All about personal data and data protection at Kundo (GDPR)
We are asked many questions about personal data and data protection. Here you can find out more about Kundo’s role, how we operate and how we are complying with legislation.
What is Kundo’s role?
As the customer, you are, according to GDPR, the data controller with responsibility for and control over the information saved in our system. Kundo acts as the data processor and in this capacity it is our job to manage personal data according to your instructions and as required by law. In a purely legal sense you can from this perspective regard Kundo as one of your own systems.
Does Kundo comply with GDPR?
Yes, Kundo’s products and activities fulfill all GDPR requirements.
Do we need to sign a data processing agreement with Kundo?
Yes, when you become a customer of ours, you always sign a data processing agreement (DPA agreement) as an appendix to your basic agreement. If you have an agreement dated earlier than January 2018, we will instead have contacted you to sign a supplementary agreement.
We are sometimes asked if we can sign your DPA agreement instead of you signing ours. This is possible, but the typical DPA agreements often need to be adapted to be suitable for us as a provider of cloud services. The agreement you have already signed with us is GDPR compliant, and so there is no particular need for an additional agreement. If you require specific additions or amendments, the simplest option therefore is to do this using our standard agreement as a starting point.
Have any questions regarding DPA agreements? You can always e-mail firstname.lastname@example.org if you would like to contact us about such matters!
Who owns the information at Kundo?
As the customer, you always own the information at Kundo. Kundo is not entitled to use the information in any way other than as specified in our agreement.
Where does Kundo process data and personal data?
Kundo processes* personal data (and all other data) on servers within the EU.
What personal data does Kundo process?
Depending on which module from Kundo you are using Kundo normally processes the following data:
IP address (if applicable)
In addition, data may include unstructured personal data, such as telephone number, postal address or similar, which your customers/users have provided in running text in dialogue with you or that has been entered by your own editors.
If you have customised fields in Kundo Forum that allow your customers to enter a customer number or similar, for example, Kundo will also process this data.
What sub-processors does Kundo use?
We have an updated list of the sub-processors that Kundo works with on this page.
As a customer, you cannot explicitly approve or reject individual sub-processors. We select our sub-processors with care and only work with skillful and reputable parties. However, should you not agree with our choice of sub-processors, you are entitled to terminate your account with Kundo. Further information on this process can be found in your agreement.
What actions has Kundo taken after Schrems II?
After the Schrems II verdict Kundo has taken explicit action to make sure that we can manage our data in accordance with GDPR. All sub-processors that processed data outside of the EU/EEA area has been removed and we have made sure to update our DPA's so follow the latest version of the Standard Contract Clauses in accordance with the recommendations from EDBP (European Data Protection Board).
For sub-processors with headquarters in a third country, regardless of the place of data processing, we have also dona a risk analysis - a so called Data Transfer Impact Assessment. Please contact us at email@example.com if you want access to the document for further details.
What security measures does Kundo have in place to protect personal data?
You can find out more about Kundo’s overall work involving information security in our services on this page. There is also further information about security for personal data in an appendix to your agreement.
What is meant by processing?
* Processing = Every operation performed with respect to personal data, e.g. storage, collection, recording, organisation, adaptation, alteration or disclosure by transmission. Find out more from the Swedish Authority for Privacy Protection (IMY).
Have any questions?
Contact firstname.lastname@example.org or your Kundo Success Manager.