GrowSurf and the GDPR

Privacy and Security Contact

Kevin Yun
legal@growsurf.com

1900 E. Golf Rd.
Ste 950A
Schaumburg, IL 60173

As part of our ongoing efforts to protect the security and privacy of our users, we are working to meet or exceed the GDPR (General Data Protection Regulation). This site contains information on what steps we are taking, their progress, and whom to contact for any security concerns. Please see our FAQ at the bottom of the page for more information.

Data Processing Addendum

In order to use our products and services, you need to accept our DPA.

Make A Data Request

We respect the rights of individuals to know how their data is being used, export it or request that it be deleted.

Data Processing Partners

We rely on a number of trusted third parties to assist with our operations. Depending on the exact nature of your account and what you've requested we do, your data may be shared with one of these partners. We carefully evaluate each to make sure they're handling your personal data with the utmost respect, security, and privacy.

Services

Partner | Locale | Data Shared | Purpose
Atlassian (Trello) | | Email Address | Project management
AWS (S3) | | IP Address | Image storage
Calendly | | IP Address | Meeting schedule setup widget
Capterra | | IP Address | Software tracking system and badge
CDN JS | | IP Address | Cloudflare's CDN with popular JavaScript frameworks available
ChartMogul | | Email | Revenue analysis
Cloudflare | | IP Address | Automatically optimizes the delivery of your web pages so your visitors get the fastest page load times and best performance
Cloudflare Hosting | | IP Address | Supercharged web hosting service
Cloudinary | | IP Address | Image management & delivery solution
Databox | | IP Address | Business analytics platform & KPI dashboards
Datadog | | IP Address, Email, First Name, Last Name | Logging (errors and monitoring)
Delighted | | IP Address, Email, First Name, Last Name | NPS survey forms
Dialpad (Uberconference) | | Email Address, First Name, Last Name | Video conferencing
Digital Ocean | | IP Address | Managed databases (Redis) and hosted servers
Elastic.co | | IP Address | Managed Elasticsearch hosting
Facebook Conversion Tracking | | IP Address | Conversion tracking functionality from Facebook; allows a user to track advertisement clicks
Facebook Pixel | | IP Address | Facebook Pixel is Facebook's conversion tracking system for ads on Facebook to websites
Firebase | | IP Address, Email, First Name, Last Name | Managed authentication and database hosting
Global Site Tag | | IP Address | Google's primary tag for Google Measurement/Conversion Tracking, AdWords and DoubleClick
Google Analytics | | IP Address | Google Analytics offers a host of compelling features and benefits for everyone from senior executives and advertising and marketing professionals to site owners and content developers
Google Apps for Business | | IP Address | Web-based email, calendar, and documents for teams. Renamed to Google Apps for Work, now known as G Suite from Google Cloud
Google Cloud Platform | | IP Address, Email, First Name, Last Name | Managed database hosting
Google Tag Manager | | IP Address | Tag management that lets you add and update website tags without changes to underlying website code
Google Universal Analytics | | IP Address | The analytics.js JavaScript snippet is a new way to measure how users interact with your website. It is similar to the previous Google tracking code, ga.js, but offers more flexibility for developers to customize their implementations
GrowSurf | | IP Address, Email, First Name, Last Name | Referral tracking
GStatic (Google Static Content) | | IP Address | Google serves static content (JavaScript/images/CSS) from a separate domain to reduce bandwidth usage and improve network performance for the end user
HeadwayApp | | IP Address | Changelog
Heap | | IP Address | Heap automatically captures every user action in your web app and lets you measure it all
HelpScout | | IP Address, Email, First Name, Last Name | Customer support and sales communication
Heroku | | IP Address | Application hosting
Hubspot | | IP Address | Hubspot provides marketing information and leads via inbound marketing software
Hubspot Forms | | IP Address | Marketing automation form feedback into the Hubspot tool
Mailerlite | | IP Address, Email, First Name, Last Name | Marketing email and automation forms
MongoDB Atlas | | IP Address, Email, First Name, Last Name | Managed database hosting
Postmark | | IP Address | Email service provider
Profitwell | | Email | Revenue analysis
Rewardful | | IP Address, Email | Affiliate tracking
Sendgrid | | IP Address | SendGrid's cloud-based email infrastructure provides businesses with email delivery management
Sentry | | IP Address, Email, First Name, Last Name | Error logging
Slack | | Email, First Name, Last Name | Real-time team communication
Stripe | | IP Address | Stripe makes it easy for developers to accept credit cards on the web
Stripe v3 | | IP Address | Version 3 of the Stripe integration
Tango Card | | IP Address, Email | Gift card rewarding
Twilio | | IP Address, Email, First Name, Last Name | Email service provider
Typekit | | IP Address | Typekit is the easiest way to use real fonts on the web. It's a subscription-based service for linking to high-quality OpenType fonts from some of the world's best type foundries
Zapier | | Email, First Name, Last Name | Business automation platform

Compliance Tasks

GDPR Compliance requires maintenance and ongoing work. We are tracking our efforts here.

Application Site Security

Status | Name
Completed | Ensure internal employees' and contractors' behaviour around personal data is documented
Completed | Inform Users about the GDPR Page
Completed | Affirmative Consent mechanism added to User Signup
Completed | Redact Logs from Writing Unneeded Personal or Sensitive Data
Completed | Ensure Web Application Firewall enabled and blocking common attacks
Completed | Registered with HaveIBeenPwned Domain Notification
Completed | Ensure Access to Backups is Restricted
Completed | Ensure Backups are Stored on Encrypted File Storage
Completed | Ensure Database Backups of Personal Data are working
Completed | Establish Development Environment Data Handling Guidelines
Completed | Personal Data in File Storage is Encrypted
Completed | Personal Data in Databases is Encrypted
Completed | Added External JavaScript Files to Data Partners
Completed | HSTS (HTTP Strict Transport Security) added to SSL/TLS of App Site
Completed | Restrict Personal Data at Signup to the Minimum Necessary
Completed | SSL (TLS) Deployed on App Site

Data Mapping

Status | Name
Completed | Add Performance Monitoring Applications to Data Providers
Completed | Add Exception/Error Reporting Services to Data Partners
Completed | Add Web Analytics Service to Data Partners
Completed | Add Internal Email Service to Data Partners
Completed | Add Hosting Provider to Data Partners
Completed | Add Social Embeds to Data Partners
Completed | Add Third Party Web Font Services to Data Partners
Completed | Add Customer Support (Helpdesk) Service to Partners
Completed | Add Transactional Email Service to Partners
Completed | Add Email Newsletter Service to Partners
Completed | Add CDN Provider to Data Partners
Completed | Add File Collaboration Service to Data Partners
Completed | Add Database Provider to Data Partners

Marketing Site Security

Status | Name
Completed | HSTS (HTTP Strict Transport Security) added to SSL/TLS of Marketing Site
Completed | Reviewed list of users with access to site
Completed | SSL (TLS) Deployed on Marketing Site

Privacy Procedures

Status | Name
Completed | Informed all Employees and Contractors about GDPR Compliance
Completed | Privacy Policy Updates
Completed | Procedure established to allow people to request that inaccuracies in their data are fixed
Completed | Process established for subject data requests
Completed | Get Management Approval for GDPR Efforts
Completed | Data Protection Policy Created
Completed | Developed a Data Processing Agreement
Completed | Briefed all Staff on GDPR Impact to the organization
Completed | Nominate a Data Protection Lead or Data Protection

Security Procedures

Status | Name
Completed | Data Breach Notification Policy has been established
Completed | Publish statement on public website on how to report security and data issues

Frequently Asked Questions

If you have any concerns not answered here, please reach out to our contact (listed above) and we'll be happy to assist.

How does GrowSurf enable me to be GDPR compliant?

GrowSurf enables customers to be GDPR compliant. Briefly stated, that means GrowSurf:

  • Provides sufficient guarantees to the controller to implement appropriate technical and organizational measures designed to safeguard customer data
  • Processes data (that could include personal data) only to fulfill its obligations as related to the Services
  • Enables users to modify and delete their account
  • Enables users to gain informed consent from participants
  • Enables users to modify and delete all participant data
  • Enables users to adhere to privacy standards by masking specific participant data in GrowSurf elements
  • Provides security documentation that describes the processes and procedures for safeguarding the data, outlined at https://growsurf.gdprpage.com

How do I request a DPA?

In order to use our products and services, you need to accept our DPA, which is linked here: Data Processing Agreement.

By agreeing to our Terms of Service, you are automatically accepting our DPA and do not need to sign a separate document.

What's the GDPR?

The General Data Protection Regulation (GDPR) is a new piece of privacy legislation enacted by the European Union. It represents a significant change in how personal (IP Addresses, Emails, Names) and sensitive (religion, ethnic origin, health, orientation) data is handled by companies.

How Do I Report a Security Issue?

We take all security reports seriously. Please email our security contact (information listed above) with any information you have regarding any potential data breaches, vulnerabilities or concerns.

Do Non-EU Companies need to comply with the GDPR?

While it remains to be seen if the EU has the legislative power to levy fines and enforcement against organizations around the globe, GDPR compliance is being sought by non-EU companies for a variety of reasons.

  • Customers and Prospects are making it a requirement
  • It's a solid framework for improving the handling of personal information and complying with the GDPR requirements improves our own security.