Last Updated: January 19, 2023
GDPR Compliance
Overview
Finpace has implemented processes and procedures to ensure we meet both our Data Controller and Data Processor obligations under the European Union's (EU) General Data Protection Regulation (GDPR).
To determine our readiness for GDPR, Finpace conducted a risk-based gap analysis of current capabilities and validated the assessment with an independent, third-party, GDPR expert. Our relevant policies are available upon request.
It's important to note: GDPR does not have an accredited certification method, which means there is no GDPR-approved way to demonstrate compliance. If you have questions regarding our compliance please reach out to team@finpace.com and our Data Privacy Officer (DPO) will gladly answer any questions you may have.
Security
- Finpace has strong data protection controls including encryption of data in transit and at rest, in order to safeguard Data Subject's data from unintended disclosure or misuse.
- Finpace follows industry standard best information security practices and rigorously tests its products to proactively remedy bugs and vulnerabilities.
- Finpace maintains incident response and notification processes which are reviewed and tested annually.
- Finpace has procedures in place to ensure data recovery and data integrity, so that customer data is not lost or inadvertently corrupted.
- Finpace provides assurances that the customer retains full control of their data.
- Finpace's key data sub-processors, e.g. Amazon Web Services (AWS), all maintain rigorous security standards (SOC2 and/or ISO 27001 certifications, where possible), and undergo annual vendor reviews.
Contractual Agreements
Finpace provides Data Processing Agreements to any customer who may need them. Included in the Data Processing Agreement are standard contractual clauses for data transfer to third-party countries. These clauses ensure our customers can transfer data to countries outside of the European Economic Area (EEA) in order to be able to use the Finpace platform. Furthermore, Finpace has Data Processing Agreements in place with all sub-processors where required by law.
Recommendations for Finpace Customers
We believe security and privacy are a shared responsibility between vendor and customer. Finpace is committed to helping you successfully meet your GDPR privacy requirements. It is important to understand your obligations related to the GDPR regardless of where your organization resides.
- Read through and understand the regulation. Multiple languages and formats are available here.
- Perform a gap, or impact, analysis to determine if there are any controls or processes which need to be put in place to adhere to the regulation. If necessary, implement those changes.
- Review the personal information shared with Finpace, including any integrations you may have, and ensure you are not sharing or storing any unneeded or sensitive (SSN, driver's license, credit card #, passport #, etc.) personal data.
- Determine if you require consent from Data Subjects in order to process their information. If so, update your consent collection and any forms or APIs if necessary.
- Review any processors, including Finpace, which may store or process sensitive information. Ensure they have the proper processes and controls in place and establish Data Processing Agreements where necessary.
- Update your privacy policy to reflect your use of Finpace as a data processor for the purpose of improving and managing your client engagement processes.
- Ensure you have the proper consent in order to track email opens or collect e-signatures. If not, we encourage you to configure those features appropriately.
- Make sure to include unsubscribe links or notices within any emails which are required by law.
- If you have received a Right to be Forgotten request from a Data Subject, simply delete the client record within Finpace and within 30 days that information will be completely removed from our systems.
- If you or your company wish to have their data completely removed from our systems please email team@finpace.com.
Data Removal Request
To submit a data removal request, please contact us at team@finpace.com with your name, email address, and details of your request. We will process your request in accordance with applicable data protection laws.