GDPR
Is Kindly GDPR compliant?
The General Data Protection Regulation (GDPR) is a European Union regulation designed to protect the personal data and privacy of EU citizens.
We're committed to GDPR compliance and have implemented robust measures to protect personal data. These include:
- Comprehensive data management: We ensure all necessary terms are in place for processing customer data and maintain rigorous security protocols (ISO 27001 certified).
- Privacy-focused platform: Our platform is designed with privacy in mind, featuring automatic anonymization, chat log deletion, and user control over their data.
- Data breach preparedness: We have established procedures to handle any potential data breaches and provide ongoing training to our staff.
- Dedication to data protection: Our Data Protection Officer oversees compliance and offers expert guidance.
Do you have a Privacy Governance Framework?
We have implemented an Information Security Management System (ISMS) in line with the ISO/IEC 27001:2022 standard. Our ISMS encompasses a comprehensive Governance Framework that not only ensures the protection of information assets but also addresses privacy concerns, aligning with the GDPR requirements.
How do you prevent function creep in the chatbot?
Kindly prioritizes a user-centric approach to ensure new features align with user needs and the chatbot’s core purpose. We actively involve stakeholders like product managers, designers, and subject matter experts in the decision-making process to ensure that any proposed enhancements are carefully evaluated from various perspectives.
To gain valuable insights into user preferences, we collect and analyze customer feedback. This helps us identify areas where new features could be beneficial and ensures that they align with user expectations.
To prevent the addition of unnecessary features, we limit the scope of the chatbot to specific use cases. By maintaining a clear focus on defined objectives, we ensure that any proposed functionalities contribute meaningfully to the chatbot’s overall purpose.
This comprehensive approach helps us maintain a focused and valuable platform for users, preventing function creep and ensuring that Kindly remains aligned with its core mission.
How do you ensure compliance with the data minimization principle?
Kindly limits administrators registered in the platform to only adding relevant personal information to their profile.
Due to the nature of a chatbot, the end-user can message the service in free text. This opens up the risk of end-users unnecessarily providing sensitive or other personal data to the chatbot, which can lead to a breach of the data minimization principle.
To avoid it, Kindly enables the Data Controller to:
- configure a filter that will anonymize specific types of personal data.
- configure the chatbot to proactively inform the end-user of what data they should not input into the chatbot.
What measures do you have for ensuring data quality?
Kindly provides the Data Controller with functionality that can be configured so that end-users can update the information in the chat log by sending additional messages in the same session. This can be limited by the end-user ending the chat or by the session timing out. The duration before a session timeout is configured by the Customer.
How do you ensure accountability under the GDPR?
Kindly has a designated Data Protection Officer (DPO) who is responsible for overseeing data protection and privacy matters in the organization.
We have also implemented and communicated a Data Protection Policy, which is accepted by all employees.
Are you a Data Controller or Processor?
The GDPR recognizes different roles in data handling: controllers and processors. Controllers decide how and why data is used, while processors handle data on the controller's behalf, following their instructions (often outlined in a contract).
Kindly is the data controller for personal data related to our customers' employees during the sales/marketing cycle but not chat visitors or end customers.
For data shared on our platform, the customer is the data controller, and Kindly acts as the data processor. We process data according to the Data Processing Agreement (DPA) agreed upon with our customers.
Does Kindly provide a Data Processing Agreement for its customers?
It is a requirement under Art. 28 of the GDPR to have a DPA in place which clearly defines everyone's role in relation to the personal data being handled. A DPA clarifies responsibilities, outlines data processing terms, and mitigates certain liabilities for data processors and controllers.
All of our customers are able to enter into a DPA with us.
Our DPA covers all of the main terms needed under the GDPR. It also describes our processes when it comes to informing customers about potential breaches or subprocessor changes (for example if we want to update the product).
Who has access to customer data at Kindly?
Our teams have access to customer data only when necessary for their jobs. We follow the principle of least privilege, granting access on a need-to-know basis.
As a data controller, we may share data with third-party providers to support our operations. For more information see our Privacy Policy page.
As a data processor, we use third-party sub-processors to deliver our services. See the full list here: https://www.kindly.ai/legal-policies/subprocessors
Where does Kindly store personal data?
Data is securely stored in Google Cloud data centers in Belgium. Google Cloud is certified to meet high security standards, including ISO 27001, PCI, and SOC compliance.
How long does Kindly store personal data?
The Customer is able to configure how long the chat logs are stored.
Customer data is retained for as long as the account is in active status. When a user closes an account, all data linked to the account is anonymized. If the workspace the account is tied to is also deleted, no data is kept.
What types of personal data do you collect?
To allow our customers to log in to our platform and recover their password, and for administrators to provide customer support and account maintenance, we collect the following data:
- Email and password
- First name and last name
- Profile picture (optional)
For end-users, a typical user is anonymous, so no personally identifiable information is stored. Chat logs and associated metadata are stored, which typically include:
- Message content
- Timestamps
Not explicitly stored by Kindly, provided by the cloud provider and accessible in aggregations:
- Location
In addition, some anonymized and filterable analytics data from interactions are stored for statistical purposes.
Does the chatbot support anonymization of personal data?
Kindly Chatbot supports automatic anonymization of end-users and their personal data in the inquiries.
The chatbot identifies anonymous end-users using randomly generated identities, such as "Green Banana", so that the Customer can still keep track of end-users and their inquiries.
Personal data such as e-mail addresses, telephone numbers, credit card numbers, social security numbers, etc. can be detected automatically by the chatbot and immediately overwritten by asterisks.
If anonymization is turned on, the data gets anonymized in transit, which means it's never stored on the platform and never sent to our subprocessors.
The Customer chooses which personal data is to be anonymized by the chatbot.
Does Kindly use subprocessors?
Yes, see the full list of these sub-processors (with further information).
Does Kindly transfer personal data abroad?
Kindly is located in the EEA and all customer account data is stored within the EU. However, certain opt-in features like Kindly GPT might require processing personal data outside the EU. For details see the subprocessor list: https://www.kindly.ai/legal-policies/subprocessors
If for processing purposes we have to transfer any data outside the EU, we always rely on lawful transfer mechanisms allowed by the GDPR.
This includes, for example, the decision made by the European Commission deeming some countries or organizations as having adequate measures to protect any personal data coming from the EU, the Data Privacy Framework (DPF), and Standard Contractual Clauses (SCCs).
Whenever engaging a third-party vendor, we conduct careful due diligence to assess their GDPR compliance practices, considering factors such as data security measures.
We also ensure that we have Data Processing Agreements with all vendors.
Have you considered Schrems III?
Schrems III aims to undermine one of the mechanisms which currently permits the flow of data between the European Union and the United States, the Data Privacy Framework, but the outcome remains to be determined.
We continuously monitor changes in legislation and regulatory guidelines to stay ahead of any new requirements that might affect us. Our priority is to maintain the highest standards of service for our clients while safeguarding the privacy and security of their data.
Does Kindly have a Data Protection Officer?
Yes, we do. Our DPO is Anna Wojcicka, who oversees the Privacy program at Kindly and can be contacted at dpo@kindly.ai
Questions specific to Kindly Plus
What sub processors from the list are relevant to Kindly Plus?
Entity Name: Google Cloud Services
Purpose: Hosting & infrastructure
Location: Belgium, EU
Applicable service: Bot platform
Subject matter: Platform users, chat messages
Duration: seconds
How does Kindly Plus use personal data?
The Kindly Plus model analyzes the user input (which may contain personal data) to identify their intention and match it with a predefined answer in the Kindly platform.
Chat messages from the end-users are analyzed using our machine learning technology for the purpose of suggesting how to improve the chatbot.
We do not use Customer Data to improve our Product, train or fine-tune any AI/ML models.
Questions Specific to Kindly GPT
What sub processors are relevant to Kindly GPT?
Depending on client configuration, it will be one of the below.
Entity Name: OpenAI
Purpose: NLU functionality for KindlyGPT
Location: USA
Applicable service: Bot platform
Subject matter: Chat logs
Duration: 30 days
Entity Name: Microsoft Azure
Purpose: NLU functionality for KindlyGPT
Location: France or UK
Applicable service: Bot platform
Subject matter: Chat logs
Duration: 30 days
What does Kindly GPT do with user data?
Kindly GPT uses the customer's knowledge base and the chat user's input to generate an answer. To do that, Kindly leverages generative AI models. Individual user messages are processed without metadata or association to the chat log.
We do not use Customer Data to improve our Product, train or fine-tune any AI/ML models.
Is Kindly GPT GDPR compliant?
Yes. If for processing purposes we have to transfer any data outside of the EU, we rely on lawful transfer mechanisms allowed by the GDPR including:
- Adequacy decisions
- Standard Contractual Clauses
- Data Privacy Framework
We also conduct careful due diligence of the sub processors involved to ensure commitment to data protection and security.
Organizational Security Measures
Does Kindly have any security certifications?
Kindly is ISO/IEC 27001:2022 certified, which means we maintain an ISMS which encompasses policies, processes, and procedures that ensure regular testing, assessment, and evaluation of both technical and organizational aspects of our services related to information security.
Do you undertake IT security audits, vulnerability assessments and/or testing?
Kindly undertakes all IT security audits, risk assessments, vulnerability assessments and testing necessary to ensure that its ISMS is in accordance with ISO/IEC 27001:2022. This includes yearly external and internal audits, yearly penetration tests performed by a third party and monthly vulnerability testing.
Furthermore, Kindly's security team is kept up to date on new and upcoming vulnerabilities through information security forums and newsletters to identify risks/threats.
What's your risk management process?
Kindly has implemented a risk management process, which consists of the following:
1. Risk identification
We proactively identify potential threats and vulnerabilities across our operations and products, which lays the foundation for effective risk management.
2. Risk assessment
Each risk undergoes a detailed assessment to understand its impact and probability, which enables the prioritization and management of risks based on their severity.
3. Risk management
We use tailored strategies to mitigate identified risks, including implementing controls, transferring risks, avoiding high-risk activities, or accepting risks when appropriate.
4. Continuous improvement
Our risk management practices are subject to regular reviews and updates, ensuring they remain effective against evolving threats and changes in our operational environment.
5. Documentation and reporting
All aspects of our risk management process are thoroughly documented, providing a clear and accountable record of our actions and outcomes.
How does Kindly manage employee access to client solutions?
Access Reviews
Access to all systems and services is reviewed and updated annually to ensure proper authorizations align with job functions. This process is regulated by role-based access control (RBAC) and adheres to the Principle of Least Privilege, ensuring that users are granted the minimum necessary access required for their job responsibilities.
Unique User Identification
Access to platform systems and applications is managed using unique User Login IDs and passwords for each individual user and developer. Password requirements enforce strong password controls, and all users are provided with unique, secure temporary authentication information that must be acknowledged upon receipt and changed upon first use.
Authentication and Authorization
Multi-Factor Authentication (MFA) is mandated for all administrative access accounts and enterprise assets, where supported. Internal access to the platform is secured with application keys that are rotated monthly. Developers use Bitwarden password manager for generating passwords, and two-factor authentication is required for logging into all production systems. All employee disks are encrypted with FileVault, BitLocker, and LUKS.
Monitoring of Access
System activities, including audit logs, access reports, and security incident tracking reports, are reviewed frequently, at intervals not exceeding a year. Internal access controls follow the principle of least privilege, ensuring that employees have only the necessary access to perform their required job functions.
Infrastructure Security
Kindly uses Identity and Access Management (IAM) to provide users and applications with the narrowest set of permissions necessary for accessing data. Permissions to access running production systems and databases are granted only to users with an explicit need. Internal accounts are managed using a Google Workspace domain with enforced two-factor authentication, and external services for internal use are authenticated using Single Sign-On (SSO) via SAML 2.0 to Google Workspace accounts.
Access Control for Employees
Access to systems and applications is formally managed and reviewed by the Compliance team. Annual access reviews ensure that proper authorizations are in place according to job functions. When an employee is offboarded, they lose access to all systems, which is logged in an offboarding checklist.
How do you handle Security Incidents or Personal Data Breaches?
The procedures for handling security breaches involve several steps. When an information security breach is identified or discovered, employees must notify their immediate supervisor within 24 hours. The manager must immediately notify the on-call Information Security Manager (ISM) for an appropriate response. The notification must include a description of the incident, date, time, and location of the incident, the person who discovered the incident, how the incident was discovered, known evidence of the incident, and affected system(s).
Within 48 hours of the incident being reported, ISM conducts a preliminary investigation and risk assessment to review and confirm the details of the incident. If the incident is confirmed, ISM assesses the impact on the company and assigns a severity level, which determines the level of remedial work required.
If the incident is considered High or Medium, the ISM must work with the CEO and Product Manager to create and execute a communication plan that communicates the incident to users, the public and other stakeholders.
In the event of a personal data breach that poses a high risk to individuals' rights and freedoms, Kindly will immediately inform the relevant data controller. The notification will clearly and simply detail the nature of the breach, contact information for the data protection officer or other contact for further information, the potential consequences of the breach, and the measures taken or proposed by the controller to deal with the breach and mitigate any negative consequences.
Describe measures for event, error and security incident logging
Kindly uses the Google Cloud Platform Audit Logging tool, which provides a complete record of all activity that occurs in the platform. All user activity, system activity, and data access are stored in a central location with a retention period of 400 days. Access to the audit logs is restricted on a "least-privilege" basis using RBAC (IAM).
System errors and security incidents are logged internally and are exposed on status.kindly.ai. Here, both real-time events and previous events are available, as well as status for all components of the platform.
All security incidents are logged with the event date.
What are your practices for secure software development?
Secure coding principles
All developers are trained in secure coding principles based on OWASP, and these principles are implemented in software development.
Communication method
Whenever a change is major and breaking, Kindly notifies all clients by email in advance and in status meetings. The notice will be sent 3 months in advance.
Otherwise, upgrades are communicated in the changelog.
Key activities and effort required from the Customer
The Kindly service lives in the cloud, meaning that the Customer will receive updates on the fly without the need to do anything.
Version control
It is possible to version control the chat service. In that case, the Customer would need to update the version number of the service that is being requested.
If the Customer wants to use a specific version, the Customer can follow our changelog or API changelog to decide when to update to a given version. With major updates, Kindly will notify the Customer by email in advance and in the status meetings, regardless of whether the Customer uses version control or is subscribed to the latest changes.
Code implementation
Any change is reviewed by at least two developers, then auto-deployed to the staging environment by CI/CD. This automatic process already runs pre-defined tests; however, the staging environment is used for manual checks prior to triggering the deployment to production (we use Release tags for triggering this).
Code patches
Utilizing automated tools like Dependabot, we ensure the proactive generation of code patches in response to updates within open-source software frameworks. These patches, once generated, require formal approval through our code review process.
Additionally, our Software Development Lifecycle Policy provides details on the process for secure development of software.
What are your physical access controls?
Access to Kindly's offices is restricted to authorized personnel only. All access requires an active access card, and the access card must be used at all doors. Authorized visitors to the offices are always accompanied by Kindly employees.
All computers with sensitive information are locked with passwords, and login to services with files and other sensitive information, such as Google Drive (archiving and sharing files), Slack (internal communication), Trello (task delegation), and login to the Kindly platform itself is secured with two-factor authentication, where unknown attempts to log in require approval from the employee via their mobile phone.