GDPR Compliance

Here you can find all our policies on compliance and how we process your data. If you have any questions, write to us at contact@productive.io.

Productive Is GDPR Compliant

The European Union (EU) General Data Protection Regulation (GDPR), enforced from May 2018, is one of the biggest changes to data privacy regulation for businesses with customers from the European Union. We put security, privacy, and data protection at the core of our product. We are fully certified as GDPR compliant, and constantly strive to go above the minimum regulatory standards. We regularly update our Terms of Service to be in compliance with GDPR and other generally accepted privacy laws.
 
Taking into account new case law (especially the “Schrems II” decision of the European Court of Justice) as well as Brexit, Productive took additional steps to be compliant with EU and UK data protection law.

EU Data Transfers

The European Data Protection Board (EDPB) advises that each EU entity that is a data exporter conduct an assessment of whether or not it can transfer EU personal data on the basis of the EU Standard Contractual Clauses (EU SCCs). In particular, Productive recommends the following steps:

1. Consider the technical and organizational security measures included in the updated Data Processing Addendum. Based on the type of data you process on Productive, determine whether these are sufficient for your use.

2. Review Productive’s Data Processing Addendum, which includes the new supplemental clauses recommended by the EDPB and incorporates the new version of the SCCs approved by the European Commission.

3. Conduct a risk assessment for the transfer of personal data to the US in your use of Productive. Information on this page and at https://www.productive.io/security may be helpful for your review.

Can UK-based customers transfer UK personal data to Productive?

The Information Commissioner’s Office (ICO) advises that each UK entity conduct an assessment of whether or not it can transfer UK personal data on the basis of the UK Standard Contractual Clauses (UK SCCs). In particular, Productive recommends the following steps:

1. Consider the technical and organizational security measures included in the updated Data Processing Addendum. Based on the type of data you process on Productive, determine whether these are sufficient for your use.

2. Review Productive’s Data Processing Addendum, which includes the UK SCCs.

3. Conduct a risk assessment for the transfer of personal data to the US in your use of Productive. Information on this page and at https://www.productive.io/security may be helpful for your review.

Productive’s GDPR Commitment

As a business management platform, Productive has two kinds of relationships:

Productive <—> Customer (e.g. awesome branding agency) — an Organization using Productive

Productive <—> User (e.g. John Doe) — a user that has a login to Productive

Everything you do in your Organization is data (e.g. projects, budgets, contacts, emails) owned by your Organization. Your Organization is the data controller of that data (in certain cases it may instead be a data processor). Productive is the data processor of that data and acts exclusively on the instructions of your Organization as data controller.
 
To be fully compatible with GDPR, we’ve added the option to destroy all data from your Organization on request. If an Organization decides to leave Productive, it can request the complete deletion of all business data.
 
In certain cases Productive can be the data controller of your data (e.g. when we communicate directly, when you apply for a position in our company, etc.).
 
Please check our Privacy Policy to learn how your data is being processed.

Productive’s Security Standards

We keep your data secure 100% of the time. We regularly review and update our security measures.

Please check the security measures we have implemented on our Security page.

Has Productive ever had to disclose data to US authorities?

Productive has not received any data access request from the US government under Section 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333.

If such a request is received, Productive will use reasonable efforts:

1. to have the governmental authority request such data directly from you; and 

2. to notify you of the request promptly, unless prohibited under the applicable law of the requesting government authority or Productive. If prohibited from notifying you, Productive will use reasonable efforts to obtain the right to waive the prohibition to communicate as much information to you as possible.

Also, please check Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (the so-called White Paper), where the powers of US public authorities are explained in detail. This document includes a more detailed interpretation of relevant US legislation and amendments that were made after Schrems II.

Where does Productive store data?

Productive stores data on Amazon Web Services servers located in the EU, specifically in Ireland.

Does Productive sell or market the data to third parties in any way? 

No, Productive does not sell or market your data to third parties.

Will Productive sign my company’s DPA?

Productive can’t sign DPAs from other companies. However, Productive’s DPA should be sufficient in any customer relationship with Productive. Productive’s DPA contains EU SCCs for EU data and UK SCCs for UK data, and includes terms specific to how Productive works.

Contacting Productive

If you would like to know more about our security measures and GDPR compliance, please contact us at contact@productive.io, or at our mailing address below. We’ll be happy to answer all your questions.

The Productive Company, Inc.
2093 Philadelphia Pike #3280
Claymont, DE, 19703


You can also contact our DPO Jan Varljen at dpo@productive.io.
