How AudioStack Complies with GDPR

A guide to our GDPR compliance

At AudioStack, we work hard to comply with the EU General Data Protection Regulation (GDPR), to ensure that we meet our obligations and maintain transparency about how we communicate with customers and how we use data.
Here’s an overview of GDPR, and how we achieve compliance at AudioStack:
What’s GDPR?
The GDPR is a comprehensive data protection law that came into effect on May 25, 2018. It replaced existing EU law to strengthen the protection of “personal data” and the rights of the individual data subject. It's a single set of rules which governs the processing and protection of the personal data of people in the EU.

Does it affect me?
Yes, most likely. If you hold or process the data of any person in the EU, the GDPR will apply to you, whether you’re based in the EU or not.

How AudioStack complies with GDPR
AudioStack helps you meet your data portability requirements: you can easily export all of the data linked to an individual and permanently delete all data linked to an individual user.
We have robust data retention policies and procedures that automatically expire data on visitors who have not been seen in 9 months, to ensure we comply with GDPR retention requirements.

GDPR – Requests for Personal Data
AudioStack carefully considers all third party requests for data, including requests from law enforcement and national security agencies.
As a policy, we do not provide third parties with information that does not belong to them and we only respond to requests where we are legally required to do so. This means that AudioStack will only provide data in response to a court order, subpoena, warrant or other valid legal request that compels us to provide data from a customer account.
Where we are legally permitted to do so, we will always notify you of the requests we receive and work with you should you wish to challenge a request or limit disclosure.

Our Data Processing Agreement (DPA)
It is a requirement under the GDPR to have a written DPA with all our processors. The European Commission has set up a resource (GDPR.eu) which has issued a template DPA. The terms of this template are incorporated into the Terms of Service under which your AudioStack services are governed, so no separate signature is needed.
Our DPA sets out the terms for AudioStack and our customers to fully comply with all GDPR requirements. This is available for customers to sign upon request.
If you have specific questions on the DPA, please reach out to us via support[at]audiostack[dot]ai

Bespoke DPAs with customers
AudioStack's policy is that we only contract on the basis of our GDPR DPA.

This established approach is based on sound legal and operational reasons and reflects common practice for SaaS suppliers.

From a legal perspective, the GDPR requires a processor like AudioStack to flow down to its sub-processors certain data protection obligations contained in its customer contracts. We have prepared our DPA for GDPR compliance and, as such, to contain obligations which can be flowed down to our sub-processors. Quite simply, we would not be able to meet the GDPR's flow-down requirement if we entered into bespoke DPAs with customers. This is particularly the case in relation to large-scale sub-processors, such as Amazon Web Services, where there is little to no flexibility to negotiate their standard terms.

From an operational perspective, AudioStack has thousands of customers and is a rapidly expanding business. We simply don't have the bandwidth or operational flexibility to enter into different DPAs with different terms for each and every customer. This would create overly burdensome commitments for AudioStack and is not scalable. By using the AudioStack GDPR DPA, we can better manage our data protection obligations and thereby focus our activities on processing personal data in a compliant manner and providing customers with a streamlined service.

Our Data Protection Officer
We have a dedicated Data Protection Officer to oversee and advise on our data management. Get in touch through the messenger or by emailing [email protected]
Coordination with our Vendors
Where appropriate, we require all of our third-party vendors to enter into data processing agreements that ensure customer data will remain protected in accordance with the GDPR and our obligations to you.
Encryption
All data sent to or from AudioStack is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an "A/A+" rating on Qualys SSL Labs' tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using the industry-standard AES-256 encryption algorithm.
Our security measures
Security is a priority for us. We have regular external audits, penetration testing and bug bounty programmes. We have built a robust security framework, achieved International Compliance standards (SOC2) and reviewed our internal access design to ensure the right people have access to the right level of customer data. More details are available on our Security page.

We continue to help our customers and prospective customers be compliant. Some steps you can take are:

  • Get familiar with the GDPR requirements and how they affect your company.
  • Ensure you provide customers with a suitable privacy notice, advising them of their rights and how their data will be processed.
  • Map out everywhere you process data and carry out a gap analysis.
  • See how you can leverage AudioStack to help with your GDPR compliance. Our audit reports, penetration tests and security docs are available to customers on request.
  • Look at your product roadmap and think about privacy when you're planning.
  • Chat to your lawyer about what your company needs to do.
  • Keep an eye on the developing guidelines from the European Data Protection Board.

We will also continue to monitor new and emerging guidance to determine whether we need to make any additional changes to our data practices as a result of the CJEU's ruling.