Feedback
Compliance & Security

Compliance & Security 101: GDPR, data protection and HIPAA

  • 22 December 2021
  • 6 replies
  • 511 views
Compliance & Security 101: GDPR, data protection and HIPAA
Userlevel 2

Hello Typeform community, 

 

This is Rai from the Typeform Compliance Support team. This article is the second part of our four-piece Compliance & Security 101 series. This time we’re looking at the areas of GDPR, data protection and HIPAA.

 

Data protection is a common topic in the tickets our users and customers are contacting us with. At Typeform we know the protection of your data is very important and we wanted to provide the community with the basics to get a better understanding of how it works at Typeform. 

 

As you may already know the so called GDPR (General Data Protection Regulation) is a big thing. It was first introduced in the EU in 2018 and now is applied, or at least used as a guideline, for data protection in many other countries worldwide. 

 

HIPAA is an important regulation in the USA that organisations and users of data collection platforms like Typeform need to comply with when collecting health related data from their respondents. 

 

Here’s a short introduction to the topic, along with details of where you can find support on these topics on our Help Center.

 

 

Now, let's take a look at the data protection and HIPAA-related questions we get asked about lot…

 

 

GDPR & data protection 

 

Is Typeform GDPR compliant?

 

Yes absolutely, at Typeform, all our customers’ data is processed complying with this framework, no matter which country it belongs to. Please read more about this here and here

 

Is Typeform CCPA compliant?

 

Our Privacy Policy was prepared in accordance with the GDPR, which has similar obligations as the California Consumer Privacy Act (CCPA). You can find the DPA and CCPA sections of our documentation here.

 

Where are Typeform's servers located and where is the data stored/processed?

 

Typeform’s infrastructure is hosted by Amazon Web Services (AWS). Our main servers are located in Virginia, USA. They are compliant with security and privacy standards.

 

Can I decide where my data is stored?

 

Currently this is not an option, however it may be considered in the future. Rest assured that the security and integrity of your data is critically important for us, and we’ve built our services around this idea.

 

Typeform is transferring data between Europe and the US, does this mean you are still GDPR compliant?

 

Yes, we are. So-called SCCs (Standard Contractual Clauses) are being used for this. You can read more about this in our Data Processing Agreement (DPA - section 4) here as well as in this Help Center article here.

 

Who owns/is responsible for the data that is collected in my forms?

 

The data collected in forms created by you is owned by you and you are also responsible for any requests from your respondents to remove data they submitted via your form. These responses can be deleted from the responses section of the typeform. This article explains how to do it.

 

What can I do when my respondents request their form data to be deleted?

 

See above. Responses can be deleted from the Responses section of each typeform they submitted data to. Also see GDPR rights for respondents.

 

Do you share your data with other companies / 3rd parties?

 

On this page you can see all third parties we share data with, what and why. It also offers you to sign-up to our newsletter to get notified of any changes to this page here.

 

Can I sign a custom Data Processing Agreement (DPA)?

 

This is currently being offered to Enterprise customers only. Customers on our prepaid subscriptions can access the DPA they agree to when signing up to Typeform here.

 

HIPAA & Business Associate Agreements (BAA)

 

Is Typeform certified in HIPAA/ HIPAA compliant?

 

Short answer, YES! As mentioned in this Help Center article Typform successfully passed the compliance assessment, and as a result, this allows the company to sign a Business Associate Agreement (BAA) with its clients when needed.

 

I work for a healthcare provider/organisation and/or need to collect health-related data from US-based respondents through my typeforms, do I need to / how can I comply with HIPAA?

 

In order to comply with HIPAA regulations you can sign a BAA with us. Please contact our legal team via the form on this Help Center page.

 

I am not based in the US and my respondents aren't based there either. What if I want to collect health-related data from them?

 

In principle you do not need to sign a BAA, however we strongly recommend checking in your local jurisdiction the requirements in order to be able to collect health-related data with your typeforms.

 

I need to collect Social Security numbers, do I need to comply with HIPAA or sign a BAA?

 

Yes, it is a requirement to sign a BAA with us in order to collect SSNs via your forms.

 

I hope this FAQ has helped with any questions you may have had about this topic, but if there's something you're still wondering let us know.

 

 

 


6 replies

Userlevel 7
Badge +5

That's amazing! A lot of people get confused about this subject so it's great to have some clarity! Thank you a lot @Rai:blue_heart:

Userlevel 7
Badge +6

@Rai - thanks for laying this out so clearly. Data Governance is a huge issue for many organizations and ‘understanding’ is difficult at the best of times. This post provides both tactics and links to strategic resources to assist firms. Thank you for this

 

des

Userlevel 2

@Rai - thanks for laying this out so clearly. Data Governance is a huge issue for many organizations and ‘understanding’ is difficult at the best of times. This post provides both tactics and links to strategic resources to assist firms. Thank you for this

 

des

Thank you John, glad this is useful!

Userlevel 3
Badge

Thank you so much for sharing this info @Rai! The article is great :grinning: Good job! 

Good FAQ! What are your thoughts on:

 

The SCHREMS II judgement, and that the new SCC’s aren’t enough for a transfer to a country such as the US, or companies under FISA?
Specifically the European Data Protection Board that states:

Is it really true that everything on AWS is encrypted with cryptography keys that you hold, and that AWS never has anything in plaintext? Even when sending “Thanks for responding” emails?

 

The fact that your new SCC’s aren’t complete

The new SCC’s state pretty explicitly that each subprocessor must be listed along with the list of transfers and the technical safeguards for each transfer
 

While you have a list of subprocessors on your website, the technical and organisational measures per-subprocessor aren’t listed anywhere.

Userlevel 2

 

Hi @Gustav

Thanks for responding to the original post and sending us your questions! Also thanks for your patience while we were looking at this :)

Please find below the answers to each point:
 

  1. The SCHREMS II judgement, and that the new SCC’s aren’t enough for a transfer to a country such as the US, or companies under FISA? 
    To the best of our knowledge, Typeform is not subject to FISA and neither our US subsidiary can be subject to any obligation requiring it to cooperate with US authorities and, thus, breach its obligations under the SCCs in force between both companies. We can confirm that Typeform US has never shared data with US authorities under FISA laws, and that a more detailed analysis is being conducted to assess any potential risk. Having said that, we can assure you that all transfers of data meet the guarantees and measures required by the GDPR, and additionally to SCCs in place with all our processors, we have implemented most of the recommendations from the EDPB (there are a few of the recommendations that we are analyzing how to implement with our providers). You can find more information regarding our security measures here.
     
  2. Is it really true that everything on AWS is encrypted with cryptography keys that you hold, and that AWS never has anything in plaintext? Even when sending “Thanks for responding” emails?
    Yes, all our data is encrypted at rest using the KMS service which AWS is providing for each service, with Keys we manage even for the specific case of email communication. We confirm that we are implementing the measures required under section 32 of the GDPR and, more in particular, all data in transit is being encrypted by using TLS cryptographic protocols (TLS 1.2) - you can find more information about how we are protecting data in transit on this website.
     
  3. The fact that your new SCC’s aren’t complete The new SCC’s state pretty explicitly that each subprocessor must be listed along with the list of transfers and the technical safeguards for each transfer. While you have a list of subprocessors on your website, the technical and organisational measures per-subprocessor aren’t listed anywhere.
    Thanks for raising this point. We are working on it and updates will be soon published on our website. 

    I hope this helps! If there is anything else please let us know. 

Reply