On May 25, 2018, the European Union began enforcing the General Data Protection Regulation (GDPR), in an effort to strengthen the security and protection of the personal data of EU residents.
In 2020, the EU invalidated the EU-US Privacy Shield as a means of providing the ‘Appropriate Safeguards’ that are prescribed by the GDPR.
Kami is committed to protecting the security and privacy of entrusted data as well as helping our customers comply with regulations such as the GDPR. Kami product capabilities, design paradigms, and processes help your company be GDPR compliant.
Our Commitments as a Data Processor
If you are a school or organization using Kami, you are likely a data controller under the GDPR. This is the case if you supply goods or services to EU residents – or if you track or monitor EU residents and decide why and how data is collected and processed. One of your requirements as a data controller is to only work with compliant data processors.
Data processors are vendors or businesses that process data on behalf of data controllers. Kami is considered a data processor. We comply with the GDPR when acting as a data processor on your behalf.
We take this responsibility seriously. Here are measures Kami is committed to as one of your data processors:
- Data Protection Officer: Kami has a designated Data Protection Officer who is proficient at managing IT processes, data security, and other critical business continuity issues around the holding and processing of personal and sensitive data. Contact Kami’s DPO directly at [email protected]
- Secure data transfer and storage outside the EU: Transfers of personal data outside the European Economic Area (EEA) are permitted as long as certain safeguards apply. Our customer DPA contains the EU Model Clauses, which are the industry standard for data safety. This means that Kami agrees to protect any data originating from the EEA in line with European data protection standards.
- Cloud storage safeguards: When we hold EU, EEA, or UK customer data in Google Cloud Platform (GCP) and Amazon Web Services (AWS) Data Centers in the mainland US, we also take the ‘Appropriate Safeguards’ that are prescribed by the GDPR. Specifically, we executed Standard Contractual Clauses (“SCC”) as set forth by the provisions of the European General Data Protection Regulation (“GDPR”) regarding the collection, use, and retention of personal information transferred from the European Union, Switzerland, and the United Kingdom to the United States. These are standard form data processing agreements using so-called “Model Clauses” that have been approved by the European Commission as a lawful basis for transferring personal data to non-EEA countries like the USA. This means that Kami users wishing to transfer personal data from the European Economic Area (EEA) or UK to GCP and AWS in the USA can do so with the knowledge that their personal data on Kami will be given the same high level of protection it receives in the EEA or UK.
- Technical and organizational security measures:
  - All data is encrypted in transit and at rest.
  - Kami has deployed a corporate data security program.
- Processing according to controller instructions: Kami gives you full control over how data is utilized in Kami.
- Prompt breach notifications: In line with our current policies, Kami will promptly inform you of any incidents involving your users’ personal data.
- Our Data Security Plan, our Data Breach Response Plan and our Disaster Recovery Plan containing further details are available to customers on request.
Helping You Achieve Compliance
If you collect data about EU residents, you are likely considered a data controller under the GDPR. One of the biggest challenges you will face as a controller will be managing individuals’ requests to exercise their rights as defined by the regulation.
With regard to the additional rights defined in the GDPR, Kami enables you to comply when EU residents exercise the following rights:
Right to Access and Portability
Any activities that are carried out via Kami will be saved to your user’s own cloud or device storage. Data that might reflect an individual’s engagement data (annotations, comments) is synced back to Kami servers.
Right to Rectify
The GDPR also empowers individuals to correct any personal data that is deemed inaccurate or incomplete. When you update data in the Kami App, Kami’s data will automatically be updated if applicable.
Right to Erasure
Kami allows you to honor requests to delete an individual’s data. You can use Kami’s erasure tool to find an individual’s data stored in Kami and have it destroyed.
If you have any questions about the GDPR or want to learn how Kami can help you be compliant, please contact [email protected]
Meet our EU Designated Data Protection Representative
We have a Designated Data Protection Representative established in an EU member state, as required under Article 27 of Regulation (EU) 2016/679 (GDPR). You can contact Ginka, our local EU data protection representative, here:
Contact person: Ginka HRISTOVA ILAC
Email: [email protected]
Kami does not take our responsibilities as a data controller lightly, especially considering the industry we’re in. Our commitment to data protection is implemented through both rigorous technical and organizational measures, ensuring our operations and culture uphold this commitment.
Should you have any questions or concerns, please do not hesitate to reach out to our Data Protection Officer or other representatives listed above.
For further information on our Terms of Service, please visit: