Overview
The data privacy regulatory landscape is changing significantly. This reference document collects, in one place, the information you need about how our products relate to the privacy regulations that apply to you.
EU General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR) came into force on May 25, 2018. SSLforSaaS complies with it.
GDPR strengthens and unifies data protection for all individuals within the European Union. It also addresses the export of personal data outside the EU and EEA areas.
Does GDPR Affect Me?
If you're based in the EU, or you offer goods or services to people in the EU, yes. GDPR has a long reach: if your SSLforSaaS account holds any EU personal data (names, email addresses, ID numbers, or anything else that identifies a person), then GDPR applies to you.
In that case you are a Controller of personal data under GDPR, and you need GDPR-compliant data processing agreements with every online service and third-party vendor that processes that data on your behalf, including SSLforSaaS. These agreements are commonly called a Data Processing Addendum, or DPA.
How Is SSLforSaaS Compliant With GDPR?
Protecting our customers' information and their users' privacy is a core obligation for us. These are the measures we have taken so that SSLforSaaS meets GDPR requirements:
- Policy updates — We updated our Privacy Policy, Terms of Service and other policies to adhere to GDPR and to be transparent about what we do with your data.
- Data Processing Addendum — We offer a DPA to all customers who require one for GDPR compliance.
- Notifications — If and when we make further changes to these policies, we will notify you of the updates.
Tools and Features to Help You Comply
As a data processor, we have released features and tools that help you respond to data requests from your users (for example, requests for deletion or export).
For your compliance:
- Ability for you or your team members to delete customer domain records
For our compliance:
- Automated application endpoint deletion
- Data export tool
Subprocessors
SSLforSaaS uses third-party subprocessors, such as cloud computing providers and customer support software, to provide our services. We enter into GDPR-compliant data processing agreements with each subprocessor, and we require each of them to do the same with their own subprocessors.
California Consumer Privacy Act (CCPA)
Under the CCPA, SSLforSaaS is a "service provider." That means that when we process data you provide, we do so solely for the purpose for which you signed up.
Our business model is simple: we enable businesses to provision SSL certificates for their customers' vanity domain names. We do not sell personal information, and we do not use your data for any other commercial purpose unless you give us explicit permission.
Relevant US Laws
The US does not have a national consumer privacy law akin to GDPR. There are, however, US national security laws that are relevant when assessing transfers of EU personal data to the US under GDPR.
Chief among them are the Foreign Intelligence Surveillance Act (FISA), in particular Section 702, and Executive Order 12333. Virtually every US-based software service can be subject to FISA orders.
To date, SSLforSaaS has never been served a FISA order or National Security Letter. We are committed to transparency and will notify users of any such requests to the fullest extent permitted by law.
Data Security
Security has been our focus from day one. As part of our GDPR compliance we review our security measures and incident responses on an ongoing basis.
- All data is encrypted in transit using TLS 1.3
- Data at rest is encrypted using AES-256
- Access to customer data is logged and audited
- Regular security reviews and penetration testing
- Incident response procedures in place