AquaFold’s GDPR Commitment

AquaFold, Inc. (“AquaFold”) is committed to the General Data Protection Regulation (“GDPR”), which will go into effect on May 25, 2018. The GDPR regulation contains the most significant changes to European data privacy legislation in the last 20 years. It is designed to give European Union (“EU”) citizens more control over their data and seeks to unify a number of existing privacy and security laws under one comprehensive law. The GDPR applies to all companies that do business with EU citizens or process data of EU citizens regardless of the location of the company that is processing such data. To that end, the GDPR applies to AquaFold.

Our customers can trust that AquaFold has made GDPR a priority and has devoted significant and strategic resources toward our efforts to adhere with GDPR.

Like many other global software companies, AquaFold is in the process of rolling out its company-wide GDPR policy program starting on May 25, 2018. AquaFold appreciates that its customers have requirements under the GDPR, which are directly impacted by their use of AquaFold’s products and services, and AquaFold is committed to helping its customers fulfill their requirements under the GDPR and local law.

AquaFold’s customers will typically act as the data controller for any personal data they provide to AquaFold in connection with their use of our products and services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. AquaFold is a data processor and processes personal data on behalf of the data controller when the controller is using AquaFold’s product and services.

Data controllers (e.g. AquaFold’s customers) are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed with GDPR in mind. Our customers’ obligations as data controller relate to principles such as fairness and transparency, purpose limitation, lawfulness, data minimization, and accuracy, as well as fulfilling data subject’s (e.g. the customer clients of our customers) rights with respect to their data.

AquaFold will keep you informed through its website about its policy with the GDPR requirements; however, should you have any questions or concerns, please do not hesitate to contact our legal department at

Questions about GDPR?

If you have questions about AquaFold’s GDPR commitment or if you would like to submit an inquiry about your personal data, please fill out and submit this form. An AquaFold representative will be in touch shortly.


Frequently Asked Questions about GDPR Compliance1

AquaFold, Inc. (“AquaFold”) has prepared this document to help you clarify some common confusions around the General Data Protection Regulation (“GDPR”). AquaFold recognizes the importance of the evolving legal and regulatory landscape around information security and data privacy and remains firmly committed to GDPR readiness.

  • Does my data need to be stored in Europe?

    No. The GDPR does not contain any obligation to store information in Europe. However, transfers of European personal data outside the European Economic Area (EEA) generally require that a valid transfer mechanism be in place to protect the data once it leaves the EEA. The GDPR does not invalidate or override the EU Model Clauses or the EU-U.S. and Swiss-U.S. Privacy Shield Framework, which are both legally valid mechanisms to ensure the legal transfer of personal data into and out of the EEA.

  • Does the GDPR apply to company that is established outside the European Union?

    Yes. The GDPR applies to all companies regardless of where it is located to the extent AquaFold process personal data in the context of (A) offering goods and services (whether paid or not) to people in the EEA; or (B) monitoring the behavior of people in the EEA, for example by placing cookies on the devices of EEA individuals.

  • Is it required to have consent from individuals to process their personal data?

    Consent is only one of the legal bases a company can use for the processing of personal data. For example, AquaFold can process personal data (A) when necessary for the performance of a contract to which the data subject (the individual whose data is processed) is a party; (B) when there is a legal obligation to do so (such as the submission of employee data to a tax authority); and (C) sometimes even on the basis of legitimate interests, such as commercial and marketing goals. The legitimate interest must, however, outweigh any detriment to the privacy of the data subject.

  • What is the difference of ‘data controller’ and ‘data processor’?

    Data Controller is the owner of their information and decides how that information should be used. Data Processor is an entity who processes the personal data of the Data Controller and carries out instructions of the Data Controller with regard to this data. Generally speaking, when AquaFold collects data from a customer in order to create an account, AquaFold will be the Data Controller. Formal definitions from the GDPR full text may be found at

  • As an owner of the data (e.g. data subject) located in the EEA, do I have the absolute right to be forgotten? Putting another way, is AquaFold obligated to delete all my personal data upon my request?

    No. The right to erasure (or right to be forgotten) is not absolute. AquaFold may refuse to honor the request if continued processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which AquaFold is subject. In addition, AquaFold can refuse to honor the request for the establishment, exercise or defense of legal claims. Therefore, several relevant factors have to be taken into account when considering a request for deletion of personal data by the data subject. Note, however, that data subjects have an absolute right to prevent their personal data from being processed for direct marketing purposes.

  • Does the GDPR require encryption of all personal data?

    No. The GDPR does not mandate specific security measures. Instead, the GDPR requires organizations to take technical and organizational security measures which are appropriate to the risks presented. Encryption at rest and pseudonymization may be appropriate depending on the circumstances, but they are not mandated by the GDPR in every instance. The following are kinds of security actions considered “appropriate to the risk” (1) the pseudonymization and encryption of personal data (as mentioned); (2) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (3) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (4) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

1NOTE: The above information is provided by AquaFold for informational purposes only and is not intended to serve as legal advice. You should contact your attorney to obtain advice with respect to any particular GDPR question, issue or problem.

Security Statement

AquaFold, Inc. (“AquaFold”), is committed to respecting and protecting the
privacy of its customers, partners and website visitors (collectively “You”
or “Your”). For more information about our Privacy Statement, click here.

The security of your personal information is very important to AquaFold. We
use robust security measures, which encompass both technical and
organizational security controls, to prevent data loss, information leaks,
or other unauthorized data processing operations. For example, AquaFold
requires that its processors and sub-processors (collectively, “Vendors”)
have implemented and maintain a security program in accordance with
industry standards, specifically AquaFold Vendors shall include the
following security program:

I – Physical Access Control: Unauthorized persons shall be prevented from
gaining physical access to premises, buildings or rooms where personal data
processing systems are located. Vendors have implemented the following

  1. prevent unauthorized individuals from gaining access to the processor’s premises.
  2. restrict access to data centers were data servers are located.
  3. use video surveillance and intrusion detection devices to monitor access to data processing facilities.
  4. ensure that individuals who do not have access authorization (e.g. technicians, cleaning personnel) are accompanied at all times when accessing data processing facilities.

II – System Access Control: Data processing systems must be prevented from
being used without authorization. Vendors have implemented the following

  1. implement measures to prevent unauthorized personnel from accessing
    data processing systems.
  2. provide dedicated user IDs for every authorized personnel accessing
    data processing systems for authentication purposes.
  3. assign passwords to all authorized personnel for authentication
  4. ensure that all data processing systems are password protected to
    prevent unauthorized persons accessing any personal data: (a) after
    boot sequences; and (b) when left unused for a short period.
  5. ensure that access control is supported by an authentication
  6. have implemented a password policy that prohibits the sharing of
    passwords, outlines processes after a disclosure of a password, and
    requires the regular change of passwords.
  7. ensure that passwords are always stored in encrypted form.
  8. implement a proper procedure to deactivate user accounts when a
    user leaves the processor (or processor function).
  9. implement a proper process to adjust administrator permissions when
    an administrator leaves the processor (or processor function).

III – Data Access Control: Persons entitled to use a data processing system
shall gain access only to the data to which they have a right of access,
and personal data must not be read, copied, modified or removed without
authorization in the course of processing or use and after storage. Vendors
have implemented the following controls:

  1. ensure that personal data cannot be read, copied, modified or
    removed without authorization during processing or use and after
  2. grant data access only to authorized personnel and assigns only the
    minimum data permissions necessary for those personal to fulfil
    their duties.
  3. ensure that the personnel who use the data processing systems can
    access only the data to which they have a right of access.
  4. restrict access to files and programs based on a
  5. store physical media containing personal data in secured areas.
  6. have measures in place to prevent use/installation of unauthorized
    hardware and/or software.
  7. have established rules for the safe and permanent destruction of
    data that are no longer required.

In addition, AquaFold requires its Vendors (i) to maintain a list of
subprocessors that may process the Personal Data of Vendor’s, and make
available such list to AquaFold; and (ii) to require all subprocessors to
abide by substantially the same obligations as Vendor under AquaFold Data
Processing Agreement for Vendors.

AquaFold incorporates encryption, incident management, network and system
integrity, and availability and resilience requirements into its security

AquaFold uses standard security protocols mechanisms to exchange the
transmission of sensitive data such as credit card details. When you enter
sensitive personal information such as your credit card number on our site,
we encrypt it using Secure Socket Layer (SSL) or Transport Layer Security
(TLS) technology.

In the event that your personal information is acquired, or is reasonably
believed to have been acquired, by an unauthorized person and applicable
law requires notification, AquaFold will notify you by e-mail or mail.
AquaFold will give you notice promptly, consistent with the reasonable
needs of law enforcement and/or AquaFold to determine the scope of the
breach and to investigate and restore the integrity of the data system.

If you have additional questions about privacy, please contact us at