Privacy by Design: How ShortPoint Complies with the General Data Protection Regulation

At ShortPoint, your user privacy matters to us. We're committed to keeping the limited personal data we collect (license and usage information) safe, in accordance with the General Data Protection Regulation (GDPR). This guide explains how we handle your data.

NOTEShortPoint does not access, store, transmit, or process customer SharePoint content or any data created inside your Microsoft 365 environment. All references to “personal data” in this article refer only to the limited account, license, and usage information ShortPoint collects for activation, support, and product improvement.

TABLE OF CONTENTS

• What Is GDPR?
• What are Your Rights Under GDPR?
• ShortPoint and GDPR Compliance
  • Assigning a Data Protection Officer
  • Collecting Only What is Needed
  • Keeping Your Data Only For a Specified Period
  • Following Strict Security Policies
• You're in Control of Your Data
  • Access, Fix, or Download Your Data
  • Delete Your Data
  • Object to Processing or Request Restrictions
• Our Commitment to You

What Is GDPR?

Have you ever signed up for an app or some kind of website? If you have, you've probably had to provide personal information like your name or email address. But what happens to the data you give? Is it safe and protected?

This is where the General Data Protection Regulation, or simply GDPR, comes in! It is a comprehensive privacy law that came into effect on May 25, 2018, across the European Union. Think of it like a rulebook that tells data controllers and organizations how they must handle your personal information. While it's a European law, its impact reaches far beyond Europe's borders, affecting any company that deals with EU residents' data, including data processors and those involved in international organisations.

The main goal of GDPR is simple: to give you more control over your personal data and to make sure organizations handle it responsibly by implementing effective measures and respecting your fundamental rights.

What are Your Rights Under GDPR?

GDPR gives you several important rights over your personal information and ensures data protection.  Let's go through each privilege you have over your data.

• First, you have the right to know. Companies must tell you clearly what data they're collecting, why they need it, and how they'll use it. This ensures transparency and compliance with the data protection principles.
• Second, you have the right to access the data collected. You can ask any organization what personal data they have about you, and they must provide it to you free of charge. This supports your data subject rights under GDPR.
• Third, you have the right to remove the data. If you want a company to delete your data, you can request it. In most cases, they must comply, respecting your right to erasure.
• Fourth, you can move your data. You can ask for your data in a format that lets you move it to another service.
• Fifth, you have the right to refuse data collection. You can say no to your data being used for certain purposes, like direct marketing or automated decision-making.
• And finally, you can correct any misinformation. If a company has wrong information about you, you can ask them to fix it, ensuring data accuracy.

ShortPoint and GDPR Compliance

Transparency and data security matter to us. This is exactly why we ensure GDPR compliance at all times. Here's how we do it:

Assigning a Data Protection Officer

To make sure your personal data protection stays strong, we've designated specific people to serve both as our GDPR lead and Data Protection Officer (DPO). They serve as your privacy advocates within our business practices. They're here to ensure we're meeting our data protection obligations and legal compliance when it comes to your information.

Collecting Only What is Needed

Here's the good news: we keep data collection to a minimum. We only gather data that is necessary to activate your ShortPoint license and help you when you need support. When you use ShortPoint, we collect some basic usage information to keep things running smoothly:

• Your name and email (so we can communicate with you)
• License details (to activate your account)
• Browser information (helpful when troubleshooting issues and assessing privacy risks)
• Basic usage stats like which page you're on, your ShortPoint version, and how often you use features like the Page Builder or Design Elements.

Here's something important: we don't touch your actual content. Nothing you create in SharePoint or Microsoft 365 gets sent to us or stored on our servers. That stays entirely in your environment, under your control.

Keeping Your Data Only For a Specified Period

We don't keep your information forever. We hold onto it only as long as necessary. Depending on regulatory requirements and legal frameworks, this typically takes three to seven years. After that, we securely delete it using technical and organizational measures to ensure data security.

Following Strict Security Policies

Security isn't just a buzzword for us. We have clear procedures in place for handling the limited personal data we collect (license and usage information) and for managing any internal security incidents. Since ShortPoint does not store or process customer SharePoint content, no customer content is ever involved in these processes. Here are a few of them:

• SOC 2 Type II Reporting - An independent audit verifies our security practices, providing independent verification of our technical implementation and organizational measures.
• Continuous Monitoring - We use an automated system that keeps an eye on compliance and performs ongoing risk assessment.
• Regular Testing - We perform annual penetration tests that help us find and fix vulnerabilities. This ensures end-to-end security throughout the processing lifecycle.
• Strong Encryption - All personal data collected by ShortPoint (such as license and usage information) is encrypted in storage and during transmission. ShortPoint does not store or encrypt customer SharePoint content, as all customer content remains fully within your Microsoft 365 environment.
• Smart Architecture - No SharePoint or Microsoft 365 content ever leaves your environment. ShortPoint does not access, transmit, or store any customer content created in your sites.

You're in Control of Your Data

At ShortPoint, you can rest assured that you have complete control over your data. Here's what you can do to exercise your rights according to GDPR:

Access, Fix, or Download Your Data

Want to see what information we have about you? Need to correct something that's wrong? Just reach out to us at privacy@shortpoint.com. You can also request your personal data in a format that's easy to read and transfer to another service if you'd like.

Delete Your Data

You have the right to ask us to delete your information at any time. Simply email privacy@shortpoint.com, and we'll remove your data from our systems in such a way that ensures data security and respects your user privacy.

Object to Processing or Request Restrictions

If you're not comfortable with how we're processing your data, you can ask us to just store your data without actively using it.

You can also stop product usage data collection by blocking access to the activation.shortpoint.com domain. Just remember that blocking this domain means some features won't work, including automatic license updates and user assignments. Certain Design Elements and Connections (like Teams, Power Apps, Power BI, and Outlook events) may also not function properly. It's a trade-off between privacy safeguards and functionality, and the choice is yours.

Our Commitment to You

Privacy by design: that is our commitment to you. Through proper data collection and continuous GDPR compliance, we ensure that our organization operates securely and transparently.

If you have any questions about how we handle your data or want to exercise any of your rights, don't hesitate to reach out to us at privacy@shortpoint.com. We're here to help and are happy to explain anything in more detail.

Related articles:

• How ShortPoint Classifies and Encrypts Data
• Continuous Defense: ShortPoint’s Program for Proactive Data Security
• Security by Design: How ShortPoint Protects Data
• Zero Trust Access: How ShortPoint Keeps Data Safe with Smart Security
• Security in Software Development Life Cycle: How ShortPoint Keeps the Development Lifecycle Safe and Secure
• Organizational Resilience: How ShortPoint Ensures Business Continuity
• Creating a Company Culture for Security: How ShortPoint Builds a Culture of Compliance
• SOC Compliance: How ShortPoint is Committed to Validating its Security Measures