”) for the Doki Service.

This site (at gdpr.doki.io) contains information on what steps we are taking, features we're implementing, and who to contact for any privacy or security concerns. This site is our central point of communications between our data partners, users, regulators, and auditors.

Data Processing Addendum

If you are a Doki Customer and you are using Doki to sell Courses to Students in the European Economic Area, and you need a signed DPA, please use the button below to sign our DPA.

Make A Subject Access Request

If you are a Doki Customer and you’re using Doki to sell Courses to Students in the European Economic Area (“EEA”), you have the right to know how your data is being used, to ask us to export it, or to request that it be deleted.

Service Providers

We rely on a number of trusted third parties to assist with our operations. Depending on the exact nature of your account and what you've requested we do, your data may be shared with one or more of these partners. We carefully evaluate each to make sure they're handling your personal data with the utmost respect, security, and privacy.

These Service Providers have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Wherever possible and as necessary, we anonymize your Personal Data before we share it with our Service Providers.

1. Core Sub-Processors

Amazon Web Services, Inc.
  Data Shared: All Data
  Purpose: Web hosting, static file hosting, storage, backups.

Heroku by Salesforce.com, Inc.
  Data Shared: All Data
  Purpose: Infrastructure, Secure Cloud Service Platform for Database Storage.

Papertrail by SolarWinds Worldwide, LLC
  Data Shared: Application Logs, Usage Data, Email, Name, IP Address
  Purpose: Server-side log management, debugging.

2. Ancillary Services

Drip by Avenue 81, Inc.
  Data Shared: Email, Name, IP Address
  Purpose: Marketing and educational emails.

Filestack, Inc.
  Data Shared: Uploaded Files that may contain Personal Data
  Purpose: File upload and storage.

Google Universal Analytics by Google LLC
  Data Shared: Anonymized IP Address
  Purpose: Analytics and metrics.

Help Scout, Inc.
  Data Shared: Name, Email, Company Name, IP Address, Anything Emailed to Support
  Purpose: Customer support and documentation.

Intercom, Inc.
  Data Shared: Email, Name, Company Name, IP Address
  Purpose: In-app customer messaging and customer support.

Mandrill by The Rocket Science Group, LLC
  Data Shared: Email, IP Address
  Purpose: Transactional email delivery.

Raygun Limited
  Data Shared: Email, IP Address, Web Browser Details
  Purpose: Error, crash, and performance monitoring.

Slack Technologies, Inc.
  Data Shared: Email, Name, Company Name, Comments Sent to Support
  Purpose: Application support dashboard and company internal messaging.

SoundCloud
  Data Shared: IP Address, Web Browser Details
  Purpose: Provides hosted audio embedding.

Stripe, Inc.
  Data Shared: Email, Payment Information, IP Address
  Purpose: Secure payment processing and subscription billing. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1.

Typekit
  Data Shared: IP Address
  Purpose: Hosting web fonts.

3. Business Services (No Personal Data is sent to these services unless you submit it to us)

GDPR Page
  Data Shared: Email Address, Name, Company Details, Signature
  Purpose: GDPR Page shows our GDPR compliance documentation and allows our customers to submit Subject Access Requests and sign Data Processing Addendums.

G Suite by Google LLC
  Data Shared: Anything Emailed to Us
  Purpose: Internal email provider.

Typeform
  Data Shared: Email, Name, Payment Information
  Purpose: Hosts our business inquiry forms.

Compliance Tasks

GDPR compliance requires maintenance and ongoing work. We are tracking our efforts here.

Application Site Security
  Completed: Restrict Personal Data at Signup to the Minimum Necessary
  Completed: SSL (TLS) Deployed on App Site
  Completed: Redact Logs from Writing Unneeded Personal or Sensitive Data
  Completed: Ensure Intrusion Detection Systems are in Place
  Completed: Ensure Web Application Firewall enabled and blocking common attacks
  Completed: Ensure Access to Backups is Restricted
  Completed: Ensure Backups are Stored on Encrypted File Storage
  Completed: Personal Data in File Storage is Encrypted
  Completed: Personal Data in Databases is Encrypted
  Completed: HSTS (HTTP Strict Transport Security) added to SSL/TLS of App Site

Data Mapping
  Completed: Add Typeform to Service Providers
  Completed: Add GDPR Page to Service Providers
  Completed: Add Internal Email Service to Service Providers List
  Completed: Add Analytics Provider to Service Providers List
  Completed: Add Performance Monitoring Applications to Data Providers
  Completed: Add Hosting and Database Provider to Service Providers List
  Completed: Add Customer Support Services to Service Providers List
  Completed: Add Transactional Email Service to Service Providers List
  Completed: Add Email Newsletter Service to Service Providers List
  Completed: Add CDN Provider to Service Providers List
  Completed: Add File Collaboration Service to Service Providers

Marketing Site Security
  Completed: HSTS (HTTP Strict Transport Security) added to SSL/TLS of Marketing Site
  Completed: Reviewed list of users with access to site
  Completed: SSL (TLS) Deployed on Marketing Site

Privacy Procedures
  Completed: Briefed all Staff on GDPR Impact to the organization
  Completed: Inform Users about the GDPR Page
  Completed: Informed all Employees and Contractors about GDPR Compliance
  Completed: Affirmative Consent mechanism added to User Signup
  Completed: Privacy Policy Updates
  Completed: Procedure established to allow people to request that inaccuracies in their data are fixed.
  Completed: Process established for Subject Access Requests
  Completed: Nominate a Data Protection Lead or Data Protection
  Completed: Get Management Approval for GDPR Efforts
  Completed: Developed a Data Processing Addendum
  In Progress: Procure fresh consents for application users

Security Procedures
  Completed: Data Breach Notification Policy has been established
  Completed: Publish statement on public website on how to report security and data issues.

Frequently Asked Questions

If you have any concerns not answered here, please send an email to privacy@doki.io or contact us at the contact information listed near the top of this page.

How Do I Report a Security Issue?

The protection of Personal Data is very important to us, and we are prepared to take appropriate and timely steps in the event of any incidents in accordance with applicable privacy laws. Please report any security incidents to privacy@doki.io.

Do Non-EU Companies need to comply with the GDPR?

While it remains to be seen whether the EU has the legislative power to levy fines and enforcement against organizations around the globe, GDPR compliance is being sought by non-EU companies for a variety of reasons:

  • Customers and prospects are making it a requirement.
  • It's a solid framework for improving the handling of personal information, and complying with the GDPR requirements improves our own security.

What's the GDPR?

The General Data Protection Regulation (GDPR) is a new piece of privacy legislation enacted by the European Union. It represents a significant change in how personal (IP Addresses, Emails, Names) and sensitive (religion, ethnic origin, health, orientation) data is handled by companies.