How you can protect your clients’ data
Due to the nature of our product, Appfarm has no way of tracking what type of data you store in our platform and how you store, secure, and maintain it. The appropriate application design choices you make to stay compliant with GDPR will largely depend on the actual use case and context of data collection and processing. There is no silver bullet to becoming GDPR compliant. Rather, when creating apps that process personal data using Appfarm Create, it is the responsibility of the data controller to ensure the data is processed in accordance with the GDPR regulations. However, we’d like to make accomplishing this goal as easy as possible for you.
Here's an overview of aspects you need to consider to achieve GDPR compliance.
Know your data
Before you start building an app, identify all the personal data your app will process. This data map will be crucial for your GDPR compliance journey.
Learn more about data classification for GDPR in our documentation.
Don’t use production data for testing
Using production data for testing is strictly regulated, and we therefore recommend using synthetic data instead. Although using real personal data to reproduce realistic test scenarios can be tempting, it constitutes a major intrusion into an individual data subject's privacy. It’s important to remember that the data controller (in most cases, the end customer) is always responsible for ensuring the protection of personal data and compliance with data protection laws.
Process legally
Understand the lawful bases for processing personal data under GDPR, such as user consent, performance of a contract, and legitimate interests. Choose the right basis for each data processing activity in your app and document that choice.
If you process personal data for other customers, you should have a Data Processing Agreement (DPA) in place.
Obtain clear consent
Obtain explicit and informed consent from your users before collecting and processing their data. This can be done with consent forms customized to your needs, e.g., a cookie banner that explains why you're collecting data and how it will be used.
Become a data minimalist
Only gather the data necessary for your app's purpose. Minimize data collection and retention to reduce risks and respect users' privacy.
Lock it up
The Appfarm Platform handles much of the security for you, such as strong encryption in transit and at rest. Access controls, permissions, and roles are easily set up in Appfarm Create. Keep each user's permissions and roles to the minimum they need, and have a defined procedure for requesting additional permissions. Keep personal information safe by regularly logging in and deploying your app to production so it stays up to date.
We recommend you complete our security checklist on all your projects, particularly those processing personal data.
Respect user rights
Let your users exercise their GDPR rights, such as accessing, rectifying, and erasing their data. Build mechanisms in your app to handle these requests promptly. Communicate with inactive users to avoid retaining their personal data unnecessarily.
When you are a Data Processor (e.g., when you make an app for another company), you should have a DPA in place.
We retain solution data backups for 90 days. Bear in mind that restoring a previous version of your data may require you to reprocess every rectification and erasure request that was submitted and handled in the intervening period, since the restored data predates those changes.
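One way to make that reprocessing mechanical, as an added Python example (not Appfarm's code; the snapshot layout, journal format and timestamps are constructed assumptions): keep a journal of every handled erasure and rectification request, and after a restore re-apply only the entries dated after the backup was taken, then check that no erased subject survived.

```python
"""Replay handled data-subject requests onto restored backup data."""
import copy
from datetime import datetime, timezone

# Constructed sample data (not from Appfarm): the snapshot as restored from
# backup, and the journal of requests handled before and after that backup.
BACKUP_TAKEN_AT = datetime(2024, 3, 1, 0, 0, tzinfo=timezone.utc)

RESTORED_SNAPSHOT = {
    "u1": {"email": "anna@example.com", "phone": "+47 000 00 001"},
    "u2": {"email": "bo@example.com", "phone": "+47 000 00 002"},
}

# One entry per handled request: when it was completed, what kind, for whom.
REQUEST_JOURNAL = [
    {"ts": "2024-02-20T10:00:00+00:00", "kind": "rectify", "subject": "u1",
     "changes": {"email": "anna@example.com"}},          # before the backup
    {"ts": "2024-03-10T14:00:00+00:00", "kind": "erase", "subject": "u2"},
    {"ts": "2024-03-05T09:30:00+00:00", "kind": "rectify", "subject": "u1",
     "changes": {"phone": "+47 000 00 099"}},
]


def replay_requests(snapshot, journal, backup_taken_at):
    """Return (state, applied): the snapshot with every journal entry dated
    after the backup re-applied in timestamp order. Entries at or before the
    backup are skipped because the snapshot already reflects them."""
    state = copy.deepcopy(snapshot)  # never mutate the restored copy itself
    applied = []
    for entry in sorted(journal, key=lambda e: e["ts"]):
        if datetime.fromisoformat(entry["ts"]) <= backup_taken_at:
            continue
        subject = entry["subject"]
        if entry["kind"] == "erase":
            state.pop(subject, None)  # idempotent: safe if already gone
        elif entry["kind"] == "rectify":
            if subject in state:
                state[subject].update(entry["changes"])
        else:
            raise ValueError(f"unknown request kind: {entry['kind']!r}")
        applied.append((entry["kind"], subject))
    return state, applied


def leftover_erased_subjects(state, journal):
    """Subjects with a handled erasure request that still exist in state.
    Must be empty before the restored data goes back into production."""
    erased = {e["subject"] for e in journal if e["kind"] == "erase"}
    return sorted(s for s in erased if s in state)
```

Running `leftover_erased_subjects` on the raw restored snapshot shows which erasures the restore undid; running it on the replayed state should return an empty list.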
Disclose third-party services
If your app integrates with third-party services, ensure they're GDPR compliant. Clearly disclose these services and their privacy practices to your users. This can be done on a sub-processor page on your website.
If you process personal data in your app built using our no-code platform, Appfarm should also be listed as a sub-processor of your company.
Report breaches
Have a plan in place to detect and report data breaches quickly. Notify both the supervisory authority and affected users if a breach occurs. In the event of a data breach in Appfarm’s systems, the affected Appfarm customers will be notified within 72 hours of discovery, and you then have a further obligation to notify your own affected customers.
Learn more about breach reporting on Datatilsynet’s website (Norway) or the relevant institution in your jurisdiction.
Report a breach via Altinn (Norway).
Publish transparent policies
Create a clear and concise privacy policy and data protection notices that users can easily access from within your app. Keep them informed about how their data is being handled.
Stay up to date
Regularly review your app's GDPR compliance, especially if there are changes to your data processing activities or regulations. Also, regularly review users, roles, and permissions. Staying up to date is key to maintaining compliance.