[✅ Solution] Privacy - Security

Hi all,
I was wondering what kind of privacy measures are set in place.

How can we make sure none of the info provided to Tape is going to be used?
On top of the monthly fees and/or besides, how can we make sure you are not going to sell the information and/or data regarding the usage of the platform?
How can we make sure you are not going to look into our data (snooping) and/or use to other purposes (AI training, or any other in the future…)?

How secure is our data (without security there isn’t privacy)? Are there any couter-ransomware measures in place?

I’m sorry for all these questions but I really value the privacy of my clients and their sensitive data. I just want to make sure we don’t put them at risk.

Thanks. Gary.

Is there any self-hosted version of Tape in the plans? (I’m not discussing about its potential price)
Maybe this could help with some concerns regarding the most sensitive data. Thanks. Gary.

Hi @Super_Gary, great to meet you!

I can understand your concerns very well. These are exactly the questions I would ask myself before giving my sensitive data to a platform.

That’s why one of our absolute key value propositions with Tape is data security and data privacy.
Firstly, one of our technical co-founders is a passionate security engineer and has invested a lot of time in this very sensitive topic. On the other hand, we have to meet the highest requirements with our customers in the public sector, which also includes foundations of the federal government in Germany.
That is why we have a comprehensive privacy compliance program that aligns our practices with regulations such as the DIN ISO/IEC 27001 and DIN ISO/IEC 27018 certified and guarantees the highest level of data protection security.

Within this program, most of the points you mentioned and many more are regularly audited by external auditors.

We have all the details publicly available on our website. You can find the page here.
If you have more detailed technical questions we can arrange a call with you.

Regarding your question about the self-hosted version of Tape. Currently we do not plan to do this, we have only had a few requests for it.
But you can create a feature request and if we get enough requests for it we can evaluate the topic in detail.

Cheers
Leo

Hi @Leo,
Nice to meet you and thanks for your fast reply.

It is nice to see we are on the same page and that you understand my concerns regarding the data privacy (and security).

I had a look at the link you gave me and then read the information requirements as well. I found some quite loose ends and would love you to help me tie them up.

I am writing all this because while on the one hand it seems that you really take our privacy “seriously”, on the other hand I found some rather lax and ambiguous open ends. I just want to know what to expect.

All the following quotes are directly taken from your information requirements page.

One of the first things that caught my attention was this (under “In addition, we also process the following other personal data” in section 2):

Information about the type and content of contract data, order data, sales and document data, customer and supplier history and consulting documents.

Is this all the information inside our Tape spaces?

Advertising and sales data- Information from your electronic communication with us (e.g. IP address, log-in data)

More on that one later on the advertising section.

Other data that we have received from you in the course of our business relationship (e.g. in discussions with customers)

This “other data that we have received from you” seems very broad.

Data that we generate ourselves from master/contact data and other data such as customer requirement and customer potential analyses"

What is this “customer potential analyses” all about?

Also on this section, although I know that this is not under customers, the “religious affiliation” thing also caught my attention initially.

But where I really started paying attention was under section 3, below " to safeguard legitimate interests (Art. 6 Para. 1 lit.f GDPR)":

• Advertising or marketing (see point 4)

More on this in the advertising section.

• Measures for business management and further development of services and products

This feels open (I can understand it in several different ways).

And also below this under “subject to your consent (Art. 6 Para. 1lit.a GDPR)”:

If you have given us permission to process your data, e.g. by sending us our newsletter, publishing photos, raffles, etc., we will not use your data for any other purpose.

What kind of permission or how explicit must this permission be? Written and/or really explicit? Or really a checkbox and/or general terms acceptance when signing up?

The doubts continue under section 4 (the advertising one):

You may at any time object to the use of your personal data for advertising purposes on the whole or to individual measures without incurring any costs other than the transmission costs according to the basic tariffs.

So, what is this “personal data” exactly? This could be our company name and general identification (as I believe you were trying to mean), but it also could be all user generated data, hence in this context all the data in created inside Tape by us (all our clients data). It is nice to have this object against this use but I don’t know why I felt this advertising thing won’t apply here. I mean that after all this “we take privacy seriously” that I read before this, honestly, I didn’t expect to find an advertising section. Also I believe that these “transmission costs” mentioned might refer to the cost of “sending an email” or equivalent, but it would be great to confirm this.

Under the section 5, at the very end, I found that:

Insurance companies, banks, credit agencies and service providers may also be recipients of your data for the purpose of initiating and fulfilling contracts.

Given the context, I believe you were just trying to explicitly mention this type of companies but not sure since you already mentioned “service providers” on top of this section. So I just want to make sure this is limited to the order processing (to provide us the platform service) you mentioned that other providers may do and would greatly appreciate your confirmations.

I felt quite shocked with section 7, since when I read it I had already read in this trust page this " All customer data is stored on servers within the European Union". I would really like to know what “third countries” might be the case (and if you are meaning other European countries or other countries outside of the EU).

Also on the other hand, it would be really nice not to have the ubiquitous Google Analytics watching. I totally understand the need for some telemetry/analytics to improve the product but I also see that there are some less “itching” alternatives. The same (although more complicated once committed) could apply to these AWS servers (and any other data-disrespectful “tech giants” that may help provide the services).

Thank you very much for taking the time to read this far. I know this is a long post but I just want to make sure I understand where I could head to, and that you will live to your data privacy promise (without blind spots).

Hi @Super_Gary,

Have you come across a different product that has similar features to those tape offers and a better privacy policy? to me it looked pretty standard and compared to other countries Europe do have some of the strongest privacy regulations.

In comparison, if you look at the Privacy Policy for Podio for example, they don’t even agree to go by the GDPR rules, since those are much stricter than the privacy rules in the US.

Hi @Super_Gary,

It’s great that you’re inquiring in detail about our information requirements on the website and expressing concerns about their clarity. I’d like to provide some context for why our wording might seem open in certain areas. The European GDPR regulations are exceedingly strict, with substantial penalties for non-compliance. Consequently, the legal language in the Information Requirements Section 2 on our website is intentionally broad, as it must cover all potential data we may receive from customers or partners.

These phrases align with the best practices recommended by our law firm’s privacy protection officers. The objective is to preemptively cover any content that could be transmitted to us in the course of a business partnership or customer relationship through various communication channels, both within and outside of Tape itself (e.g., email, community forums, Intercom messenger, Microsoft Teams, contact forms on our website, etc.). This approach ensures that we don’t constantly need to amend the information requirements, even if not all types of data are currently processed by us.

Additionally, the reasons for processing the previously defined data are outlined in paragraph 3. These phrases also align to best practices advised by our law firm’s privacy protection officers. The aim here is to incorporate potential reasons for data usage that may arise in day-to-day business operations within a business partnership or customer relationship (e.g., bug fixing, onboarding emails, newsletters, tax payments, etc.) from the outset, reducing the need for frequent updates, even if we presently only utilize a fraction of these possibilities due to our very limited processing of personal data.

Addressing your specific questions:

1. “Customer potential analyses”: This data refers to scenarios where e.g. an official Tape partner provides us with information about a potential customer, such as the number of users and guests. We use this information to create tailored offers for that customer.
2. “Religious affiliation”: This information requirement is applicable only to Tape employees. It’s a legal necessity in Germany for calculating salary payments accurately.
3. Permission for data processing: We require users to opt in via a checkbox during the signup process. If you prefer no communication with us, including the Intercom messenger, we can disable it entirely upon request after your signup.
4. “Personal data”: It strictly refers to the personal data outlined in paragraph 2. All data stored in Tape by a customer is owned and controlled by them. Tape processes customer data on their behalf, and access to this data by Tape or its employees is strictly forbidden. We maintain a stringent set of measures to ensure compliance, which is also a requirement for our public sector customers.

Regarding your query about section 5:

This applies in cases of legal obligations and within the context of legal proceedings, where authorities, courts, and external auditors may access your data. It is unrelated to routine payment processing and is invoked only if law enforcement authorities request such data.

Concerning “third countries”:

Tape does not transfer data to third countries; all data remains within the EU. However, the GDPR allows data transfers to third countries that guarantee an adequate level of protection, as determined by the EU. For a list of these countries, you can refer to the European GDPR regulations available online.

Addressing your concerns about Google Analytics:

We only enable Google Analytics on our landing page. As a requirement of a new client, we have permanently removed Google Analytics from the logged-in area of Tape. This client has assessed us rigorously by a data protection service provider, who investigated whether external IP addresses are accessed through the use of Tape. We promptly addressed and fixed any issues, besides of Google Analytics even those that some might regard as non-critical, such as the loading of Google fonts in our sign up emails. These recurring audits carried out by our privacy sensitive customers will remain a crucial double-check mechanism, aimed at identifying even the most minor security and privacy vulnerabilities.

I hope that this explanation has further strengthened your trust in Tape. As thankfully mentioned by @shir, we are dedicated to being one of the most secure low-code platforms in the market. We place a high priority on data security and exceed the standards set by European GDPR regulations.

Cheers
Leo