GDPR Compliance for your Protection

Have peace of mind knowing that AfterShip protects your data.

GDPR Image

Overview and GDPR basics

AfterShip’s DPO, GDPR Representative and employees

Security & Privacy Features

At AfterShip, we take our commitment to protecting your data seriously. We have you covered with key EU-GDPR compliant security features.

Security Measures

The AfterShip Services are hosted on Amazon Web Service and Google Cloud Platform in the United States of America and protected by security and environmental controls. Amazon Web Service and Google Cloud Platform regularly undergo independent verification of security, privacy, and compliance controls. Additional details are available at:

AfterShip configures the firewalls on the production environment according to industry best practices and monitor unauthorized intrusions' services. AfterShip also uses Cloudflare WAF to block cyber-attacks. AfterShip performs automated vulnerability scans on the production environment and remediate any findings that present a risk to our environment. Additionally, AfterShip undergoes annual third-party penetration testing. A bug bounty program through HackerOne is also maintained, where security researchers are invited to submit vulnerabilities to AfterShip throughout the year. Additionally, the security review process facilitated by the security team is an integral part of AfterShip development lifecycle and the industry security coding and review practices are followed.

AfterShip regularly performs security awareness training for all staff. AfterShip also offers 24x7 security monitoring and incident response.

Security Certifications

AfterShip is ISO 27001 certified. ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls.

SSO and Two-Factor Authentication

The AfterShip products allow users to login to their AfterShip accounts using built-in AfterShip login or "Sign in with Google" login. AfterShip allows authorized clients access to AfterShip through Multi-Factor Authentication (MFA) and API-Request Authentication.

Data Encryption to Prevent Unauthorized Access

AfterShip encrypts customer data aligning with industry-tested and accepted standards. We use TLS 1.2 to encrypt all traffic in transit. We also use AES-256 bit encryption to secure database connection credentials and data stored at rest. AfterShip monitors the changing cryptographic landscape closely and work promptly to upgrade the service to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve.

Application Protection

AfterShip regularly performs security penetration testing using established security firms.

Further Description of the Security Measures

Further technical and organizational measures in accordance with GDPR are described in the DPA accessible here.

Data Subject and Data Controller Requests

This article describes how Personal Data (“PD”) is managed when AfterShip receives requests from Data Subjects (the individual whose PD is being processed by AfterShip) or Data Controllers (the merchants or Users). There are several different obligations that apply to AfterShip when it processes PD. AfterShip might encounter requests from different parties to perform actions on certain Personal Data that is stored or processed by AfterShip. In most cases, the Users or merchants act as Data Controllers and AfterShip acts as Data Processor in accordance with applicable laws and the Data Processing Agreement. Please find hereafter (1) the process implemented by AfterShip and (2) an overview of the Data Subject rights.

1. AfterShip Process for The Implementation of Rights

To ensure that the rights described in section 2 are respected, AfterShip has implemented the following procedures:

1.1. AfterShip as a Data Processor

Most of the time, AfterShip will act as a Data Processor. This means that AfterShip processes Personal Data (“PD”) based on the instructions of the Data Controllers, the Users (merchants, etc.).

In this case, AfterShip will act in accordance with the following process:

  • Data Subject: request from the Data Subject may be sent via email to **[email protected] and [email protected]**. In this event, AfterShip will transfer the request to the relevant Data Controller without undue delay. AfterShip will comply with the User’s instructions on how to respond to the Data Subject request.
  • Data Controller: instructions from the Data Controller may be sent via email to [email protected] and [email protected]. AfterShip shall comply with User’s instructions, without undue delay, in accordance with the Data Processing Agreement and the applicable personal data laws and regulations.

1.2. AfterShip as a Data Controller

Most of the time, AfterShip acts as Data Processor. There is however one main case where AfterShip will act as a Data Controller: when the Data Subject (end-user) uses AfterShip mobile application to track his/her shipments. AfterShip will act in accordance with the following process:

  • Data Subject: request from the Data Subject may be sent via email to [email protected] and [email protected]. Requests from Data Subjects will be answered within 30 days and fulfilled free of charge in accordance with applicable personal data laws and regulations.

2. The Data Protection Rights

Data Subjects have a number of rights in accordance with applicable data protection laws.

2.1. The right to request access to PD

The Data Subject has the right to obtain the following information. This communication shall not adversely affect the rights and freedoms of others, which means that the company should not provide PD related to any other Data Subject.

  • Confirmation that his/her PD is being processed;
  • The purposes of the processing;
  • The categories of PD processed;
  • The recipients or categories of recipients to whom the PD is disclosed;
  • The retention period or the criteria applied to determine that period;
  • The existence of the right to object to and to request rectification, erasure, or the restriction of processing of PD;
  • Where the PD was not collected directly from the Data Subject, any information available regarding the source of the PD;
  • The existence of any automated decision-making (including profiling) and meaningful information about the logic involved and the relevant consequences attached thereto.

2.2. The right to obtain the rectification of any inaccurate PD

The Data Subject has the right to obtain the rectification of inaccurate PD. Moreover, the Data Subject has the right to complete any incomplete PD which is relevant for the purposes of the data processing.

2.3. The right to obtain the erasure of PD

A Data Subject has the right to obtain the erasure of their PD namely under the following circumstances:

  • PD are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • The Data Subject withdraws their consent which formed the sole legal grounds upon which processing was based;
  • The Data Subject objects to the processing of PD, which is either based on the Data Controller’s legitimate interest or necessary for a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, and there are no over-riding legitimate grounds for the processing;
  • The Data Subject objects to the processing of their PD for direct marketing purposes, which includes any profiling related to direct marketing;
  • The PD have been unlawfully processed;
  • Erasure of the PD is necessary to comply with a legal obligation.

The Data Controller has no obligation to erase the PD in specific cases. AfterShip will follow the Data Controller’s instructions. This includes namely cases where the processing is necessary:

  • To exercise the right to freedom of expression and information;
  • To comply with a legal obligation, to carry out a task in the public interest or to exercise an officiation authority vested in the Data Controller;
  • For reasons of public interest in public health;
  • For archiving purposes in the public interest, scientific or historical research or statistical purposes (to the extent that the request would render impossible of seriously impair the objectives of such processing);
  • For the establishment, exercise or defense of legal claims.

2.4. The right to limit the processing activities to which the PD is subject

The Data Subject can request and obtain the restriction of processing of their PD.

  • Upon a request, the Data Controller should do so:
    • During the period of time it takes the Data Controller to verify the accuracy of any PD, which was contested;
    • The processing is unlawful, but the Data Subject opposes the erasure and requests the limitation of processing instead;
    • The PD is no longer needed by the Data Controller, but the PD is needed by the Data Subject for the establishment, exercise or defense of legal claims;
    • Subsequently to an objection placed by the Data Subject, during the period of time it takes the Data Controller to investigate whether legitimate grounds exist that override those of the Data Subject’s request;
  • In these cases, PD can only be processed:
    • With the Data Subject’s consent;
    • For the establishment, exercise or defense of legal claims;
    • For the protection of another natural/legal person’s rights;
    • For reasons of important public interest;
    • For storage.
  • For Data Subjects that have obtained restriction of processing, they should be informed when the restriction is lifted.

2.5. The right to data portability

This means that the Data Subject has the right to receive their PD communicated to them in an easily transferrable format and the Data Controller have to transmit the PD to a person of their choosing. The PD should be communicated in a structured, commonly used and machine-readable format, and upon request, can be directly transmitted to another Data Controller.

  • This applies in the following cases:

    • The processing is based on the Data Subject’s consent;
    • The processing is based on the performance of a contract to which the Data Subject is a party.
  • This right does not apply:

    • To the processing of PD necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the Data Controller;
    • Other people’s PD: the communication should not adversely affect other people’s rights. This means that PD related to any other Data Subject cannot be transferred.

2.6. The right to object

  • The Data Subject has the right to object to the processing of their PD, in the following cases:
    • Processing is based on the Data Controller’s legitimate interest, or;
    • Processing is done for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller; Any processing of PD for direct marketing purposes.
  • The Data Controller should stop processing the PD, unless:
    • Compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject can be demonstrated, or
    • For the establishment, exercise or defense of legal claims; This does not apply to direct marketing activities, which should always be stopped upon objection (including any profiling activities.

2.7. Automated individual decision making

  • The Data Subject has the right not to be subject to a decision based solely on automated processing (including profiling), which produces legal effects or affects them similarly. This means that a Data Subject has the right to have human intervention in decision making that impacts their rights/legal situation, unless otherwise foreseen by the law.

3. Further Information

Status Transparency

We proactively monitor our uptime status, making us a reliable, consistent and trustworthy partner.

View our platform status

Legal documents

file

DPA

AfterShip works with merchants (data controllers) for most of its processing activities. The DPA describes the data protection obligations of the parties within the framework of their relationship. The DPA is accessible here.

file

Privacy Policy

In some instances, AfterShip is considered as an independent controller, for example for activities provided directly through its applications when creating an AfterShip account. For general information about privacy at AfterShip, please consult the Privacy Policy.

file

Technical and organisational measures

AfterShip technical and organizational measures are described in the DPA accessible here.

file

List of Subprocessors

In accordance with GDPR, AfterShip engages subprocessors based on the data controller’s general written authorization. AfterShip will inform the controller of any intended changes concerning the addition or replacement of said subprocessors. The list is accessible here.

More Questions?

If you have any questions regarding personal data at AfterShip, please contact us at [email protected].

Create a world-class post-purchase experience