Oki Doki and the GDPR
Data Privacy Lead
Benjamin Borowski
privacy@weareokidoki.com
OKI DOKI DIGITAL INC
PO Box 412
Sechelt, BC V0N 3A0
Canada
As part of our ongoing efforts and our commitment to protect the security and privacy of our users, we at Oki Doki Digital, Inc. are working towards complying with the EU General Data Protection Regulation (“GDPR”)
This site contains information on what steps we are taking, features we're implementing, and who to contact for any privacy or security concerns. This site is our central point of communications between our data partners, users, regulators, and auditors.
Make A Subject Access Request
If you are a customer in the European Economic Area (“EEA”), you have the right to know data is being used, as us export it, or request that it be deleted.
Service Providers
We rely on a number of trusted third-parties to assist with our operations. Depending on the exact nature of your account and what you've requested we do, your data may be shared with one or more of these partners. We carefully evaluate each to make sure they're handling your personal data with the utmost of respect, security, and privacy.
These Service Providers have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
Wherever possible and as necessary, we anonymize your Personal Data before we share it with our Service Partners.
| 1. Core Sub-Processors | ||||
|---|---|---|---|---|
| Partner | Locale | Data Shared | Purpose | |
 |
Amazon Web Services, Inc. |  |
All Data | Web hosting, static file hosting, storage, backups. |
 |
CircleCo, Inc. | |
Name Email | Notion Mastery community hosting |
|
Notion Labs, Inc. | |
Name Email | Delivery of Notion Mastery program and related programs. We use Notion to store basic details about our students and the course itself is delivered in Notion. |
| 2. Ancillary Services | ||||
|---|---|---|---|---|
| Partner | Locale | Data Shared | Purpose | |
| Google Universal Analytics by Google LLC | |
Anonymized IP Address | Analytics and metrics. |
|
|
Help Scout, Inc. | |
Name Email Company Name IP Address Anything Emailed to Support | Customer support and documentation. |
|
Slack Technologies, Inc. | |
Email Name Company Name Comments Sent to Support | Application support dashboard and company internal messaging. |
|
Stripe, Inc. | |
Email Payment Information IP Address | Secure payment processing and subscription billing. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. |
| Typekit | |
IP Address | Hosting web fonts. |
|
| 3. Business Services (No Personal Data sent to these service unless you submit to us) | ||||
|---|---|---|---|---|
| Partner | Locale | Data Shared | Purpose | |
|
GDPR Page |  |
Email Address Name Company Details Signature | GDPR Page shows our GDPR compliance documentation and allows our customers to subject Subject Access Requests and sign Data Processing Addendums. |
| G Suite by Google LLC | |
Anything Emailed to Us | Internal email provider. |
|
Compliance Tasks
GDPR compliance requires maintenance and ongoing work. We are tracking our efforts here.
| Application Site Security | |
|---|---|
| Status | Name |
| Completed | Ensure Backups are Stored in on Encrypted File Storage |
| Completed | Personal Data in Databases is Encrypted |
| Completed | Ensure Intrusion Detection Systems are in Place |
| Completed | Ensure Web Application Firewall enabled and blocking common attacks |
| Completed | HSTS (HTTP Strict Transport Security) added to SSL/TLS of App Site |
| Completed | Personal Data in File Storage is Encrypted |
| Completed | Ensure Access to Backups is Restricted |
| Completed | SSL (TLS) Deployed on App Site |
| Completed | Redact Logs from Writing Unneeded Personal or Sensitive Data |
| Completed | Restrict Personal Data at Signup to the Minimum Necessary |
| Data Mapping | |
|---|---|
| Status | Name |
| Completed | Add Email Newsletter Service to Service Providers List |
| Completed | Add Customer Support Services to Service Providers List |
| Completed | Add Hosting and Database Provider to Service Providers List |
| Completed | Add File Collaboration Service to Service Providers |
| Completed | Add CDN Provider to Service Providers List |
| Completed | Add Performance Monitoring Applications to Data Providers |
| Completed | Add Transactional Email Service to Service Providers List |
| Completed | Add Analytics Provider to Service Providers List |
| Completed | Add Internal Email Service to Service Providers List |
| Completed | Add GDPR Page to Service Providers |
| Completed | Add Typeform to Service Providers |
| Marketing Site Security | |
|---|---|
| Status | Name |
| Completed | SSL (TLS) Deployed on Marketing Site |
| Completed | Reviewed list of users with access to site |
| Completed | HSTS (HTTP Strict Transport Security) added to SSL/TLS of Marketing Site |
| Privacy Procedures | |
|---|---|
| Status | Name |
| Completed | Developed a Data Processing Addendum |
| Completed | Get Management Approval for GDPR Efforts |
| Completed | Briefed all Staff on GDPR Impact to the organization |
| Completed | Process established for Subject Access Requests |
| Completed | Affirmative Consent mechanism added to User Signup |
| Completed | Nominate a Data Protection Lead or Data Protection |
| Completed | Privacy Policy Updates |
| Completed | Procedure established to allow for people to request that inaccuracies in their data are fixed. |
| Completed | Inform Users about the GDPR Page |
| Completed | Informed all Employees and Contractors about GDPR Compliance |
| Security Procedures | |
|---|---|
| Status | Name |
| Completed | Data Breach Notification Policy has been established |
| Completed | Publish statement on public website on how to report security and data issues. |
Frequently Asked Questions
If you have any concerns not answered here, please send an email to privacy@weareokidoki.com or contact us at the contract information listed near the top of this page.
What's the GDPR?
The General Data Protection Regulation (GDPR) is a new piece of privacy legislation enacted by the European Union. It represents a significant change in how personal (IP Addresses, Emails, Names) and sensitive (religion, ethnic origin, health, orientation) data is handled by companies.
Do Non EU Companies need to comply with the GDPR?
While it remains to be seen if the EU has the legislative power to levy fines and enforcement against organizations around the globe, GDPR compliance is being sought by non EU companies for a variety of reasons.
- Customers and Prospects are making it a requirement
- It's a solid framework for improving the handling of personal information and complying with the GDPR requirements improves our own security.
How Do I Report a Security Issue?
The protection of Personal Data is very important to us, and we are prepared to take appropriate and timely steps in the event of any incidents in accordance with applicable privacy laws. Please report any security incidents to privacy@doki.io.