Does Filemail comply with the GDPR and other data protection regulations?
Updated over 3 months ago

Filemail is committed to maintaining full compliance with the General Data Protection Regulation (GDPR) and other relevant data protection regulations globally. Key compliance measures include the following:

  • Data Handling and Retention: We adhere to strict policies regarding the storage, retention, and deletion of data. Data is stored only for as long as necessary to fulfill the intended purpose, and users can determine how long a file may be accessed by the recipient. Data is securely deleted following this period.

  • User Privacy: We have implemented comprehensive measures to safeguard user data, including end-to-end encryption during data transfer and rigorous access controls for data at rest. Users have extensive control over their data, including the ability to define where files are stored and set custom file expiration dates. Users can also access, rectify, and request deletion of their information in compliance with GDPR and other privacy laws.

  • Compliance and Legal Standards: We document our compliance through Data Protection Impact Assessments (DPIAs), which help to identify and minimize data protection risks associated with data processing activities. We have also implemented features in our enterprise-level managed file transfer solution to enable HIPAA compliance, such as Business Associate Agreements, US data storage, and access monitoring.

  • Data Sharing and Third-Party Management: We limit the number of third parties that process files and data and ensure that any data shared with third parties complies with our stringent privacy policies and is subject to data processing agreements. Thorough assessments are conducted to ensure third parties provide a similar level of protection as Filemail, with ongoing evaluations to ensure continued compliance and protection.

  • Data Breach Notification: In the event of a data breach, Filemail has established protocols to promptly notify all affected customers and relevant authorities. Notification procedures are designed to comply with the GDPR and other data protection laws, ensuring notifications are made without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.

  • Privacy by Design: We incorporate privacy by design principles into the development of our products and services. Measures include regional data storage choices, strict data minimization practices, secure default settings, and user-controlled data management to ensure privacy and data protection are integral to our operations.
