GDPR (General Data Protection Regulation) is the European Union's regulation on data protection and privacy for all individuals within the EU, effective from May 25, 2018. This article gives information about YAMM's compliance with GDPR and answers the key questions you may have while reviewing YAMM as your data processor.
Awesome Gapps (your service provider) is committed to respecting your privacy and your customers' privacy by complying with the GDPR. Yet Another Mail Merge (YAMM) (the service), an add-on based on Google Apps technologies that automates the sending of mass emails, would be considered a Data Processor.
YAMM commitment towards GDPR
Here is the key information (as an FAQ) on our commitment towards GDPR compliance, the safety and protection of your data, and the features that may support our customers' own compliance. You may want to consult these while reviewing or choosing YAMM as your data processor:
Is YAMM GDPR compliant?
Yes. Yet Another Mail Merge (YAMM) is GDPR compliant as of May 25, 2018.
Does our Data Processing Agreement (DPA) confirm YAMM compliance with GDPR?
Which Data Transfer mechanisms does YAMM rely on? Standard Clauses or Privacy Shield?
Our DPA has been updated to confirm our compliance with the GDPR.
As detailed in the DPA, for our customers who wish to transfer personal data to a third country (outside the EEA) in accordance with Article 45 or 46 of the GDPR, the lawful data transfer mechanism relies on entering into Standard Contractual Clauses, or on offering an alternative transfer solution if requested (for example, the EU-U.S. Privacy Shield).
Where is YAMM data stored?
YAMM is built on and runs entirely in the Google Cloud environment. All data is stored and hosted on Google servers. The data is NEVER stored by or transferred to any entity other than Google.
Please note that Google is committed to complying with the GDPR for G Suite and Google Cloud Platform Services.
Is YAMM data ever moved out of the EEA or EU?
No. We do not transfer data.
Do you have a Data Protection Officer (DPO)?
No. Considering the nature and the scale of personal data being processed by YAMM, appointing a DPO is not applicable to us.
What data controls do you have in place?
YAMM, as an add-on for Google Sheets, requires you to log in with your Google account credentials to install and use it.
Authentication relies entirely on Google's authentication services to let you log in. YAMM does NOT have access to your Google account or your password at any time. All data sent to or from YAMM is transmitted securely.
The first time you install YAMM, it requests your authorization to access certain services in your Google account and to act on your behalf. YAMM requests only the permissions that are strictly necessary to offer its functionality to you. Your authorization is limited to the functionality of the service. YAMM neither propagates these permissions nor automatically grants access to your files/folders to anyone (including the YAMM support team).
Who can access my data, under what circumstances and what can they see? Is this access tracked?
Only you have access to your data or your customers' data (data subjects) at any point in time, except in the single case where you explicitly grant access to your files when seeking technical assistance from the YAMM support team.
YAMM, being a bulk emailing solution, relies entirely on the Gmail API to send emails. We do not operate any email servers ourselves. YAMM only fetches data from your Google Sheet and transfers it to Gmail/Google servers. At no time do we store a copy of the content of your emails or your mailing lists.
Do you have in place a security breach notification process?
Yes. As detailed in our DPA, in the event of a data incident, we will notify the affected customers promptly and without undue delay and take reasonable steps to minimize harm and secure customer data. The notification will be delivered to the notification email address of the customers. Please note that you (the customer) are solely responsible for ensuring that the notification email address is current and valid.
What risk management processes do you have in place?
Our risk management processes include a robust monitoring system (Google Stackdriver) and active monitoring by our Security Review Board. Our practices are governed by our Incident Response Policy (effective since November 1, 2017).
If an issue is detected by the monitoring system, by our Security Review Board, or through notifications from our service provider (such as Google Firebase), the severity of the incident is assessed immediately and reported directly to the development team.
The Incident Response Plan includes reporting any major-impact incidents, and the measures taken, on our YAMM status page: http://status.yet-another-mail-merge.com. In case of incidents impacting a small number of specific customers, those customers will be contacted privately.
Regardless of the incident severity level, customer support tickets sent to firstname.lastname@example.org that are related to the incident will be updated with the incident status.
Do you currently adhere to Binding Corporate Rules (BCR)?
What third party organisations do you work with that may also have access to the data we share with you?
Do you offer any legal advice or guidance for YAMM customers (data controllers)?
No. We do not and cannot offer any legal advice or guidance on which actions you (a data controller) may need to take to comply with GDPR, or how to take them. However, please be assured that we are committed to providing you with a tool that may help you comply with the regulations.
We have a series of detailed articles on your data security and confidentiality with YAMM. We invite you to consult these articles, which explain what data is processed by YAMM, why, and how:
- [DATA ACCESS] What permissions are needed to use YAMM?
- [DATA ACCESS] Why share your Google Sheets with Edit access?
- [DATA PROCESSING] How are your bulk emails sent with YAMM?
- [DATA STORAGE] What data is stored by YAMM and how?
- [DATA STORAGE] How does YAMM email tracking work?
- [GDPR] How to collect consent from your recipients?
If you have specific questions beyond those in this FAQ, please do not hesitate to send them to us at email@example.com