Privacy & GDPR
- How we integrate our products. We’re always improving our products to give you a frictionless and customized experience. The updates to our policy describe the tools we’ve built to make our products smarter and allow you to move seamlessly from one Fundwave product to another.
- More control over your information. We make it easy for you to control the information you provide to us. Our policy explains how you can make choices about your information, and the measures we’ve put in place to keep your information secure.
- Using our products for work. Many users have access to our services through their organizations (e.g., their employers), who control their accounts or use of our services. The updated policy clarifies our relationship to these users and explains the tools available to administrators of these users.
2. What is GDPR, and what is Fundwave doing to comply?
GDPR stands for the General Data Protection Regulation and is effective as of May 25th, 2018. GDPR replaces national privacy and security laws that previously existed within the EU with a single, comprehensive EU-wide law that governs the use, sharing, transfer and processing of any personal data that originates from the EU.
Our policy is to respect all laws that apply to our business and this includes GDPR. We also appreciate that our customers have requirements under GDPR that are directly impacted by their use of Fundwave products and services. We are committed to helping our customers stay in compliance with GDPR and their local requirements.
In addition, here are a few things that Fundwave is committed to doing to ensure our compliance with GDPR and that of our customers:
- We use a top-tier, third-party data hosting provider (Amazon Web Services) to host your Fundwave instance. For more information about their approach to compliance with the GDPR, see https://aws.amazon.com/compliance/gdpr-center/
- Where we are transferring data outside of the EU, Fundwave commits to having the appropriate data transfer mechanisms in place as required by GDPR.
- Fundwave commits to follow appropriate security measures and precautions in accordance with GDPR.
- Fundwave will assist with notifying regulators of breaches and promptly communicating any breaches to customers and users.
- We will ensure that employees authorized to process personal data have committed to confidentiality.
- We will hold any subprocessors that handle personal data, including our data center partners, to the same data management, security, and privacy practices and standards to which we hold ourselves.
- Funndwave commits to carrying out data impact assessments and consulting with EU regulators where a data impact assessment indicates a high risk associated with processing without an appropriate mitigating strategy.
- Where appropriate, we will offer contractual language documenting our commitments to our customers to support their GDPR obligations.
- Fundwave will assist our customers, insofar as possible, to respond to data subject requests our customers may receive under the GDPR.
3. Does Fundwave process personal data?
4. Can Fundwave assist my company with responding to an Individual Rights Request (Subject Access Request)?
As a processor of personal data for many of our customers, we will assist our customers with responding to individual rights requests that they receive under the GDPR. In many cases, customers may be able address these types of requests by logging into the applicable product and using settings available within such product or your account. Where this is not possible, please contact us to request assistance with any such individual rights requests.
5. Where does Fundwave store and send my data?
Our goal is to provide our customers with secure, fast, and reliable services. As a provider of global services, we run our services with common operational practices and features across multiple jurisdictions. Today, We use data hosting service providers worldwide, including the United States, Europe, Asia & Australia to host the information we collect. Data is stored in the data center closest to the location of the majority of users accessing an instance. Sometimes, often at the time of registering with us, you may be asked to choose your choice of hosting and backup location. In such cases, we will store the corresponding information in the region of your choice.
6. Can you host my data in the EU?
Sometimes, often at the time of registering with us, you may be asked to choose your choice of hosting and backup location. In such cases, we will store the corresponding information in the region of your choice. However, this choice may not be available at all times and for all information. When available, your administrator or the billing contact may be responsible for making this choice and individual users need to contact the relevant person in your organisation to find out where your data is hosted.
7. How does Fundwave handle onward transfers of data outside of the EU?
We need to transfer your personal data to other organizations to help us provide you the service. For example, we use Amazon Web Services data centers to assist us in storing your data. In some instances, these are other companies within the Fundwave family. Whenever we share your data, we remain accountable to you for how it is used by any of these organizations.
When personal data is hosted or processed outside of the European Economic Area by Fundwave, GDPR requires that it remains protected by appropriate safeguards in line with EU law. We rely on a combination of measures to ensure compliance with EU data export rules, including Model Clauses.
8. What is Privacy Shield and is Fundwave certified?
In order to legally transfer data outside of the EU, the GDPR requires such data be transferred in accordance with an “adequate transfer mechanism.” The Privacy Shield Program is a framework agreed to by the U.S. Department of Commerce and the European Commission that provides an “adequate transfer mechanism” for participating companies. Companies certifying to the Privacy Shield framework agree to apply specific privacy and security protections to personal data when it is transferred from the EU to the U.S.
Fundwave is a Singapore-headquartered company, with offices all over the globe – we are not a US-headquartered company. Privacy Shield is only one of a few available mechanisms to transfer data outside of the EU, and certification against the Privacy Shield is not a legal requirement. We rely on a combination of measures to ensure compliance with EU data export rules, including Model Clauses.
9. Will Fundwave sign Standard Contractual Clauses (also known as Model Clauses)?
When we process EU customer data in other territories, like the United States of America or Singapore, we ensure “appropriate safeguards” are in place that are prescribed by GDPR – i.e., by entering into the European Commission’s Standard Contractual Clauses with the entity the data is transferred to, or by ensuring the entity is Privacy Shield certified (for transfers to US based entities).
10. Do you offer your customers a Data Processing Addendum?
Yes! We understand that our customers, and in particular, our European customers, will require that, where Fundwave is a processor of EU personal data, we execute additional terms that meet GDPR obligations with respect to the processing of that EU personal data. The Fundwave Data Processing Addendum is available upon request for all Cloud customers to review and use to meet your onward transfer requirements under GDPR. To obtain a copy of our DPA please reach out to privacy [AT] getfundwave.com.
11. Can I make changes to the Fundwave DPA?
The Fundwave DPA is an extension of our Customer Agreement and reflects our compliance with GDPR requirements (including those specifically set forth under Article 28) as applicable to our products and services. Just as with our Customer Agreement, we’re unable to make any changes to our DPA on a customer-by-customer basis.
12. Can I opt out of having my data collected or shared?
13. How does Fundwave secure my data?
Protecting our customers’ data is fundamental to everything we do.
We use a top-tier, third-party data hosting provider (Amazon Web Services) to host your Fundwave instance. AWS’ industry-leading security has a long list of internationally recognized certifications and accreditations, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1 and others. For more information about their approach to compliance with the GDPR, see https://aws.amazon.com/compliance/gdpr-center/
For further information on the approach Fundwave takes to protect your data, please refer to Section 3 of our Implementation Guide.
14. Does Fundwave use sub-processors to further process customer data?
A list of our subprocessors can be found on our Sub-Processors page.
15. Who can I contact with questions regarding GDPR?