Pudding App ("Pudding") is committed to compliance with the General Data Protection Regulation (GDPR), the EU data privacy regulation that went into effect on May 25, 2018, and the UK Data Protection Act GDPR that went into effect on Jan 01, 2021.
As part of our continued effort to help our customers with their GDPR compliance, we hope this page helps them better understand Pudding’s commitment to privacy.
Our legal and security experts have closely analyzed the requirements of the GDPR and continue to monitor new guidance on best practices for implementing the requirements of the GDPR.
What Pudding is doing
Pudding has implemented its company-wide GDPR compliance strategy. Below are a few examples of initiatives Pudding has committed to in order to satisfy GDPR requirements that apply to both Pudding and our customers:
- We are maintaining an information security policy comparable with ISO 27000 series standards.
- We are maintaining security in the delivery of our Services in accordance with SOC 2 standards (or any successor standards). These standards mirror many of the security and privacy requirements of GDPR and will help give our customers a transparent framework to measure our development and data management practices. Assurance that Pudding maintains and follows these standards is affirmed through our annual SOC 2 Type 2 audit. For more detailed information, review our security practices.
- When processing personal data regulated under GDPR, we commit to follow any additional security and privacy measures required under GDPR. For more detailed information, review our security practices.
- Where we are transferring personal data outside of the EU, we are committing to implement appropriate data transfer mechanisms as required by GDPR.
- We are committed to providing our authorized users with the ability to access, update, rectify, export and erase their personal information.
- We are holding vendors that handle personal data to required data management, security, and privacy practices and standards.
- We are carrying out data impact assessments and consulting with EU and UK regulators where appropriate.
- We are ensuring that Pudding staff who process Pudding customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data.
General Data Protection Regulation FAQs
Does Pudding process the personal data of its customers?
What personal data does Pudding process when providing its Services?
For most users, this is limited to “business card” information of users who register for the service, meaning their names and e-mail addresses, and an IP address. We may obtain your phone number if we need to reach out for a support issue, and you can put your picture or avatar on your account if you would like to personalize your interactions with other users.
What is Pudding’s role?
Where you are using our Services and making decisions about the personal data that is being processed in the Services (for example when uploading and using Customer Content, or selecting the Third Party Services you wish to connect to the Services), you are acting as a data controller and Pudding is acting as a data processor.
Where does Pudding store and process my data?
We give our customers (your organization) a choice of where they want to store their data. For example, for US-based companies, we currently host data in secure data centers via Amazon RDS in the United States.
For our EU-based companies, we currently host data in secure data centers via Amazon RDS in the EU.
What is Pudding’s commitment to EU International Data Transfer following the recent CJEU Ruling?
The CJEU (in its judgment dated 16th July 2020) has upheld the Standard Contractual Clauses (SCCs) as a valid mechanism to transfer personal data outside of the EEA. This means that Pudding customers can continue to rely on the SCCs included in the Pudding Data Processing Addendum (Pudding DPA) as a valid transfer mechanism under GDPR.
The Pudding DPA with the SCCs is available for all Pudding customers transferring data outside of the EEA, including to the US. Pudding customers can therefore continue to use Pudding’s services in compliance with the GDPR.
Does Pudding enter into GDPR-compliant Data Processing Agreements (DPA)?
Pudding will enter into a DPA with our customers who are data controllers and have purchased a subscription to our presales collaboration platform via a written agreement. We provide a GDPR-compliant DPA that is tuned to our service, and we invite such customers to complete and execute our GDPR-compliant DPA—Pudding Customer Data Processing Addendum.