Loading the page...

Managing Director

Jesse Hanley

📧 [email protected]
📞 +1 512-817-0614

Make a data request

Submit Request  →

Data Processing Agreement (DPA)

View DPA Before Signing  →

Compliance Checklist

Lawful Basis and Transparency
Status Task Description
Completed Have a legal justification for your data processing activities.

Processing of data is illegal under the GDPR unless you can justify it according to one of six conditions listed in Article 6. There are other provisions related to children and special categories of personal data in Articles 7-11. Review these provisions, choose a lawful basis for processing, and document your rationale. Note that if you choose "consent" as your lawful basis, there are extra obligations, including giving data subjects the ongoing opportunity to revoke consent. If "legitimate interests" is your lawful basis, you must be able to demonstrate you have conducted a privacy impact assessment.

Completed Provide clear information about your data processing and legal justification in your privacy policy.

You need to tell people that you're collecting their data and why (Article 12). You should explain how the data is processed, who has access to it, and how you're keeping it safe. This information should be included in your privacy policy and provided to data subjects at the time you collect their data. It must be presented "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child."

Data Security
Status Task Description
Completed Take data protection into account at all times, from the moment you begin developing a product to each time you process data.

You must follow the principles of "data protection by design and by default," including implementing "appropriate technical and organizational measures" to protect data. In other words, data protection is something you now have to consider whenever you do anything with other people's personal data. You also need to make sure any processing of personal data adheres to the data protection principles outlined in Article 5. Technical measures include encryption, and organizational measures are things like limiting the amount of personal data you collect or deleting data you no longer need. The point is that it needs to be something you and your employees are always aware of.

Completed Have a process in place to notify the authorities and your data subjects in the event of a data breach.

If there's a data breach and personal data is exposed, you are required to notify the supervisory authority in your jurisdiction within 72 hours. A list of many of the EU member states supervisory authorities can be found here. The GDPR does not specify whom you should notify if you are not an EU-based organization. For those in English-speaking non-EU countries, you may find it easiest to notify the Office of the Data Protection Commissioner in Ireland. You are also required to quickly communicate data breaches to your data subjects unless the breach is unlikely to put them at risk (for instance, if the stolen data is encrypted).

Completed Encrypt, pseudonymize, or anonymize personal data wherever possible.

Most of the productivity tools used by businesses are now available with end-to-end encryption built in, including email, messaging, notes, and cloud storage. The GDPR requires organizations to use encryption or pseudeonymization whenever feasible.

In Progress Create an internal security policy for your team members, and build awareness about data protection.

Even if your technical security is strong, operational security can still be a weak link. Create a security policy that ensures your team members are knowledgeable about data security. It should include guidance about email security, passwords, two-factor authentication, device encryption, and VPNs. Employees who have access to personal data and non-technical employees should receive extra training in the requirements of the GDPR.

In Progress Know when to conduct a data protection impact assessment, and have a process in place to carry it out.

A data protection impact assessment (aka privacy impact assessment) is a way to help you understand how your product or service could jeopardize your customers' data, as well as how to minimize those risks. The UK Information Commissioner's Office (ICO) has a data protection impact assessment checklist on its website. The GDPR requires organizations to carry out this kind of analysis whenever they plan to use people's data in such a way that it's "likely to result in a high risk to [their] rights and freedoms." The ICO recommends just doing it anytime you're about to process personal data.

Accountability and Governance
Status Task Description
Completed Designate someone responsible for ensuring GDPR compliance across your organization.

Another part of "data protection by design and by default" is making sure someone in your organization is accountable for GDPR compliance. This person should be empowered to evaluate data protection policies and the implementation of those policies.

Completed Sign a data processing agreement between your organization and any third parties that process personal data on your behalf.

This includes any third-party services that handle the personal data of your data subjects, including analytics software, email services, cloud servers, etc. The vast majority of services have a standard data processing agreement available on their websites for you to review. They spell out the rights and obligations of each party for GDPR compliance. You should only use third parties that are reliable and can make sufficient data protection guarantees.

In Progress If your organization is outside the EU, appoint a representative within one of the EU member states.

If you process data relating to people in one particular member state, you need to appoint a representative in that country who can communicate on your behalf with data protection authorities. The GDPR and its official supporting documents do not give guidance for situations where processing affects EU individuals across multiple member states. Until this requirement is interpreted, it may be prudent to designate a representative in a member state that uses your language. Some organizations, like public bodies, are not required to appoint a representative in the EU.

Privacy Rights
Status Task Description
Completed It's easy for your customers to request and receive all the information you have about them.

People have the right to see what personal data you have about them and how you're using it. They also have a right to know how long you plan to store their information and the reason for keeping it that length of time. You have to send them the first copy of this information for free but can charge a reasonable fee for subsequent copies. Make sure you can verify the identity of the person requesting the data. You should be able to comply with such requests within a month.

Completed It's easy for your customers to correct or update inaccurate or incomplete information.

Do your best to keep data up to date by putting a data quality process in place, and make it easy for your customers to view (Article 15) and update their personal information for accuracy and completeness. Make sure you can verify the identity of the person requesting the data. You should be able to comply with requests under Article 16 within a month.

Completed It's easy for your customers to request to have their personal data deleted.

People generally have the right to ask you to delete all the personal data you have about them, and you have to honor their request within about a month. There are a five grounds on which you can deny the request, such as the exercise of freedom of speech or compliance with a legal obligation. You must also try to verify the identity of the person making the request.

Completed It's easy for your customers to ask you to stop processing their data.

Your data subjects can request to restrict or stop processing of their data if certain grounds apply, mainly if there's some dispute about the lawfulness of the processing or the accuracy of the data. You are required to honor their request within about a month. While processing is restricted, you're still allowed to keep storing their data. You must notify the data subject before you begin processing their data again.

Completed It's easy for your customers to receive a copy of their personal data in a format that can be easily transferred to another company.

This means that you should be able to send their personal data in a commonly readable format (e.g. a spreadsheet) either to them or to a third party they designate. This may seem unfair from a business standpoint in that you may have to turn over your customers' data to a competitor. But from privacy standpoint, the idea is that people own their data, not you.

Completed It's easy for your customers to object to you processing their data.

If you're processing their data for the purposes of direct marketing, you have to stop processing it immediately for that purpose. Otherwise, you may be able to challenge their objection if you can demonstrate "compelling legitimate grounds."

Completed If you make decisions about people based on automated processes, you have a procedure to protect their rights.

Some types of organizations use automated processes to help them make decisions about people that have legal or "similarly significant" effects. If you think that applies to you, you'll need to set up a procedure to ensure you are protecting their rights, freedoms, and legitimate interests. You need to make it easy for people to request human intervention, to weigh in on decisions, and to challenge decisions you've already made.

Subprocessors

In order to provide its services, Bento Software may engage third parties or other members of the Bento Software corporate group (affiliates) to carry out data-processing activities that involve access to customer data. These organizations, called “subprocessors,” are identified below with their locations and the types of services they provide to Bento Software.

Name Country Description Type of Service Mandatory
Cloudflare United States We utilize Cloudflare as a content delivery network (CDN) and web security service to enhance the performance and security of our website. Cloudflare assists us in delivering website content efficiently and protecting it from potential security threats such as DDoS attacks. As part of its services, Cloudflare may process personal data such as IP addresses, cookies, and other website visitor information. This data processing helps us improve website functionality, monitor traffic, and ensure a secure browsing experience for our users. We have taken appropriate measures to ensure that personal data processed through Cloudflare's services complies with applicable data protection laws, including the General Data Protection Regulation (GDPR). We encourage individuals to review our privacy policy to understand how their data is collected, processed, and protected when using our website in conjunction with Cloudflare's services. Hosting Provider Required
Heroku United States We utilize Heroku, a cloud platform, along with Heroku Postgres, a managed relational database service, to develop and deploy our applications. Heroku provides us with a flexible and scalable infrastructure to host our applications securely. Heroku Postgres serves as our backend database, storing and managing data required for our applications' functionality. As part of using Heroku and Heroku Postgres, we may process personal data provided by our users. This includes information such as usernames, email addresses, and any other data necessary for the proper functioning of our applications. We take appropriate measures to handle personal data securely, adhering to applicable data protection regulations, including the General Data Protection Regulation (GDPR). We are committed to protecting the privacy and security of our users' data. Our privacy policy outlines the types of personal data we collect, how we use and process it, and the rights individuals have over their data. We ensure that personal data processed through Heroku and Heroku Postgres is handled in accordance with our privacy policy and the requirements set forth by applicable data protection laws. Hosting Provider Required
Vercel United States We utilize Vercel, a cloud platform for deploying and hosting websites and applications. Vercel allows us to efficiently deploy and manage our web applications, ensuring a seamless user experience. As part of using Vercel, we may process personal data provided by our users. This may include information such as names, email addresses, and any other data necessary for the proper functioning of our applications. We handle personal data in accordance with applicable data protection regulations, including the General Data Protection Regulation (GDPR). We are committed to safeguarding the privacy and security of our users' data. Our privacy policy outlines the types of personal data we collect, how we use and process it, and the rights individuals have over their data. We ensure that personal data processed through Vercel is handled in accordance with our privacy policy and the requirements set forth by applicable data protection laws. By utilizing Vercel, we aim to provide our users with a secure and reliable experience while respecting their data protection rights. We encourage individuals to review our privacy policy to understand how their data is collected, processed, and protected when using our applications hosted on Vercel. Hosting Provider Required
Elastic United States We utilize Elastic.co, a powerful search and analytics engine, to enhance the search capabilities and data analysis within our applications. Elastic.co allows us to efficiently index, search, and analyze data, providing valuable insights for our users. As part of using Elastic.co, we may process personal data provided by our users. This may include information such as user preferences, search queries, and any other data necessary for delivering relevant search results and analytics. We handle personal data in compliance with applicable data protection regulations, including the General Data Protection Regulation (GDPR). We prioritize the privacy and security of our users' data. Our privacy policy outlines the types of personal data we collect, how we use and process it, and the rights individuals have over their data. We ensure that personal data processed through Elastic.co is handled in accordance with our privacy policy and the requirements set forth by applicable data protection laws. By utilizing Elastic.co, we strive to provide our users with powerful search capabilities and insightful data analysis while maintaining the highest standards of data protection. We encourage individuals to review our privacy policy to understand how their data is collected, processed, and protected when using our applications powered by Elastic.co. Cloud Services Required
Amazon Web Services United States We utilize Amazon Web Services (AWS), a comprehensive cloud computing platform, to power our infrastructure and deliver our services. AWS offers a wide range of scalable and reliable cloud services that enable us to efficiently store, process, and manage data. As part of using AWS, we may process personal data provided by our users. This can include information such as names, email addresses, and any other data necessary for providing our services. We handle personal data in accordance with applicable data protection regulations, including the General Data Protection Regulation (GDPR). We are committed to protecting the privacy and security of our users' data. Our privacy policy outlines the types of personal data we collect, how we use and process it, and the rights individuals have over their data. We ensure that personal data processed through AWS is handled in accordance with our privacy policy and the requirements set forth by applicable data protection laws. AWS provides a secure and reliable infrastructure for us to deliver our services, and we take advantage of the security features and controls offered by AWS to protect personal data. By utilizing AWS, we aim to provide our users with a high-quality and secure experience while respecting their data protection rights. We encourage individuals to review our privacy policy to understand how their data is collected, processed, and protected when using our services hosted on AWS. Cloud Services Required
Planetscale We utilize Planetscale as our database platform to effectively manage and scale our relational databases. Planetscale offers robust features and tools that enable us to store, organize, and query data efficiently. As part of using Planetscale, we may process personal data provided by our users or customers. This can include information such as user profiles, transactional data, or any other data necessary for the proper functioning of our applications or services. We handle personal data in compliance with applicable data protection regulations, including the General Data Protection Regulation (GDPR). We prioritize the privacy and security of our users' data. Our privacy policy outlines the types of personal data we collect, how we use and process it, and the rights individuals have over their data. We ensure that personal data processed through Planetscale is handled in accordance with our privacy policy and the requirements set forth by applicable data protection laws. Planetscale provides secure infrastructure and implements industry-standard security measures to protect data stored in their platform. By utilizing Planetscale, we aim to deliver reliable and efficient database management while safeguarding the confidentiality and integrity of personal data. We encourage individuals to review our privacy policy to understand how their data is collected, processed, and protected when using our applications or services powered by Planetscale. Cloud Services Required
Stripe United States We utilize Stripe as our payment processing service to facilitate secure online transactions. Stripe handles the collection, processing, and storage of payment-related data on our behalf. When using Stripe, personal data, such as payment card details, may be processed. We take data protection and privacy seriously and handle personal data in compliance with applicable data protection regulations, including the General Data Protection Regulation (GDPR). We have implemented appropriate security measures and data protection protocols to safeguard the personal data processed through Stripe. We only collect and retain the necessary personal data required for payment processing purposes and securely handle it in accordance with our privacy policy. Stripe itself is committed to GDPR compliance and provides tools and resources to assist businesses in meeting their GDPR obligations. They have implemented strong security measures to protect personal data and offer features that support data subject rights, such as access, rectification, and erasure requests. By using Stripe as our payment processing service, we aim to provide a seamless and secure payment experience for our customers while ensuring compliance with data protection regulations. For more details on how personal data is collected, processed, and protected, please refer to our privacy policy. Payments Required
SendGrid/Twilio United States We utilize SendGrid as our Email Service Provider (ESP) to efficiently manage and deliver our email communications. SendGrid helps us ensure that our emails reach the intended recipients' inboxes reliably and securely. When using SendGrid as our ESP, personal data such as email addresses and recipient engagement data may be processed. We handle personal data in compliance with applicable data protection regulations, including the General Data Protection Regulation (GDPR). Cloud Services Required
Close United States We utilize Close.com as our sales CRM platform to streamline and optimize our sales processes and customer interactions. Close.com helps us manage leads, track sales activities, and nurture relationships with our prospects and customers. As part of using Close.com, we may process personal data provided by our leads, prospects, and customers. This personal data can include contact details, communication history, and other relevant information necessary for effective sales engagement. We handle personal data in compliance with applicable data protection regulations, including the General Data Protection Regulation (GDPR). CRM Required
Gmail by Google United States Email hosting Required
Contentful United States CMS Not Required
Spamhaus United States Cloud Services Required

FAQs

Please see our frequently asked questions below. Please keep in mind that this is not legal advice and we recommend consulting with your internal compliance team or privacy attorney for guidance on compliance matters. Bento Software is committed to helping our customers comply with applicable laws, but we cannot guarantee that your use of our products will be fully compliant. As always, we recommend seeking professional legal counsel for any specific questions or concerns.

Should I get consent from a customer to collect their personal data?

While it is always good practice to receive explicit consent from your customer, certain laws and regulations (such as the GDPR) require consent prior to collecting personal data of certain individuals (such as those in the EU).

It is also important to note that under GDPR, consent is one of a number of legitimate interests for processing data. Others include the need to process for the performance of a contract, the need to process in order to comply with a legal obligation, and the need to process in order to protect the vital interests of the data subject or another natural person. Full details can be found in Article 6 of GDPR.

Can I modify a customer’s personal data?

Yes, you can modify all data to correct personal data as required by GDPR when you receive a Subject Access Request, or for other reasons. Simply contact us and we will work with you to make the adjustments.

Can I delete personal data?

Yes, you can delete any data, including data that contains personal data, as required by GDPR. You can also remove all other requested customer data by sending us a data request.

Is personal data permanently deleted when I remove it?

A deleted data or person is initially flagged for deletion, remove from search, and may be recovered by our team upon request. After 30 days, the deletion becomes permanent and unrecoverable.

How long is personal data retained in Bento Software if I don’t delete it?

Bento Software’s philosophy is that customers own and control all the data they collect. Any retention period required by law or your company policy is controlled by you.

You should ensure that all people and personal data are deleted prior to stopping your usage of Bento Software, especially if required by policy, law, or regulation.

Does my data get included in backups, and if so, for how long?

Yes. Bento Software backs up all customer data, and retains the backups for 30 days. After 30 days, the backup is deleted.

Can I delete customer’s personal data from Bento Software backups?

No. The backup dataset contains all customer data, and is used for disaster recovery purposes only. This is required for legal and compliance reasons related to availability obligations. Any personal data in these backups will be permanently deleted after 30 days.

If my data centre is located in the EU, does Bento Software transfer my personal data outside the EU at any point?

Our data centers are with Amazon Web Services in the United States. However, data transfer is covered by the EU-US Privacy Shield framework, of which we are a member, and allowed by GDPR as providing adequate safeguards.

Does Bento Software ensure that my data is accessed only by employees with reasonable justification for doing so?

As required by GDPR, only qualified Bento Software employees with a specific need are permitted to access your account. The typical reason for accessing your account would be upon your specific request for support.

Does Bento Software use sub-processors that process my data?

Bento Software presently uses sub-processors to provide the service. As required by GDPR, Bento Software maintains a list of those sub-processors here.

If a data breach occurs with the Bento Software platform that affects my data, how and when will I be notified?

If a confirmed data breach occurs that is caused by Bento Software’s actions or inactions, we will, without undue delay, notify the account owner. Information about the breach will be released as it becomes available, as allowed by GDPR. The account owner will be the main point of contact for all notifications, and will be kept aware of the investigation and remediation efforts as they progress.

How can I comply with a Subject Access Request and portability as required by GDPR?

As you know about the data you are collecting, you are responsible for handling any Subject Access Request (SAR). Bento Software only provides the platform and wouldn’t know the details about your customizations, properties, or your customers.

A SAR means that a customer is asking about information being collected about him or her. If you collected personal data of an EU citizen or a person residing in the EU, you may have a legal obligation to respond to a SAR.

Data may be downloaded in industry-standard formats for data portability to comply with GDPR.

If Bento Software receives a SAR, it will do its best to contact the owner. It may not always be possible to know what who the rightful owner is.

How do I comply with a Subject Access Request to “be forgotten?”

Similar to the above, you know what data you have. If you collected personal data of an EU citizen or a person residing in the EU, you may have a legal obligation to respond and comply with a request to delete all identifiable data.

As previously stated, you have the ability to delete a customer's data.

How does Bento Software comply with its GDPR obligations to return or destroy all EU personal data?

Bento Software provide easy ways to download all your data in industry-standard formats. And, as previously described, you may easily delete data, and entire histories for a customer.

How does Bento Software comply with its GDPR obligations to encrypt personal data?

All data stored in our primary databases and backups are encrypted using an industry standard strong cipher. All data transmitted to the Bento Software platform are encrypted using the industry standard TLS protocol.

How can I ensure my customers that Bento Software security meets applicable law and the GDPR (Article 32)?

Bento Software is committed to safeguarding your data. We use sophisticated controls during processing to maintain the confidentiality, integrity, availability, and resilience of your data. Our Security page outlines the details of our application security, network security, policies, and more.

As related to Article 28 in the GDPR, Bento Software will only process personal data according to your instructions. In other words, the commands you use in the product are the “instructions,” and Bento Software does not use personal data for any other means. In addition, it does not transfer personal data to a third party without your consent. If personal data is transferred from the EU to a third country, then adequate safeguards will apply to the transfer (such as the EU-US Privacy Shield Framework).

Bento Software has developed recovery procedures to minimize downtime related to a disaster, with the ability to restore access to personal data in a timely manner in the event of a physical or technical incident.

We regularly test, assess and evaluate the effectiveness of our technical and organizational measures to ensure the security of the processing.

GDPR compliance powered by ComplyDog