Including the CCPA, GDPR, and the UK GDPR.
At Qomon, we are committed to protecting your data and helping you stay in compliance with legal obligations and local privacy laws. This includes the General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Protection Act (CCPA), amongst various others.
To do so, we utilize a variety of tools and processes which ensure that all data is securely stored, processed and documented. That being said, managing privacy law compliance and security is a never-ending process. Regular developments in this ever-evolving area bring new guidance to follow and new measures to implement. That’s why we’re always improving!
In this article we’ll be outlining how we process your data to comply with the legal obligations of our customers, and our own.
Firstly, let’s differentiate between the types of personal data we handle by looking at the three main categories we deal with at Qomon (non-exhaustive list):
This is the data that is specific to Qomon operations. An example of this would be data on our employees and contractors. This data cannot be accessed by external parties without the express permission of Qomon.
This is the data we need for you to use our services. For example, this includes info required for logging into the Qomon web platform / mobile app, or info required to create your Qomon space, etc.
This is the data collected, imported or inputted by our users and stored in Qomon. This data is yours, whether imported in Qomon platform or collected through our tools.
Data and Insights Features
At Qomon, we develop data features (CrossAnalysis, ©Insights, etc.) in selected countries to not only allow your organization to easily and quickly make in-depth analyses about a territory, but also to better understand the profiles of your community and trigger your next action. These features are based on a mix of territorial / commercial data (depending on the country) but do not include personal data.
These features operate, directly or indirectly, at the aggregated / anonymized territorial unit level and not the contact unit level.
1. Separated databases and reduced internal access
All data we collect is segmented in accordance with the purpose for which it was collected and the department responsible for collecting it. For example, the sales team’s database is utilized only by the sales team and is not in any way linked or combined with our customer support data or user files. It also exists independently of the databases built by other Qomon departments, and can be accessed only by those within the individual department to which the database applies.
Additionally, as a customer, your main account manager and the CTO of Qomon (if there are any security or technical problems) are the only people who can access your data.
It means access to your personal data is limited to only those who are authorized to process it by virtue of their role. This helps to secure the privacy of your personal data.
For example, a member of the support team replying to a ticket in our help chat can only see the name of the volunteer or team member who is contacting support, the organization they are attached to, and the device they are connected with.
2. Secure data storage & backups
In accordance with global standards & privacy laws, we are required to responsibly store your personal data. We have endeavored to do this by implementing data storing processes that meet the data storage requirements of the country in which you are based.
We run daily backups of our clients’ data and encrypt the associated data so that no external entity can access it.
3. Download your data anytime
At Qomon, we are very clear on this: you are the ultimate owner of your personal data, and you are entitled to obtain a complete copy of your personal data at any time. In acknowledgement of this, with Qomon, you can download your data whenever you wish. This can be done in a variety of different formats, and allows you to track all your data-related activity with Qomon.
4. Access to the complete editing and deletion history of your contact list
As a SuperAdmin of a Qomon Space, you can access the complete history of edits made to your contacts. This includes access to a complete history of who has been editing and deleting contacts from your organization.
5. Technical Organizational Measures (TOMs)
As per Article 32 of the GDPR, technical and organizational measures must be implemented in order to guarantee the security of all personal data collected. At Qomon we have introduced a variety of TOMs to help prevent data breaches and to comply with the principle of Data Privacy by Design. All these measures are available in a document you can request from our team.
Even if it's only required by GDPR, every customer in every region benefits from enhanced security.
This outlines the exact purposes for which we collect and process our users’ data. We encourage you to review this document thoroughly and to take note of the key points.
7. Location of our servers
The secure storage and transfer of data to third parties is one of the more important aspects of privacy law compliance.
As a global company, our standard procedure is that we have dedicated, encrypted servers in areas that are accessible only by the local team, ensuring compliance with local laws.
For US customers, data is stored and processed exclusively in the US and by US companies (AWS).
For European Customers and non US customers, in order for our users to fulfill their obligations with regards to the GDPR, UK-GDPR or other privacy laws, we store and process their collected data within our two secured European cloud providers: OVH and Scaleway. We use servers located within the European Union - France and Germany.
8. Data Processing Agreement (DPA)
Processing essentially means anything you can do with data (such as storing it, downloading it, monetizing it, etc.). We are required to have a written Data Processing Agreement in place with all of our data processors. This agreement states the rights and obligations associated with data protection for the processor and is legally binding upon each party involved in the agreement (i.e., Qomon and the processor).
As we are ourselves processors acting on behalf of our customers, you can find our Qomon Data Processing Agreement below.
9. Exercising your rights with us through a Privacy Portal
Exercising your privacy rights should be as straightforward a process as possible. To keep the process simple, we created a privacy portal for exercising your rights. With this portal, you can easily navigate between your different privacy rights and exercise them in just a few clicks.
10. Respect for the right to opt-out
At Qomon, we respect your right to cease contact with us whenever you choose. Every form of communication we maintain with you can be opted-out of. If you do choose to opt-out, we will record all details of this retraction of consent to receive communication from us (from the department that sent you the communication), thereby ensuring a system of accountability.
11. Our use of privacy law compliance software
We use privacy law and GDPR compliance software with powerful compliance automation capabilities, which have been purpose-built for tech companies like us. The platform sets us up with air-tight compliance programs and enables us to manage all aspects of compliance from a single location.
We are able to identify and map the data and processing activities carried out by Qomon, manage our register of sub-processors, and automatically store all DPAs. Additionally, it helps us to establish all our security measures and map out our personal data-related risks.
12. Training our teams
Our Data Protection Officer (DPO) organizes regular challenges & training sessions for our staff members on data security and privacy law compliance. This is conducted through our privacy law and GDPR compliance software. This helps to deepen our team’s understanding of privacy laws and to keep them up-to-date on any major changes.
To protect the data stored on your Qomon user space, our users have the option to enable two factor authentication (2FA). This means that users will only be granted access to the Qomon user space after successfully presenting two pieces of evidence to affirm their right to access the web platform. With this option, our users can dramatically reduce the likelihood of account impersonation.
For each contact recorded on our web platform or mobile app, an individual funnel or checking box will be assigned to them. This funnel indicates the consent they have given to receiving future communications from you on one specific funnel. It also provides you with a system of accountability for managing consent levels as needed. *This feature can be enabled or disabled by the user upon request.
Privacy by Design means incorporating data processing and protection into technology when it is first created. We respect the principle of Privacy by Design and we incorporate privacy considerations and protection measures into the design and development of our products.
With both the Qomon web platform and mobile application, users have a variety of communication options to assign to each individual contact recorded. One of the most important of these options is the ‘do not contact again’ option. This ensures that those who opted out of receiving communications from you via email or SMS will not receive future contact from you and will enter your “Blacklist.”
As a Superadmin on the platform, you have the option to activate a double opt-in when adding a new contact. Single opt-in is where the contact consents to the retention and processing of their data by providing their contact details alone. Double opt-in, by comparison, means that any new contact is required to provide not only their contact details, but also give a second form of consent. With Qomon, this second form of consent is given through responding to a text message asking the contact to affirm their consent. Additionally, when double opt-in is enabled, contacts will receive an opt-out link. If the contact opts out, their consent will be updated accordingly on Qomon and their number will be automatically removed from any messaging from Qomon. By providing both options, users can manage the consent of their contacts in accordance with the needs of their organization, movement or campaign, and also the needs of their contacts.
The GDPR, the UK GDPR and the CCPA all recognize the existence of a right to be forgotten. This means that a person who has given their personal data to a company can at any point request to have this information deleted. To help our users honor this right, our web platform and mobile app allow for all personal data collected for any given profile to be easily deleted.