Discuss.io supports and assists its clients in meeting their own obligations under the GDPR.

To comply with GDPR, companies who handle EU-based residents' data need to keep in mind the following important requirements:

  • Protect personal data using appropriate security

  • Notify authorities of personal data breaches

  • Obtain appropriate consents for processing data

  • Have transparent policies regarding how they process data

  • Train employees based on the type of data they handle

  • Audit and update data policies

  • Employ a Data Protection Officer (if required)

  • Create and manage compliant vendor contracts

  • Provide clear notice of data collection

  • Outline processing purposes and use cases

  • Define data retention and deletion policies

How Discuss.io Handles GDPR for MR Professionals

Discuss.io is staying ahead of the GDPR changes, both in its role as a data processor and in support of data controllers. Discuss.io efforts include:

  • Providing a great software platform that allows client companies to comply with the GDPR requirements while maintaining a superior user experience.

  • Deploying industry-standard technical processes and procedures that protect data, both when it is in transmission and while we are hosting it.

  • Providing a hosting center and data collection network. We selected world-class service provider Amazon Web Services (US-East). Their stringent standards for data protection and security made them our choice for all of our customer data, including customers in the United States and the EU.

  • Working with EU and US legal counsel to develop a Data Protection Agreement (DPA) that complies fully with the GDPR. This DPA, which will be the contract with all clients who are data controllers under the GDPR, also incorporates the European Model Clauses, also known as the Standard Contractual Clauses. (The Model Clauses were approved by the European Commission and are the industry standard for when personal data is transferred outside of the European Economic Area.)

  • Being certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. This certification also ensures that we comply with data protection requirements when transferring personal data from the EU and Switzerland to the United States.

  • Ensuring that we recognize that our clients own their data and that we process that data only in accordance with their instructions. This acknowledgment resides in our Terms of Service and Privacy Policy found at https://www.discuss.io/terms and https://www.discuss.io/privacy/, respectively. 

  • Following the GDPR definition of acceptable timelines when processing data subjects requests, whether it’s consent withdrawal, restricting processing, providing access, transferring their data, or erasing it. We will also provide prompt notification in the event of a data breach.

  • Staying abreast of continuing GDPR developments and guidance, to support our clients’ compliance efforts.

What you can do to protect your MR data under the GDPR

While it’s always a great time to think about improving data security, the GDPR deadline provides a good target for reviewing your organization’s privacy and security policies and evaluating how you put them into practice. While Discuss.io has yet to have a data breach from hacking, there have been instances where individual customers have been careless with their login credentials or access permissions.

The best protection of personal information comes from a combination of continuously updated technology, thorough training for employees who handle and have access to personal data, and seamless communication about new requirements. Discuss.io addresses each of these concerns with our features and support, and we will continue to support our clients as regulations evolve.

For more information on the upcoming GDPR changes, visit the official EU homepage.

Frequently Asked Questions

How does Discuss.io handle system, project, and meeting room access?

The Discuss.io application is restricted to registered users only. Moderators and support role users must be authenticated in order to join a session. Other roles allow guest access by unauthenticated users. 

Project access in the application is restricted to the project owner and their authorized collaborators, in addition to system administrators.

Unauthenticated users consent to the processing of their data prior to joining a session. Authenticated users consent to data processing during account creation. This consent is timestamped and stored in our database.

Users in any role joining a session via phone are directed to review our Privacy Policy and Terms of Service prior to being connected to a meeting room. Phone users must confirm consent to data processing prior to joining a call. This consent is also timestamped and stored in our database.

Where is the platform hosted and where is data stored?

The platform is hosted, and data is stored, in the US. We are a member of the EU-US and Swiss-US Privacy Shield program governing the transfer of data outside the European Economic Area. Privacy Shield was the subject of a recent court ruling, which impacted thousands of tech companies working in the EU. We remain compliant with the guidelines of Privacy Shield and will work to provide new agreements and methods that give our clients and research participants the privacy and security they deserve. More information can be found at https://www.discuss.io/platform/security-and-data-privacy/

What is your data retention policy?

Data required only for the organization and execution of the session, such as respondent Personal Data and screening responses, will be destroyed upon project completion. At any time, EU data subjects may request the deletion of their data, and Discuss.io will do following the GDPR guidelines, as well as notify all project owners and project collaborators of the need to destroy any downloaded copies of the project materials. To request data removal, please email compliance@discuss.io. For more information about data retention, please visit https://support.discuss.io/en/articles/4561418-data-retention

What is your data backup and archival policy?

Our database is a multi-AZ Amazon AWS RDS instance for resiliency with a separate read replica for availability. Automated backups are taken daily and retained for 7 days, as well as at the time of a production release. Video data is stored in AWS S3. We retain the source composite as well as the processed video and clips.  Retention policy is per GDPR or customer request, whichever is sooner.

What data is provided to us as a client and how is it transferred to us?

Respondent screening information is currently stored using Google Cloud Services and sent via email, using the latest standard email encryption protocols. We do not further encrypt or restrict access to this information. Clients never have access to Respondent contact information or surnames.

Our entire application is served via HTTPS -ie. all traffic is encrypted via TLS. The application does not send data to customers - customers must make requests for data. Customers are able to view and download data via the application (HTTPS-secured). Data stored in Amazon AWS S3 is encrypted at rest, as is our database. 

Did this answer your question?