1 E Erie St
Chicago, IL 60611
As part of our ongoing efforts to protect the security and privacy of our users, we are working to meet or exceed the GDPR (General Data Protection Regulation). This site contains information on what steps we are taking, their progress, and who to contact for any security concerns. Please see our FAQ at the bottom of the page for more information.
In order to use our products and services, you need to accept our DPA.
We rely on a number of trusted 3rd parties to assist with our operations. Depending on the exact nature of your account and what you've requested we do, your data may be shared with one of these partners. We carefully evaluate each to make sure they're handling your personal data with the utmost respect, security, and privacy.
| Partner | Data Shared | Purpose |
|---|---|---|
| Atlassian (Trello) | Email Address | Project management and bug tracking |
| | | Image management & delivery solution. |
| Cohere.so | IP Address, Email, First Name, Last Name | Screenshare and debugging |
| Customer.io | IP Address, Email, First Name, Last Name | With Customer.io, send targeted emails, push notifications, and SMS to lower churn, create stronger relationships, and drive subscriptions. |
| Datadog | IP Address, Email, First Name, Last Name | Logging (errors and monitoring) |
| Delighted | IP Address, Email, First Name, Last Name | NPS survey forms |
| Digital Ocean | IP Address | Managed databases and hosted servers |
| | | Managed Elasticsearch hosting |
| Facebook Conversion Tracking | IP Address | Conversion tracking functionality from Facebook that allows a user to track advertisement clicks. |
| Facebook Pixel | IP Address | Facebook Pixel is Facebook's conversion tracking system for ads on Facebook to websites. |
| Firebase | IP Address, Email, First Name, Last Name | Managed authentication and database hosting |
| Global Site Tag | IP Address | Google's primary tag for Google Measurement/Conversion Tracking, Adwords and DoubleClick. |
| Google Analytics | IP Address | Google Analytics offers a host of compelling features and benefits for everyone from senior executives and advertising and marketing professionals to site owners and content developers. |
| Google Apps for Business | IP Address | Web-based email, calendar, and documents for teams. Renamed to Google Apps for Work, but now known as G Suite From Google Cloud. |
| Google Cloud Platform | IP Address, Email, First Name, Last Name | Managed database and backups hosting service |
| Google Tag Manager | IP Address | Tag management that lets you add and update website tags without changes to underlying website code. |
| Google Universal Analytics | IP Address | |
| GrowSurf | IP Address, Email, First Name, Last Name | |
| | | Heap automatically captures every user action in your web app and lets you measure it all. |
| HelpScout | IP Address, Email, First Name, Last Name | Customer support and sales communication |
| Hubspot | IP Address, Email, First Name, Last Name | Sales and customer success software |
| Mailerlite | IP Address, Email, First Name, Last Name | Marketing email and automation forms |
| Postmark | IP Address, Email, First Name, Last Name | Email service provider for sending transactional emails |
| Retool | IP Address, Email, First Name, Last Name | Internal tool for customer support and troubleshooting support |
| Rewardful | IP Address, Email | |
| Slack | Email, First Name, Last Name | Real-time team communication and internal notifications |
| Stripe | IP Address, Email, First Name, Last Name | Processing payments and managing subscriptions |
| Tango Card | IP Address, Email | Gift card rewarding |
| Twilio (SendGrid) | IP Address, Email, First Name, Last Name | Email service provider for sending transactional emails |
| Zapier | IP Address, Email, First Name, Last Name | Automating business workflows and notifications |
GDPR Compliance requires maintenance and ongoing work. We are tracking our efforts here.
Application Site Security

| Status | Task |
|---|---|
| Completed | SSL (TLS) Deployed on App Site |
| Completed | Establish Development Environment Data Handling Guidelines |
| Completed | HSTS (HTTP Strict Transport Security) added to SSL/TLS of App Site |
| Completed | Restrict Personal Data at Signup to the Minimum Necessary |
| Completed | Personal Data in File Storage is Encrypted |
| Completed | Personal Data in Databases is Encrypted |
| Completed | Ensure Access to Backups is Restricted |
| Completed | Registered with HaveIBeenPwned Domain Notification |
| Completed | Ensure Web Application Firewall enabled and blocking common attacks |
| Completed | Ensure Backups are Stored on Encrypted File Storage |
| Completed | Ensure Database Backups of Personal Data are working |
| Completed | Redact Logs from Writing Unneeded Personal or Sensitive Data |
| Completed | Inform Users about the GDPR Page |
| Completed | Affirmative Consent mechanism added to User Signup |
| Completed | Ensure internal employee and contractor behaviors around personal data are documented. |
| Completed | Add Customer Support (Helpdesk) Service to Partners |
| Completed | Add Exception/Error Reporting Services to Data Partners |
| Completed | Add Web Analytics Service to Data Partners |
| Completed | Add Internal Email Service to Data Partners |
| Completed | Add Hosting Provider to Data Partners |
| Completed | Add Social Embeds to Data Partners |
| Completed | Add Third Party Web Font Services to Data Partners |
| Completed | Add Transactional Email Service to Partners |
| Completed | Add Email Newsletter Service to Partners |
| Completed | Add CDN Provider to Data Partners |
| Completed | Add File Collaboration Service to Data Partners |
| Completed | Add Database Provider to Data Partner |
| Completed | Add Performance Monitoring Applications to Data Providers |

Marketing Site Security

| Status | Task |
|---|---|
| Completed | Reviewed list of users with access to site |
| Completed | SSL (TLS) Deployed on Marketing Site |
| Completed | HSTS (HTTP Strict Transport Security) added to SSL/TLS of Marketing Site |
| Completed | Nominate a Data Protection Lead or Data Protection |
| Completed | Get Management Approval for GDPR Efforts |
| Completed | Process established for subject data requests |
| Completed | Procedure established to allow for people to request that inaccuracies in their data are fixed. |
| Completed | Briefed all Staff on GDPR Impact to the organization |
| Completed | Developed a Data Processing Agreement |
| Completed | Data Protection Policy Created |
| Completed | Informed all Employees and Contractors about GDPR Compliance |
| Completed | Publish statement on public website on how to report security and data issues. |
| Completed | Data Breach Notification Policy has been established |
If you have any concerns not answered here, please reach out to our contact (listed above) and we'll be happy to assist.
While it remains to be seen if the EU has the legislative power to levy fines and enforcement against organizations around the globe, GDPR compliance is being sought by non-EU companies for a variety of reasons.
We take all security reports seriously. Please email our security contact (information listed above) with any information you have regarding any potential data breaches, vulnerabilities or concerns.
The General Data Protection Regulation (GDPR) is a new piece of privacy legislation enacted by the European Union. It represents a significant change in how personal (IP Addresses, Emails, Names) and sensitive (religion, ethnic origin, health, orientation) data is handled by companies.
In order to use our products and services, you need to accept our DPA, which we have provided a link to here: Data Processing Agreement.
By agreeing to our Terms of Service, you are automatically accepting our DPA and do not need to sign a separate document.
GrowSurf enables customers to be GDPR compliant. Briefly stated, that means GrowSurf: