Data security

Comments

21 comments

  • Mark Meinema

    This is something we'd very much like to as well!
    We're actively promoting Workflowy within some very large employers in the Netherlands, but GDPR compliance and server location keep popping up as a major issue that prevents them from committing to (and paying for) Workflowy on any significant scale.

    Could you enlighten us as to what your current stance towards this is and what your plans are for the future? Please don't underestimate the influence of this to the adaptation speed of Workflowy and, ultimately, to your bottom line!

    Cheers

    Mark

    0
  • Mark Meinema

    Any thoughts on this already? :-)

    0
  • Frank (Workflowy Support)

    Hi Mark and Priscilla,

    We do believe that we are currently GDPR compliant and are currently waiting on an audit process. So that information will be forthcoming. 

    Our servers are based in the US through AWS (Amazon Web Services), and we are backed up by their robust cloud-powered security. 

    https://aws.amazon.com/security/

    0
  • Mark Meinema

    That's good to hear!

    And it's good to hear that an audit and official compliance will be forthcoming. I wouldn't at all be surprised if Workflowy is already compliant.

    European companies, however, would like to be 100% certain that Workflowy is and will be guaranteed to be compliant. That will greatly help in creating enough trust for companies to put their data that is personally identifiable into Workflowy as well and will greatly increase the scope of things for which Workflowy will be useful.

    Cheers

    Mark

    1
  • J

    Hi Frank,

    Any news on the GDPR compliance?

    Kind regards,

    J

    1
  • Stefano Grassi

    I'd like to know that as well,

    thank you

    1
  • Frank (Workflowy Support)

    Hi folks,

    Absolutely, we are in fact GDPR compliant regarding storage of emails, cookies, etc. We jumped on board way back when we were hit with the GDPR tsunami :-)

     

    0
  • Martijn Aslander

    That's awesome! Now I can try to get the Dutch Police force on board ..

    0
  • Frank (Workflowy Support)

    Hi Martijn,

    We have just implemented reCAPTCHA over the last couple of days... and fairly soon we will be implementing 2FA/MFA. We're focusing on this aggressively now...

    0
  • Martijn Aslander

    Hey Frank!

    That's music to my ears!!

    Ciao, Martijn 

    0
  • Jakup L. D. Michaelsen

    But you do not explain adequately how you are GDPR compliant in your Privacy Policy. What essential guarantees have you taken to secure customer data from US intelligence? 

    0
  • Frank (Workflowy Support)

    Hi Jakup,

    We have a team member dedicated to putting together our TOS, privacy policy, info on GDPR, etc. Our privacy policy is out of date and we are working now to put this all together. We're working with lawyers and specialists...

    0
  • Jakup L. D. Michaelsen

    Thanks for your reply Frank 😊

    That sounds great. Our school, based in Denmark, is experiencing a surge of interest in using Workflowy in post-covid teaching. Its simplicity and powerful collaborative feature are a welcome extension of how much we used MS Teams during lockdown. Since I introduced my colleagues to Workflowy some years ago, in the time before GDPR, I have become our school's DPO. Therefore, I can no longer actively push for proper adoption of Workflowy until it will be possible for us to sign a DPA.

    Best regards,

    Jákup

    0
  • S V Smailus

    Hi Frank,

    I'm also in the position of needing to know if personal and sensitive information is secure in Workflowy.

    One area of concern is with your Privacy Policy, which states the user agrees to data being stored in the US. The Privacy Policy is from 2016, so I'm hoping there is an update. However, as it stands it means that all the data I put into Workflowy could be given to US authorities and my rights would be negligent as a non-US citizen.

    Could you please tell me the position on this. It really means anyone outside the US could have their data taken with no recourse as they are not US citizens.

    I should add that my understanding is that to be GDPR compliant data cannot be taken outside of the EU?

    0
  • Frank (Workflowy Support)

    Hi! We're on the cusp of releasing the latest privacy policy. We've been working hard on this with consultants. Just yesterday our entire Team underwent GDPR training. We have to comply with EU regulations and that will be made clear in the new privacy policy/DPA.

    To be GDPR compliant does not mean that data cannot be taken out of the EU. Our servers are based in the US with AWS. We need to observe GDPR laws wherever our servers happen to be, and we would incur infringement fines all the same, which are rather hefty.

    0
  • Frank (Workflowy Support)

    All data is encrypted and there is no possibility to access it in a meaningful way. Also, in addition, all of our third party data processors are GDPR compliant as well. 

    0
  • S V Smailus

    I'm really disappointed that you not only did not post my last post, but even deleted it. It demonstrates that Workflowy is untrustworthy at handling my data. I have now cancelled my account.

    0
  • Frank (Workflowy Support)

    Hi @SV and company,

    @SV If I deleted your post, it must have been for good reason. I can't quite remember why. But I do recall having deleted a forum post recently... which is the first time in a very very long time. Feel free to post again so I can have a look at it and remember why it is. I delete posts that are inappropriate... and I can't remember the content. I've got a lot to get through on several platforms.

    Update to the privacy policy: I can't wave a wand and make it happen as soon as I personally would like to have it ready. The entire team went through GDPR training (a significant effort) and we've had our lawyer and consultant/specialist go through everything in the most excruciating detail. The Data Processing Agreement was just signed by our CEO and it's not long before the corresponding team member posts on a dedicated WorkFlowy web page.

    One and all, please feel free to join our users group on Slack. For some reason the Zendesk forum here is like a ghost town. There are many more WorkFlowy users engaging and interacting here:

    https://join.slack.com/t/workflowyusergroup/shared_invite/zt-s867uw4j-hxIqSvU7n6e7gXKwpjVWbw 

    0
  • Frank (Workflowy Support)

    Hi @SV,

    I just checked deleted comments... and there are 3 all-time comments deleted that I find... and the last one I deleted was a double post. I don't see anything of yours that was deleted. Please go ahead and post here again if you wish. I'm not sure what this is about. You mentioned, "not only did not post my last post"... well, there is no process where anyone has to approve posts. EVERYTHING gets posted automatically... Posts go through as soon as you post them. No one sorts through the "good and the bad fish". So I believe you've jumped the gun here and have canceled your account with no intervention from another living being. I have no recollection of having deleted a post that would otherwise be in our trash can. I hope that you will choose of your own accord to take WorkFlowy up again. 

    0
  • HTHawks

    The link you posted is not only outdated, but it seems I have to be some kind of special member to join - so now I cannot track/follow or participate in this important conversation ...that affects all Workflowy users.

    So what's the deal? What's up with this?

    0
  • S V Smailus

    @HTHawks

    I've been having a private exchange with Workflowy. The long and short of it is that Workflowy have no immediate plans of offering other AWS locations other than the US to their customers. This means all data is stored in the US. Non-US citizens are afforded no guarantee to privacy by US surveillance. The Court of Justice of the European Union (CJEU) ruled that US surveillance laws are in conflict with EU user privacy (https://noyb.eu/en/cjeu). To quote from the article:

    The Court was clear that the far-reaching US surveillance laws are in conflict with EU fundamental rights. The US limits most protections to “US persons”, but does not protect the data of foreign customers of US companies from the NSA. As there is no way of finding out if you or your business are under surveillance, people also have no option to go to the courts. The CJEU found that this violates the 'essence' of certain EU fundamental rights.

    With that in mind as a British citizen, I have deleted all my data off Workflowy and cancelled my subscription. Should Workflowy at some future point feel they want to protect the data of non-US citizens by providing AWS storage within the user's local legal jurisdiction I may reconsider, but as it is Workflowy have left non-US citizens with no protection from US surveillance.

    There is an interesting discussion on this on Mac Power User Forums here

    0