GDPR compliance

  1. In what jurisdictions is Softr data processing located? Does this include CDNs?

  2. How are data deletion requests handled for Softr apps?

  3. Do apps built with Softr gather proper explicit user consent? Including not just for cookies, but for broader privacy compliance including data processing.

Thank you.

Hi @alexxlee, please have a look at the following docs. They will answer all your mentioned questions:

Could we get a straightforward GDPR FAQ to read?

Also, there are two parts to this.

  1. What does Softr do for us (your clients)?
  2. What support does Softr provide that we can leverage for our clients/users and how should we communicate our GDPR compliance?

@johntreadway GDPR is typically hard to interpret and courts even go case by case (e.g. the latest case by a Munich court, classifying Google Fonts served via Google as non-compliant).

Back to your question: we do offer the cookie consent management solution Iubenda (which has a good free tier too), we do host Google Fonts so the client doesn’t reach out to Google servers for fonts, our own data is stored in AWS EU servers, and most importantly, when it comes to data deletion, you can do it from Softr and Airtable directly.

–Artur

I would add a question about data sovereignty as well – I know there’s no feature for specifying countries where data can or can’t be housed, but it might still be helpful if the FAQ stated which regions the data centers were in. (Is EU the only one?)

@Marine.Hovhannisyan Thank you, I wasn’t able to figure out the first and second questions, however. The answers are, as @johntreadway suggests, not as straightforward (as with some other platforms).

As a German company, we take data security and privacy very seriously, and we therefore keep as much data storage as possible inside the borders of the EU. The datacenter is therefore located in Germany and is SOC 1, SOC 2, and ISO 27001 certified with 24/7 operations and enterprise-grade security.

Are CDNs or other globally distributed processing/storage never in use?

For data deletion requests, how can Softr makers ensure that all stored data associated with a user is purged, in all of the places where it is cached or materialized?


@dcoletta at Softr we use AWS eu-central (Frankfurt)

Excellent! Now when do we get active-active multi-region support? :slight_smile:


We don’t yet put any user data into a CDN, e.g. when you upload an image it’s still in AWS EU (might change over time).

When it comes to user deletion, I don’t think we have distribution out of our own services/aws-eu.


The easy way to understand GDPR is to know the 8 rights an EU citizen has & that you have the measures in place.

  1. Right to be informed
  2. Right of access
  3. Right to rectification
  4. Right to be forgotten
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object to direct marketing
  8. Rights in relation to automated decision making and profiling