We have signed a DPA - Data Processing Agreement - with Vanilla. Both parties have agreed to enter into this DPA to ensure adequate safeguards are put in place with respect to protection of everyone’s Personal Data as required by the GDPR.
“Personal Data” means all data which is defined as ‘personal data’ under EU Data Protection Laws and to which EU Data Protection Laws apply and which is provided by the Customer to Vanilla, and accessed, stored or otherwise processed by Vanilla as a data processor as part of its provision of the Service to Customer (Boards).
Where and to the extent that Vanilla processes data which is defined as ‘personal data’ under EU Data Protection Laws, Vanilla will comply with applicable EU Data Protection Laws in respect of that processing.
With respect to all Personal Data, Vanilla warrants that it shall only process Personal Data in order to provide the Service, and shall act only in accordance with: (i) this DPA, (ii) Boards.ie's written instructions, and (iii) as required by applicable laws.
They will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
Vanilla will take reasonable steps to ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under obligations of confidentiality.
Some questions answered for us by Vanilla’s Information Security Analyst:
Vanilla is a processor of our data, what exactly happens with that data?
Vanilla will operate as the Data Processor, following the instructions of the Data Controller (Boards) as defined in the DPA or as given in writing. We will use the data only to provide the service. See above re: DPA.
When a user signs up with their email address and on a specific IP, what happens to this data, where and how is it stored?
Data is stored within Vanilla’s private cloud, operated in a SOC and ISO certified Data Center. This Data Center is located in Canada, a country that has been recognised by the EU as having Adequate Data Protection laws. “The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.”
Further details here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
Who has access to the database?
Access to all data collected is limited internally to staff who require access in order to provide the service, and is strictly monitored, logged and secured. All staff undergo background checks as allowed by law.
Is the hosting happening physically with Vanilla or in the cloud?
Hosted with a hosting company that provides us dedicated hardware. Vanilla have a DPA in place with them, and include them as one of our Sub Processors under GDPR.
Have Vanilla conducted an audit regarding the data stored and for how long?
Vanilla has undertaken internal reviews of data processing and storage – data is stored until contract termination. Our processes involved in this have been audited by external Auditors as part of our SOC 2 Type 1 Certificate.
Data security for those of you who want to know these details:
In transit encryption: All data in transit is encrypted using HTTPS (TLS 1.2 and 1.3), and a secure cipher.
Vanilla ourselves are SOC 2 Type 1 audited, and busy finalising our SOC 2 Type 2 Audit. The Data Centers we use are all either SOC audited and/or ISO 27001 certified.
At rest encryption: Data is stored in a physically secured data center with Biometrics, 24/7 Monitoring and security, Background checks on all staff, and man-traps at entrance and exit.
How can I? User's guide to some features on the new site
If you have an issue you can contact us on [email protected]
Sounds good. Is the data actually stored in Canada? Or some of it.
1 very simple question: Where is our data being hosted?
I have a question on this @Boards.ie: Niamh
How do you account for special categories of data (a lot of user post about, inter alia, health, political and religious information). You have given your sub processors access to this (joining statements with the backend personal data). How do you protect this?
While this statement is welcome, it is worrying that GDPR and privacy issues appear to be an afterthought. I really hope that the following statement is adhered to:
"Access to all data collected is limited internally to staff who require access in order to provide the service, and is strictly monitored, logged and secured. All staff undergo background checks as allowed by law."
As per my profile privacy post, what setting on my profile page should I tick to ensure profile privacy - am I better off leaving the 2 options unticked? Who are the authorized users?
So the data was moved to Canada without giving users a choice in advance?
The data is in Canada.
In order to allow for the proper administration of boards.ie we make use of third party moderators and administrators. And in order for them to properly carry out their functions as moderators and administrators they require access to personal information concerning you, your boards.ie account and your activity on the site. Such data is only permitted to be used by our third party moderators and administrators for the purposes of administering the site and cannot be used by them for any other purpose.
This has not changed. The Data Protection Agreement in place with Vanilla ensures that anyone with access to the database from their end also only accesses it in order to provide a service to Boards and for no other reason.
Yes the data is stored in Vanilla’s private cloud which is operated in a SOC and ISO certified Data Centre. The Data Centre is located in Canada, a country that has been recognised by the EU as having Adequate Data Protection laws. As far as GDPR is concerned, there are what are known as 'Third Countries'. Secure third countries are those for which the European Commission has confirmed a suitable level of data protection on the basis of an adequacy decision. In those countries, national laws provide a level of protection for personal data which is comparable to those of EU law. Canada is one of these countries.
Now that it has been confirmed that my data has been moved out of Ireland to Canada without informing me of same, I wish to exercise my Article 17 GDPR rights. Please acknowledge receipt of this message soonest.
Has been said a few times...
You email your request
Email [email protected] @Boards.ie
A search, funnily enough. I've come across it in the main feedback thread but there's also a specific thread..
One last power trip eh?
Delete our data now.
What, all of the data? The website would not work and nobody could login.
To get your data deleted you would have to delete your account.
This was flagged at least a week ago and still isn't fixed. Not really acceptable for such a site.
What are you on about?
Aye, I understand. I guess there's a lot being pulled from the team and there's very few in said team.
I'm on about wanting my data wiped from this site. I've requested a few times now, and a request is a request.
Making people jump through hoops to access their basic rights is abominable.
With respect, that isn't quite an answer.
I'm not worried about mods, as unless Mod Utils has radically changed in the last while, they can't see my personal information. I've always been comfortable with the Boards.ie team being able to link my identity to the special data categories. Now this Canadian company, along with some other Canadian company, has access to this as well? On the basis of 'they promise they won't look'?
Can you confirm that:
a) Vanilla have access to users' personal information; and
b) This un-named third party hosting company also have access to the plain-text of users' personal information;
c) Assuming a) and b) are correct, you have performed a DPIA with regard to the processing by these parties of both the special categories and ordinary data?
d) Care to publish this DPIA?
Agreed with all above. I would also like to re-iterate a question above that has gone unanswered.
Why was our data moved outside of EU without prior consent?
Irrespective of the DP laws in Canada [and ignoring Five Eyes for the moment, for pretty much the same reason why Privacy Shield was deemed inadequate], we should have been informed that our data would be migrated to Canada BEFORE it was moved, giving us time to delete our accounts beforehand.
I think it's poor form on boards stakeholders to make this unnecessary decision without informing its users. Regardless of the legalities of the law as opposed to the spirit of GDPR, it shows an attitude towards data security that appears to be, at best, a secondary concern.
I've no doubt that there were/are plenty of hosting solutions in Ireland or the wider EU that were as suitable. I'd be very interested in a transparent report detailing why a self hosted solution or even an Irish data centre hosted solution wasn't deemed preferable over any Third Country.
Was it just a cost reduction exercise? I'm sure it's cheaper to have a SaaS product than employ a handful or techs to handhold the infrastructure. But why outside EU?
To be fair, I've only seen your request once. And I wouldn't have considered posting in a random thread the formal way.
As has been said a few times, email them. And job done. Your data doesn't get wiped though, never has.
Both requests have been added to GDPR account closure requests.
If anyone else wants to request the same, please email [email protected] thanks.
Might also remove the lie saying the site's hosted by Digiweb at the bottom of the page.
Just to be clear, emailing is now the way to delete an account? Right?
So my email address (with my full name in it) and my IP logs won't be deleted is that right?
Don't you need to inform all of us explicitly, i.e. 1:1 under GDPR Article 13(1)(f), that you are doing this beforehand?
Here, I'm only trying to be helpful. Tone down the bad attitude and relax a little. It's an online forum. Not your bank.
Send the email and it'll be sorted along with any other questions. I wouldn't want to reply further if that's the tone I'll be treated with for trying to help.
Excuse me but I asked a pertinent question, in text form. If you have a problem with me asking pertinent questions then that's your problem.
For more information on GDPR and your statutory rights, visit: