General data protection regulation (GDPR)Link to this section
Kinde adheres to GDPR principles and here’s how we do this.
The issues listed below are a summary based on the GDPR-Info page by Intersoft Consulting. They summarize the key issues facing companies in regard to data protection.
If you have questions or need more information, contact us via live chat or email firstname.lastname@example.org.
Key issuesLink to this section
ConsentLink to this section
Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing.
Kinde processes personal data as part of our authentication product. Specifically first name, last name, and email address. Note that there may be less information provided depending on the type of authentication integration being used by our customers. For example, some social providers only provide the email or only provide a custom identifier without revealing any personal details. The consent for this is part of the terms between data subjects and Kinde’s customers. Kinde’s customers are the data controller, where as Kinde is only a data processor on behalf of our customer.
With respect to marketing efforts, Kinde uses a legitimate interest assessment internally to determine broad scopes of marketing activities.
More specifically with consent would be the topic of cookies. Kinde’s marketing website does not use any tracking or third party cookies. All website analytics is done anonymously using a tool called Plausible.io. Both Kinde’s marketing website and production services use first party cookies to help maintain functionality such as session authentication. This cookie stance does not apply when leaving Kinde’s website to external services such as LinkedIn or Twitter.
Data Protection OfficerLink to this section
The GDPR has established the concept of a Data Protection Officer.
Kinde has nominated a Data Protection Officer internally, whose core responsibilities include ensuring Kinde is aware of, and trained on, all relevant privacy obligations, conduct audits to ensure compliance, address potential issues proactively, and act as a liaison with the public on privacy matters.
Email marketingLink to this section
Newsletter mailings and e-mail marketing are a fixed part of the online marketing universe.
All marketing emails are sent with an opt-out link in the event that customers don’t want to receive products updates from us. Membership to the email marketing lists is collected when users voluntarily provide details to us, such as signing up for our product, registering for the newsletter, or signing up to blog post or product updates.
EncryptionLink to this section
Companies can reduce the probability of a data breach and thus reduce the risk of fines in the future, if they chose to use encryption of personal data.
All customer data, including personal data, is encrypted at rest in Kinde’s production database using AES256. We use AWS’s RDS and KMS to facilitate most of this work. More information can be found on the Security at Kinde page. Access to Kinde customer data and the backend infrastructure is strictly limited and controlled.
Privacy by DesignLink to this section
The term “Privacy by Design” means nothing more than “data protection through technology design.” Technical and organisational measures must be taken already at the time of planning a processing system to protect data safety.
One of Kinde’s product principles is Privacy by Design. In this effort, we have made a commitment to never sell our customer data. In addition to this, we’ve included privacy related checks throughout our software lifecycle to ensure that Kinde only collects the bare minimum amount of personal data to successfully run the product.
Privacy impact assessmentLink to this section
This refers to the obligation of the controller to conduct an impact assessment and to document it before starting the intended data processing.
Kinde has completed privacy impact assessments for our key processing activities, which internally we’ve called a Data Protection Impact Assessments (DPIA), based on a template provided by the UK’s Information Commissioners Office. They’re long and thorough, and have been extremely useful in mapping out the personal data being handled, but also influencing the business and technical strategies in protecting that data.
ProcessingLink to this section
The GDPR offers a uniform, Europe-wide possibility for so-called ‘commissioned data processing’, which is the gathering, processing or use of personal data by a processor in accordance with the instructions of the controller based on a contract.
As Kinde is a business to business (B2B) company, we handle personal data on behalf of our customers, which makes us a data processor. Our customers are the data controllers. As a result, Kinde takes instruction from the customers about what to do with the personal data. With respect to the customer, Kinde is a sub-processor for them.
Records of processing activitiesLink to this section
Written documentation and overview of procedures by which personal data are processed. Records of processing activities must include significant information about data processing, including data categories, the group of data subjects, the purpose of the processing and the data recipients. This must be completely made available to authorities upon request.
One of the outputs from the DPIA mentioned earlier is a privacy data map, which includes records of processing activities (RoPA). Privacy surveys are conducted with each department to identify their own activities and what personal data is being handled. This captures information across user types such as customers, users, and employees. Once the surveys are done, the information is collated back into our RoPA and then updated as needed.
Right of accessLink to this section
The right of access plays a central role in the GDPR. On the one hand, because only the right of access allows the data subject to exercise further rights (such as rectification and erasure). On the other hand, because an omitted or incomplete disclosure is subject to fines.
Due to Kinde being a processor of data and not the controller, the right of access for a data subject should be directed at Kinde’s customers. These companies should handle the privacy request and forward onto Kinde if there’s anything that we can do to assist. For the most part, Kinde will allow customers to view, adjust, or remove personal data for their users, such as user’s names or emails.
Right to be forgottenLink to this section
For the first time, the right to be forgotten is codified and to be found in the GDPR in addition to the right to erasure.
Refer to Right of access.
Right to be informedLink to this section
There is a need for transparency regarding the gathering and use of data in order to allow EU citizens to exercise their right to the protection of personal data.
Refer to Right of access.Trust center