Approach to GDPR

The EU's General Data Protection Regulations (GDPR) take effect May 25, 2018. It will set a new standard for how companies use and protect EU citizens' data. For the past few months the entire team has been committed to understanding and ensuring that we fulfill its obligations, maintaining and improving our transparency regarding customer messaging and how we use data.

What is the GDPR?

In a few words, the EU General Data Protection Regulation ("GDPR") is a new comprehensive data protection law that comes into effect on May 25, 2018. It will replace existing EU Data Protection laws to strengthen the protection of "personal data" and the rights of the individual. It will be a single set of rules that govern the processing and monitoring of EU data.

What actions did we take to comply with the GDPR?

Since the beginning of 2018, we (meaning our entire team) have been actively working to:

  • Understand the GDPR and what it involves for the company and our internal processes.
  • Train ourselves to always put data security at first, both when developing new features and when we consider using a new tool to help us operate the company.
  • We picked and designated a Data Protection Officer who will ensure that personal data security is always ensured!
  • We reviewed our entire infrastructure to ensure that we respect every state-of-the-art security practice.
  • We reviewed all our vendors and found out about their GDPR plans to arrange a GDPR-compliant data processing agreement.
  • We have updated our Privacy Policy and provided a Data processing addendum for schools to reflect our data security commitment.
  • In order to reinforce our transparency regarding customer data usage we listed and created clear explanations for every single use.

Understand the GDPR

We spent the first quarter of 2018 working with our lawyers to understand the GDPR and what it implies for us in terms of infrastructure, organizational impact and product changes. We understood that many requirements are actually quite close to the American COPPA / FERPA acts that we've been committed to following since early 2015.

Training and internal audit

We created a new internal team activity that intends to train all of our staff with state-of-the-art practices to:

  • Monitor the community and customers' data.
  • Always put our security duty first when it comes to handling these data.
  • Always think of security first when it comes to new developments.
  • Learn how to properly handle a security breach (countermeasures and internal communications).
  • Take appropriate measures upon becoming aware of any security breach (internal and external communications).

Once per quarter the DPO will work with the entire team to be sure everyone is up to date and continuing to apply these golden rules each workday.

The DPO will also personally onboard each new employee to give them enough knowledge and awareness before they are granted access to any customer data.

Finally, the DPO will run small unexpected internal audits once per month to ensure that team members are following and respecting the guidelines.

Data Protection Officer (DPO)

We took some time to clearly understand all the duties and responsibilities of this important role. Since we are still a small company, we decided to appoint someone from our existing staff. Pierre Rannou, our current CEO & sole director of the company, has been appointed on the 5th of January 2018. You can contact him at

Personal Data, Infrastructure and International transfers of personal data

We reviewed our entire infrastructure and made some changes to how we transfer personal data outside the EEA. We only store and transfer personal data in the EEA, in the UK, in Canada, and in the US to companies that adopted Standard Contractual Clauses (SCC). These technical choices follow the adequacy requirements of the protection of personal data in non-EU countries provided by the EU.

We now keep records of the data we store and process: What Data, When, Where, and have adjusted the different retention periods to reflect our updated privacy policy. We anonymized and removed data (e.g., IPs of guest visitors) that was not required to run our service.

Review of our vendors (subprocessors)

We have a strong culture of processing data on homemade tools, which is why we can keep the number of vendors very low. During our GDPR preparation, we reviewed them all to assess if they are GDPR compliant and to make sure that they are committed to be compliant before May 25, 2018.

You can find all the vendors (subprocessors) we work with on this page and how we use them.

New features on Flat

We took advantage of the GDPR to make some enhancements to the platform. Here are a few of the visible updates:

  • When you create an individual account on our public platform, we now require you to verify your age. Check out our dedicated FAQ to learn more about this change.
  • We ask for consent for our Terms of Service and marketing communications separately, and properly store these consents.

DPA for schools

We now provide a dedicated data processing addendum (DPA) for schools using Flat for Education.

Privacy Policy

We updated our privacy policy to reflect these changes and our compliance with GDPR. This now includes a clear annex on the personal information we collect and how we use it in our service.

Can't find your answer?

Get in touch with our team. We’re here to help.

Contact Us