
GDPR, and Vanilla, how does this work?

  • 26-07-2021 12:05pm
    Niamh, Community Manager (Administrators, Employee)

    Hi all, 

    We’re aware that the absence of a working Cookie Policy link and Privacy Notice link is justifiably causing some worries and issues. Hands up here, we absolutely should have them up and will do so at the first opportunity - all going well they will be there this week. The only changes on them from our previous policies have been to add Vanilla services to the Third Party Cookies (Cookie Policy) and to Third Parties we work with (on Privacy Notice) but we will get them live asap. 

    GDPR, and Vanilla, how does this work? 

    We have signed a DPA - Data Processing Agreement - with Vanilla. Both parties have agreed to enter into this DPA to ensure adequate safeguards are put in place with respect to protection of everyone’s Personal Data as required by the GDPR.

    “Personal Data” means all data which is defined as ‘personal data’ under EU Data Protection Laws and to which EU Data Protection Laws apply and which is provided by the Customer to Vanilla, and accessed, stored or otherwise processed by Vanilla as a data processor as part of its provision of the Service to Customer (Boards).

    Where and to the extent that Vanilla processes data which is defined as ‘personal data’ under EU Data Protection Laws, Vanilla will comply with applicable EU Data Protection Laws in respect of that processing.

    With respect to all Personal Data, Vanilla warrants that it shall only process Personal Data in order to provide the Service, and shall act only in accordance with: (i) this DPA, (ii)'s written instructions, and (iii) as required by applicable laws.

    They will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. 

    Vanilla will take reasonable steps to ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under obligations of confidentiality.


    Some questions answered for us by Vanilla’s Information Security Analyst:

    Vanilla is a processor of our data, what exactly happens with that data? 

    Vanilla will operate as the Data Processor, following the instructions of the Data Controller (Boards) as defined in the DPA or as given in writing. We will use the data only to provide the service. See above re: DPA. 

    When a user signs up with their email address and on a specific IP, what happens to this data, where and how is it stored? 

    Data is stored within Vanilla’s private cloud, operated in a SOC and ISO certified Data Center. This Data Center is located in Canada, a country that has been recognised by the EU as having Adequate Data Protection laws. “The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.”

    Further details here:

    Who has access to the database? 

    Access to all data collected is limited internally to staff who require access in order to provide the service, and is strictly monitored, logged and secured. All staff undergo background checks as allowed by law.

    Is the hosting happening physically with Vanilla or in the cloud? 

    Hosted with a hosting company that provides us dedicated hardware – Vanilla have a DPA in place with them, and include them as one of our Sub Processors under GDPR.

    Have Vanilla conducted an audit regarding the data stored and for how long? 

    Vanilla has undertaken internal reviews of data processing and storage – data is stored until contract termination. Our processes involved in this have been audited by external Auditors as part of our SOC 2 Type 1 Certificate. 

    Data security for those of you who want to know these details:

    In transit encryption: All data in transit is encrypted using HTTPS (TLS 1.2 and 1.3), and a secure cipher. 

    Vanilla ourselves are SOC 2 Type 1 audited, and busy finalising our SOC 2 Type 2 Audit. The Data Centers we use are all either SOC audited and/or ISO 27001 certified.

    At rest encryption: Data is stored in a physically secured data center with Biometrics, 24/7 Monitoring and security, Background checks on all staff, and man-traps at entrance and exit. 


    Once the Cookie Policy and Privacy Notice are live and the Cookie Consent pop up has been re-enabled, we will update here.


