Version 2.0 – December 18, 2019
Read Version 1.0 – October 8, 2018
The Data Controller of LeastAuthority.com and its associated services is Least Authority TFA GmbH, Thaerstraße 28a, 10249 Berlin, Germany (“Least Authority”, “we”, “us”).
Purpose of Data Collection and Processing
1. The provision of product and service information on the website.
We operate this website and blog in order to provide you with information about our products and services, and keep you up to date about Least Authority.
2. Statistical and Analytical Data
You can opt-out of tracking completely by enabling the Do-Not-Track option in your browser. Visit http://donottrack.us/ to learn how.
Least Authority uses an open-source analytics program with a strong privacy focus, called Matomo. It informs us about how visitors use our website. Least Authority collects anonymous statistical data about the use of its website to optimise its online presence and for marketing and sales purposes. Only the first 2 bytes of your IP address are stored.
The information Matomo collects is:
– 2 byte masked user IP address (see also: IP anonymization)
– Date and time of the request
– Title of the page being viewed (Page Title)
– URL of the page being viewed (Page URL)
– URL of the page that was viewed prior to the current page (Referrer URL)
– Screen resolution being used
– Time in local user’s timezone
– Files that were clicked and downloaded (Download)
– Links to an outside domain that were clicked (Outlink)
– Page generation time (the time it takes for webpages to be generated by the webserver and then downloaded by the user: Page speed)
– Main Language of the browser being used (Accept-Language header)
– User Agent of the browser being used (User-Agent header)
3. Delivering the Simple Secure Storage Service (“S4”) to customers.
When you sign up for the S4 service, we only collect the bare minimum amount of information required to take payment, supply you with a service account and provide you with customer support. The data collected includes your email address, payment and transaction details, and country of residence (for VAT reasons).
When you sign up, a connection is made to our payment processor, Stripe, which holds your card information and email address on Least Authority’s behalf. LeastAuthority.com does not hold any credit card information on our servers. Additionally, your email address and location (for tax purposes) are sent to Chargebee which holds this information on Least Authority’s behalf to support ongoing subscription payments. Because of the nature of subscription billing, this also results in this service maintaining ongoing information about your subscription transactions. This information is necessary to process your payments and fulfil the obligations of our subscription service.
Stripe is certified to PCI Service Provider Level 1, the most stringent certification level. The connections to both leastauthority.com and the Stripe API are made over TLS (with forward secrecy in modern browsers), so the security of your card information is at least as good as for other e-commerce sites. Stripe is certified under Privacy Shield.
Chargebee is a PCI-DSS Level 1 Service Provider. The Payment Card Industry Data Security Standard encompasses a set of practices and procedures required to be followed by companies that process, store, or transmit card details, in order to protect their customers’ card data. Chargebee is also ISO certified. ISO 27001 is an information security management standard that specifies the requirements for information security management best practices within an organization. Chargebee has set up a GDPR Compliance Roadmap.
When you sign up, a connection is also made to our webservers. In order to ensure the integrity and safety of our systems, we store webserver-log files containing the following details about your signup web request:
date and time of the request, location of the request, access status, amount of data transferred, website from which the request originated, browser, operating system and its interface and the language and version of the browser software.
We store such data for no longer than 14 days. The legal basis for processing this information is our legitimate interest (Art. 6(1)(f) GDPR) in keeping our systems and servers secure and optimising our web content.
S4 uses an Amazon S3-based backend for Tahoe-LAFS, and provides what is called ‘provider-independent security’. The data you store on S4 is encrypted on your device before being stored on Amazon’s AWS servers, whether you are using Gridsync or the CLI (Command Line Interface). Amazon AWS is EU-US Privacy Shield certified.
We use ZenDesk to manage customer support requests. If you email email@example.com, the email you send and any information you provide are transferred to ZenDesk. ZenDesk is certified under the EU-US Privacy Shield Framework, along with Binding Corporate Rules.
We store this data for the duration of providing the service to you plus a period of 6 months. The legal basis for this is the performance of a contract (Art. 6(1)(b) GDPR).
In addition, we process your payment details and transactions for a period of 10 years. The legal basis for this processing is the legal requirement of complying with financial regulations (Art. 6(1)(c) GDPR).
4. Informing the general public about privacy advocacy updates through a mailing list.
We collect information that you voluntarily provide to subscribe to our mailing list. This includes the email address you use to fill out and submit the signup form on the website.
We use Mailchimp to manage our mailing lists. MailChimp is certified under the EU-US and Swiss Privacy Shield Frameworks. More information about the EU-US privacy shield can be found at https://www.privacyshield.gov.
If you no longer wish to receive emails you can unsubscribe from our mailing lists using the link at the bottom of any email sent using Mailchimp, or contact us at firstname.lastname@example.org.
The email address you provide for the mailing list is not sold, shared or transferred to any other parties besides Mailchimp.
5. Concluding and performing the consultancy services for clients requesting this.
We process contact names and contact information in the process of communicating about desired services, and in order to be able to send proposals and contracts for signing. We delete this data within 6 months if no contract is concluded, or, if a contract is concluded, for the duration of the contract (until our services have been paid in full) plus 12 months. The legal basis for this processing is the performance of a contract (Art. 6(1)(b) GDPR).
We use DocuSign for the signing of our consulting contracts. DocuSign has approval for Binding Corporate Rules (BCRs) – both as a data processor and as a data controller – from the EU Data Protection Authorities (DPA). DocuSign is also committed to delivering world-class security that meets or exceeds US and international requirements, including the US ESIGN act, European Union Directive 1999/93/EC, and European Regulation 910/2014 (also known as eIDAS). DocuSign’s Security and Trust Assurance Packet (STAP) includes reports from third-party auditors and provides detail on DocuSign’s external certifications and compliance with industry standards. You can find more info about how DocuSign protects privacy under GDPR here.
In addition, we process the company name and sometimes the contact name mentioned on the invoice for a period of 10 years. The legal basis for this processing is the legal requirement of complying with financial regulations (Art. 6(1)(c) GDPR).
6. Ensuring compliance
Least Authority has to comply with all applicable laws and regulations, including, but not limited to, those of the European Union, Germany and the state of Berlin. For this reason we may have to collect, process and retain your details for an extended period of time as a legal obligation (Art. 6(1)(c) GDPR). For example, one of the legal requirements in Germany is that trade invoices, which may include your name or email address, are kept for 10 years.
You also acknowledge that information required to track your choices and consent regarding the processing or use of your Personal Data or receipt of marketing materials may be stored to ensure compliance with the GDPR.
7. Internal communication required to deliver services
Internally, we use Google G Suite and Google Drive for our email service, calendar and internal document management. Google is certified under the EU-US and Swiss Privacy Shield Frameworks and their certifications can be viewed on the Privacy Shield list. Google is committed to complying with the EU General Data Protection Regulation (GDPR) for G Suite and Google Cloud Platform services. You can find GDPR-updated Data Processing Amendment for G Suite and Data Processing and Security Terms for Google Cloud Platform here.
We use Slack to internally communicate as a team to improve our services and be responsive to our clients’ needs. Slack is certified under the EU-US and Swiss Privacy Shield Frameworks. Slack has received internationally recognized security certifications for ISO 27001 (information security management system) and ISO 27018 (for protecting personal data in the cloud). You can learn more about Slack’s security policies and procedures by visiting their security page which also includes a white paper on how Slack ensures user data security in particular.
We delete this data within 12 months. The legal basis for this processing is the performance of a contract (Art. 6(1)(b) GDPR).
Least Authority is designed for adults and we do not solicit any personal information from children. If you are under 16 years old, you are not authorized to use the Site.
Data Subjects’ rights
You can request from Least Authority at any time information about which Personal Data Least Authority processes about you and the correction or deletion of such Personal Data. Please note, however, that Least Authority can delete your Personal Data only if there is no statutory obligation or prevailing right of Least Authority to retain it.
If Least Authority uses your Personal Data based on your consent or to perform a contract with you, you may also request a copy of the Personal Data that you have provided to Least Authority, and you may request us to transfer this data in a common machine-readable format to another provider as well. In this case, please contact us at email@example.com and specify the information or processing activities to which your request relates. Least Authority will carefully consider your request and discuss with you how it can best fulfil it.
Furthermore, you can request that we restrict your Personal Data from any further processing if:
- You are contesting the accuracy of the Personal Data we hold about you, for as long as we need to verify this claim.
- You believe the processing of the data is unlawful, but you oppose the erasure of the data and request restriction of processing instead.
- We no longer need your Personal Data for the original purpose, but you need it for the establishment, exercise or defence of legal claims.
- You have objected to the use of your data according to Art. 21 GDPR, while we verify whether our legitimate grounds for processing your data override yours.
Please direct any such request to firstname.lastname@example.org.
Right to lodge a complaint
We encourage you to contact us at email@example.com if you have a privacy-related concern. You have the right to lodge a complaint about the improper processing or use of your personal data by us with our supervisory authority, or with the data protection authority of the EU member state you live or work in. The details of the supervisory authority responsible for Berlin, Germany are:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Phone: 030/138 89-0
Links to other websites
The Least Authority website may contain links to third-party websites (those of companies or organizations other than Least Authority). Least Authority is not responsible for the privacy practices or the content of websites other than its own. We strongly recommend carefully reading the privacy statements of those third-party websites.
How We Protect Your Information
We are committed to protecting the information that we receive from you. We take appropriate security measures to protect your information against unauthorized access to or unauthorized alteration, disclosure or destruction of data.
Our products are built for privacy and security
At Least Authority our mission is to give the user a real alternative for control over their own data. Since the inception of the company, we Least Authoritarians have been continuously working to build products and provide services that protect your data and your right to privacy and self-determination.
Consistent with Article 25 of GDPR, “Data protection by design and by default”, we believe in security by design and security by default. Our software designs are inspired by end-to-end security and the “Principle of Least Authority”, an important design consideration which enhances the protection of data and functionality from faults (fault tolerance) and malicious behavior (computer security). We prefer secure by default: encryption is turned on all the time, which does not allow insecure operation or any kind of privacy violation.
We process contact names and contact information in the process of communicating about desired services. We do not collect or process personal data when our interests are overridden by your fundamental rights and freedoms.