Privacy Regulations Reference
Last Updated on May 24, 2021
European Union General Data Protection Regulation (GDPR)
B2B Ninja is an American company and our data infrastructure is currently based in the US. That means if you are in another country in the world and you use our products, your data is transferred to the US. The EU has stronger privacy laws than the US and a core tenet of the GDPR is that if you transfer any personal data of EU residents out of the EU, you must protect it to the same level as guaranteed under EU law. There are two factors to this:
The practices that businesses take handling personal data; and
The laws of the countries where you transfer the EU personal data to
Practices we have at B2B Ninja
We never have and never will sell customer data.
We limit the data we collect: if we don’t need it, we don’t ask for it.
We limit the permissions our apps request on your devices.
We put a lot of security measures into place including in-transit encryption, encryption at-rest, and requiring employees and contractors to sign non-disclosure agreements.
When you email us at [email protected], someone from our Privacy Working Group will get back to you. You are always speaking with a human! No bots.
We do work with sub-processors. We’ve listed links to our current sub-processors at the end of this page. With each vendor, we assess their commitment to privacy and we sign a data processing addendum with them that include the controller-processor Standard Contractual Clauses.Last but not least, we know privacy regulations are constantly evolving. We root for stronger consumer privacy laws! We use IAPP resources alongside legal counsel to stay aware of relevant changes in the regulatory landscape.
Relevant US laws
The US does not have a national consumer privacy law akin to GDPR. We’d love to see one put in place and until then, shout out to California for leading with the California Consumer Privacy Act (“CCPA” — more information following this GDPR section) and Illinois for its Biometric Information Privacy Act.There are national US security laws that are relevant to GDPR. Chief amongst them are: the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12-333. FISA establishes ways for US law enforcement and intelligence agencies to gather information within the US about non-US entities suspected of espionage or terrorism. Executive Order 12-333 sets out how US intelligence agencies can gather information, including outside the borders of the US.Virtually every American software service is subject to FISA. That includes all the American big tech companies you can think of as well as any European service that uses cloud infrastructure from Amazon Web Services, Microsoft Azure, or Google Cloud Computing. It also includes small tech American companies like us, Quote Ninja LLC. However to date, Quote Ninja has never been served a FISA order or National Security Letter.Even so, these laws are relevant for why extra mechanisms need to be in place to allow the legal transfer of personal data from the EU to the US. Since GDPR went into effect in 2018, B2B Ninja has offered such a mechanisms: a data processing addendum.
Data processing addendum
As of May 24, 2021, we have incorporated a Data Processing Addendum (DPA) to our Terms of Service. You can request our DPA via email at [email protected]. This addendum is in effect when the General Data Protection Regulation applies to your use of B2B Ninja Services to process Customer Data as defined in the DPA. The DPA includes the European Commission’s Standard Contractual Clauses (both controller-processor and controller-controller) to extend GDPR privacy principles, rights, and obligations everywhere personal data is processed. If you would like to have a signed copy of the DPA for your records, please email us at [email protected]. We provide the same privacy rights and protection to all customers, regardless of whether they choose to execute a DPA. The European Commission recently proposed updates to these Standard Contractual Clauses and if officially adopted, we will update our DPA to incorporate the updated clauses within the granted transition period.On July 16, 2020, the Court of Justice of the European Union (CJEU) made a ruling, colloquially called “Schrems II”. The CJEU ruled that when you use the Standard Contractual Clauses as the basis for the transfer of personal data from the EU to the US (and a few other countries) on the basis of Standard Contractual Clauses, extra scrutiny and safeguards must be in place. This ruling has opened up a lot of questions, including what qualifies as those extra safeguards. This crowdsourced webpage lists statements made by different Data Protection Authorities to date. Following the Schrems II ruling, we went back over our data flows and our obligations under the Standard Contractual Clauses. We wanted to make sure we can live up to those obligations, and we can. We also researched the means of recourse we could take in the theoretical event we are served a FISA warrant (which again, has not happened to date).
California Consumer Privacy Act (CCPA)
US Health Insurance Portability and Accountability Act (HIPAA)
Our products are currently not HIPAA-compliant and we do not have immediate plans to become so.
B2B Ninja uses third party subprocessors, such as cloud computing providers and customer support software, to provide our services. We enter into data processing agreements including GDPR Standard Contractual Clauses with each subprocessor, and require the same of them.We also use other software as a company that are not part of providing our services but may collect your personal information for other purposes. You can view this list of processors in the following page: Company Processors
Adapted from the Basecamp open-source policies / CC BY 4.0