Effective Date: May 25th, 2018
Data privacy and security are fundamental to MantisHub's operation. We’re committed to partnering with MantisHub customers and users to help them understand and prepare for the General Data Protection Regulation (GDPR). The GDPR is the most comprehensive EU data privacy law in decades, and will go into effect on May 25, 2018.
Besides strengthening and standardizing user data privacy across the EU nations, it will require new or additional obligations from all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located. On this page, we’ll explain our methods and plans to achieve GDPR compliance, both for ourselves and for our customers.
MantisHub is a data Processor with respect to the GDPR and its relationship to your Content.
As a MantisHub customer, you will typically act as a data Controller for any Personal Data made available to MantisHub through use of our Service. The data Controller determines the purposes and means of processing personal data, while the data Processor processes data on behalf of the data Controller.
Personal Data in the context of the GDPR is quite broad and can include anything that can identify a customer, such as their name, email address, postal address, username and in some cases even their IP address.
MantisHub, as the data Processor, will process Personal Data on your behalf in connection with your use of our Service. If you or any of your users are located in the European Economic Area (EEA), your use of MantisHub will most likely involve transferring some of their Personal Data to our Service.
MantisHub has made a number of changes in readiness for the GDPR to come into effect.
As MantisHub can process your team's and customers' personal data, security is a core concern in all parts of our infrastructure. We've invested heavily in our security systems.
We use a third-party enterprise-class web application firewall to restrict access to our services. All communication with our service is performed through a secure connection. We do not provide any non-SSL endpoints. Data encryption is applied wherever possible, which means that even in transit between our servers, your data is kept encrypted.
All our servers are firewalled and kept updated with the latest security patches. All security keys and passwords stored by our application on your behalf are kept encrypted at rest.
Answers to other security-related FAQs can be found here.
Also known as the 'right to erasure', the GDPR clarifies the rights of people to have their data removed from the services they use. There are two key aspects of this:
The changes MantisHub has made allow us to comply with these requirements. We now automatically delete all account data once you are no longer using our service. This includes all reasons for deactivation, such as an expired trial, cancelled account or any other kind of suspension.
We offer machine-readable (SQL) downloads of all data in your account. You can access these downloads by navigating to the Manage page, selecting the Backup tab on your account and triggering the creation of the point-in-time backup of your data as described here.
MantisHub uses sub-processors to assist in providing the MantisHub Service. A sub-processor is a third-party data processor engaged by MantisHub that has, or potentially will have, access to service data (which may contain personal data) or that processes it. MantisHub evaluates the security, privacy and confidentiality practices of proposed sub-processors that have access to or process service data, both before they are engaged and on an ongoing basis.
The following is an up-to-date list (as of May 2018) of the names and locations of MantisHub sub-processors:
| Sub-processor and GDPR information | Purpose | Location | Website |
|---|---|---|---|
| Amazon Web Services, Inc - https://aws.amazon.com/compliance/gdpr-center/ | Hosting and email notifications | United States | https://aws.amazon.com |
| Mailgun Technologies, Inc - https://www.mailgun.com/gdpr | Reporting tickets via email | United States | https://www.mailgun.com |
| Chargify, Inc - https://help.chargify.com/my-account/gdpr.html | Subscription and billing management | United States | https://www.chargify.com |
| Stripe, Inc - https://stripe.com/guides/general-data-protection-regulation | Payment processing | United States | https://www.stripe.com |
| Drip, Inc - https://www.drip.com/privacy | Transactional and marketing emails | United States | https://www.drip.com |
| SpamHero, Inc - https://www.spamhero.com/privacy | Spam filtering for tickets reported via email | United States | https://www.spamhero.com |
If you have any questions about any of the details on this page, or any other part of our GDPR compliance, please email firstname.lastname@example.org and we'll be happy to help.