Jostle’s compliance with GDPR

The General Data Protection Regulation (GDPR) provides a privacy framework that forms the foundation for privacy regulations in many jurisdictions, including in the EU, the UK, and Switzerland. Jostle is committed to helping our customers comply with the GDPR through our robust privacy and security protections.

As a Canadian Corporation, Jostle also complies with the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Obligations on Controllers and Processors

The GDPR differentiates between controllers, the entity that determines the purpose and means of the processing of personal data, and processors, the entity that processes personal data on behalf of the controller. Since it is you who determines what information is placed on your Jostle platform, you are the controller and Jostle is the processor.

Data Processing addendum

If you require formal compliance with the GDPR, a contract is required between the controller and the processor stipulating the conditions under which the data processing is to be conducted. Our standard Data Processing Addendum (DPA) serves this purpose. If you want a formal DPA in place, download, sign, and return it to privacy@jostle.me.

Download the Data Processing Addendum

Sub-processors

Jostle utilizes best-in-class sub-processors to provide its infrastructure services, and has entered into agreements with each sub-processor containing data protection terms that meet the requirements of the GDPR and the DPA.

Download Jostle’s current list of sub-processors

If you want an email notification when this list of sub-processors is updated, please subscribe here.

Lawfulness of processing

Jostle’s basis for the processing of personal data of your people is that the processing is necessary for the operation of the Jostle platform (the Jostle Service you subscribe to). As the controller, you are ultimately responsible for ensuring that you have a valid reason for the processing of personal private information within Jostle. Valid bases include:

  1. Obtaining consent from each of your people
  2. Considering that the processing is necessary for the performance of employment contracts or other contracts with your people
  3. Considering that the processing is necessary for the purposes of the legitimate interests pursued by You, namely the main business reason for using Jostle

It is likely that you need to make similar assessments for other business systems, so choose the one that works best for your organization.

Security and privacy by design

The security and privacy of the data that customers entrust to us has always been of the utmost importance. Jostle has established appropriate technical and organizational safeguards to ensure that this continues. Jostle undergoes annual third-party reviews of the security and privacy measures it has put in place, and can provide customers with copies of the most recent certifications subject to reasonable confidentiality terms.

Breach Notification

Jostle has security incident management policies and procedures in place that include the requirement to notify customers without undue delay after becoming aware of a data breach.

Right to be Forgotten

Jostle respects the right of an individual to be forgotten, but at the same time understands that the decision to erase the personal data of any individual lies with the organization that individual is a part of. As such, Jostle provides tools that allow the designated administrators of our customers to remove the personal data of one of their users should they decide to do so. Note that Jostle considers the content and data outside of an individual’s personal profile to be the property of the organization that individual is a part of, and that information will continue to exist after the individual’s personal data has been removed.

Data Portability

Similarly, Jostle provides tools that allow designated administrators to extract the information in an individual’s profile and provide it to them. Individuals themselves can download any files or other information that they have added to their personal profiles. Once again, Jostle considers the data and content outside of an individual’s profile to be the property of the organization and not the individual, and as such does not provide an automated way of extracting that content per individual.

International transfers

When you first subscribe to Jostle you will choose the data domicile (US, EU, Canada, or Australia) that you want Jostle to keep your data in, including any personal private information that is added to the platform. Any transfer of data out of this data domicile by Jostle will be for processing only, per the terms of the DPA.

Data Protection Officer

Jostle has determined that we are not required to designate an official data protection officer based on the nature of the data in Jostle and the fact that no systemic monitoring is performed.

Questions or concerns?

Jostle is committed both to fully complying with the GDPR itself and to assisting our customers in achieving compliance in their use of Jostle. Should you have any questions or concerns, please reach out to us at privacy@jostle.me.