Data Protection Compliance - For Your Benefit

Have peace of mind knowing that AfterShip protects your data.

Overview and Data Protection Law Basics

What do we mean with “Applicable Data Protection Laws”?

AfterShip follows and complies with all the most stringent global data protection laws, which ensures compliance for all our customers. When we use “Applicable Data Protection Laws”, we mean all data protection and privacy laws that apply to our operations. In particular, AfterShip’s services are designed and provided with specific attention to (i) Data Protection Laws applicable to European Economic Area and the United Kingdom, (ii) US Data Protection Laws, and (iii) any and all data protection laws and regulations applicable to personal data as such laws pertain and have jurisdiction with respect to AfterShip’s operations, in each case as amended, superseded or replaced from time to time.

Data Protection Laws applicable to the European Economic Area (EEA) and the United Kingdom (UK) means (i) the European Union’s (EU) General Data Protection Regulation (2016/679) (GDPR), the 2002/58/EC Directive on Privacy and Electronic Communications, (ii) the UK Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR) as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019, and (iii) any and all other data protection laws and regulations applicable to personal data in the EEA and the UK. The GDPR/UK GDPR applies to all organisations established in the EEA/UK and to organisations, whether or not established in the EEA/UK, that process the personal data of EEA/UK individuals in connection with the offering of goods or services to data subjects in the EEA/UK.

US Data Protection Laws means the California Consumer Privacy Act as amended by the California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, and any other similar comprehensive state privacy laws that place obligations on a business or controller in relation to personal data (as defined under such laws), as well, as or the extent applicable, the Electronic Communications Privacy Act; Massachusetts Gen. Law Ch. 93H; the Federal Trade Commission Act; the Gramm-Leach-Bliley Act, and any relevant regulation, rule or other binding instrument which implements such laws.

Is AfterShip compliant with Applicable Data Protection Laws?

Yes, we strive to meet the requirements set out in Applicable Data Protection Laws, and in order to monitor our compliance, we conduct annual audits to ensure all new products, services and any other changes in our company are in accordance with Applicable Data Protection Laws.

Is AfterShip a data processor or a data controller under Applicable Data Protection Laws?

Acting as a Data Processor: The substantial majority of AfterShip’s services are provided as a data processor under Applicable Data Protection Laws, processing personal data. Acting as a data processor, AfterShip acts pursuant to the instructions of the “Data Controller” - in such cases AfterShip’s customers and logistics partners. AfterShip does not independently determine the means or the purposes to process personal data, acting solely in accordance with the appropriate instructions. This is the case for most AfterShip services including, but not exclusively AfterShip Tracking, Shipping, Returns, Email, SMS etc. In order to lawfully process personal data, AfterShip concludes a data processing which incorporates AfterShip’s commitments as data processor.

Acting as a Data Controller: Occasionally, AfterShip may also act as a data controller; most often with respect to individuals' use of AfterShip’s mobile application.

Do data controllers sign a DPA with AfterShip?

AfterShip systematically concludes a Data Processing Agreement with each data controller, which sets out what type of personal data AfterShip will process and the measures to be applied to such processing.

How can I ensure my personal data is removed or purged?

Any individual may make a request to have personal data held by AfterShip removed in accordance with Applicable Data Protection Laws pursuant to the data subject request process set forth below.

What happens in the event of a data breach?

AfterShip has implemented and continues to evolve measures to secure personal data. In spite of these measures, should a data breach were to occur, AfterShip will inform the data controller, without undue delay, in accordance with its legal and contractual obligations.

European Specific Data Privacy Information

What is the GDPR?

The General Data Protection Regulation (GDPR) promulgated by the European Union (EU) protects the fundamental right to privacy and the protection of personal data of individuals located in a European Economic Area (EEA) member-state (“European Data Subjects”).

Who Does the GDPR apply to?

The GDPR applies to all organisations established in the EEA and to organisations, whether or not established in the EEA, that process the personal data of European Data Subjects in connection with the offering of goods or services to data subjects in the EEA.

Is AfterShip GDPR Compliant?

AfterShip has implemented all the GDPR mandated compliance mechanisms, and we conduct annual audits to ensure all new products, services and any other changes in our company comply with GDPR.

How does this apply to the United Kingdom and Switzerland?

The United Kingdom and Switzerland have each enacted data protection legislation substantially similar to the GDPR, and apply the same mechanisms and processes with respect to personal data originating from these jurisdictions.

Is AfterShip allowed to transfer personal data out of the EEA, UK and Switzerland?

The GDPR, nor similar legislation in the UK and Switzerland, does not require EU data to reside in Europe. The GDPR provides mechanisms to facilitate transfers of personal data outside of the EEA. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.

Where personal data will be transferred outside of the EEA to third countries not covered by adequacy decisions, AfterShip commits under its Data Processing Agreement (accessible here), to the compliant processes needed to effectuate the transfer legally. We also conclude the Standard Contractual Clauses that have been pre-approved by the European Commission on 4 June 2021 for data transfers to third countries. We also follow the European Data Protection Board recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the GDPR mandated level of protection of personal data.

Does AfterShip have a GDPR Representative?

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), AfterShip has appointed the European Data Protection Office (EDPO) as its GDPR Representative in the EU. You may contact EDPO regarding matters pertaining to the GDPR:

by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium

AfterShip’s DPO, GDPR Representative and Employees

Does AfterShip have a Data Protection Officer?

Our Data Protection Officer is Nicolas Magrez ([email protected]), an external data expert specialised in data privacy for more than 10 years and former General Counsel at AfterShip. He has extensive experience in privacy and data protection matters: audits, DPIAs, transfer impact assessments, ISO 27001 projects, etc. and a long track record in assisting clients bringing novel technology products to market and of ensuring regulatory compliance.

How does AfterShip ensure that persons accessing personal data comply with legal requirements?

All AfterShip personnel who have access to personal data are provided such access in accordance with Applicable Data Protection Laws, and trained on the requirements related to such access. In addition to training sessions, AfterShip implements clear access policies and processes to promote compliance and security in line with our ISO27001 and SOC2 Type 2 certification, which are designed to ensure fulfilment of AfterShip’s obligations under Applicable Data Protection Laws.

Security & Privacy Features

At AfterShip, we take our commitment to protecting your data seriously. We have you covered with key EU-GDPR compliant security features.

Security Measures

The AfterShip Services are hosted on Amazon Web Service and Google Cloud Platform in the United States of America and protected by security and environmental controls. Amazon Web Service and Google Cloud Platform regularly undergo independent verification of security, privacy, and compliance controls. Additional details are available at:

AfterShip configures the firewalls on the production environment according to industry best practices and monitor unauthorized intrusions' services. AfterShip also uses Cloudflare WAF to block cyber-attacks. AfterShip performs automated vulnerability scans on the production environment and remediate any findings that present a risk to our environment. Additionally, AfterShip undergoes annual third-party penetration testing. A bug bounty program through HackerOne is also maintained, where security researchers are invited to submit vulnerabilities to AfterShip throughout the year. Additionally, the security review process facilitated by the security team is an integral part of AfterShip development lifecycle and the industry security coding and review practices are followed.

AfterShip regularly performs security awareness training for all staff. AfterShip also offers 24x7 security monitoring and incident response.

Security Certifications

AfterShip is ISO 27001 certified. ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls.

SSO and Two-Factor Authentication

The AfterShip products allow users to log in to their AfterShip accounts using built-in AfterShip login or "Sign in with Google" login. AfterShip allows authorized clients access to AfterShip through Multi-Factor Authentication (MFA) and API-Request Authentication.

Data Encryption to Prevent Unauthorized Access

AfterShip encrypts customer data aligning with industry-tested and accepted standards. We use TLS 1.2 to encrypt all traffic in transit. We also use AES-256 bit encryption to secure database connection credentials and data stored at rest. AfterShip monitors the changing cryptographic landscape closely and work promptly to upgrade the service to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve.

Application Protection

AfterShip regularly performs security penetration testing using established security firms.

Further Description of the Security Measures

Further technical and organizational measures in accordance with GDPR are described in the DPA accessible here.

Data Subject and Data Controller Requests

This article describes how personal data is managed when AfterShip receives a request from the individual whose personal data is being processed by AfterShip (each a “data subject”) or AfterShip’s customers, when they instruct AfterShip to process personal data. There are several different obligations that apply to AfterShip when it processes personal data. AfterShip might encounter requests from different parties to perform actions with respect to types of personal data that is stored or processed by AfterShip. In most cases, a data controller will be AfterShip’s customer or logistics partner, and AfterShip will act as data processor, in accordance with the Applicable Data Protection Laws and the Data Processing Agreement. Please find here: (1) the process implemented by AfterShip and (2) an overview of data subject rights.

1. AfterShip Process for the Implementation of Rights

To ensure that the rights described in Section 2 are respected, AfterShip has implemented the following procedures:

1.1. AfterShip as a data processor

The majority of the time, AfterShip is acting as a data processor. This means that AfterShip processes personal data based on the instructions of a data controller, normally AfterShip’s professional customers such as merchants, platforms, or logistics partners.

In this case, AfterShip will act in accordance with the following process:

Data subject requests: a request from a data subjectt should be sent via email to [email protected]. In each case, AfterShip will forward the request to the relevant data controller without undue delay. AfterShip will comply with the data controller’s instructions on how to respond to the Data Subject request.
Data controller requests: instructions from a data controller should be sent via email to [email protected]. AfterShip shall comply with data controller’s instructions, without undue delay, in accordance and subject to the Data Processing Agreement and the Applicable Data Protection Laws.

1.2. AfterShip as a data controller

In the event where AfterShip is acting as a data controller, i.e. when the data subject uses AfterShip mobile application to track personal shipments, AfterShip will act in accordance with the following process:

Data subject request: request from a data subject should be sent via email to [email protected]. Requests from data subjects will be answered within 30 days and fulfilled free of charge in accordance with Applicable Data Protection Laws.

2. Data Protection Rights

Data subjects have a number of rights under Applicable Data Protection Laws.

2.1. The right to request access to personal data

A data subject has the right to obtain the following information:

Confirmation that data subject’s personal data is being processed;
The purposes of the processing;
The categories of personal data processed;
The recipients or categories of recipients to whom the personal data is disclosed;
The retention period or the criteria applied to determine that period;
The existence of the right to object to and to request rectification, erasure, or the restriction of processing of personal data;
Where personal data was not collected directly from the data subject, any information available regarding the source of personal data; and
The existence of any automated decision-making (including profiling) and meaningful information about the logic involved and the relevant consequences attached thereto.

This communication shall not adversely affect the rights and freedoms of others, which means that AfterShip cannot provide personal data related to any other data subject.

2.2. The right to obtain the rectification of any inaccurate personal data

Each data subject has the right to obtain the rectification of inaccurate personal data. Moreover, a data subject has the right to complete any incomplete personal data which is relevant for the purposes of the data processing.

2.3. The right to obtain the erasure of personal data

A data subject may request the erasure of personal data, under the following circumstances:

Personal data is no longer necessary in relation to the purposes for which such personal data was collected or otherwise processed;
A data subject withdraws consent which formed the sole legal grounds upon which processing was based;
A data subject objects to the processing of personal data, which is either based on a data controller’s legitimate interest or necessary for a task carried out in the public interest or in the exercise of official authority vested in the data controller, and there are no overriding legitimate grounds for the processing;
A data subject objects to the processing of personal data for direct marketing purposes, which includes any profiling related to direct marketing;
Personal data has been unlawfully processed; or
Erasure of personal data is necessary to comply with a legal obligation.

A data controller has no obligation to erase personal data in certain cases. In such case, AfterShip will follow the data controller’s instructions. This includes cases where the processing is necessary, such as:

To exercise the right to freedom of expression and information;
To comply with a legal obligation, to carry out a task in the public interest, or to exercise an officiation authority vested in the data controller;
For reasons of public interest in public health;
For archiving purposes in the public interest, scientific or historical research, or statistical purposes (to the extent that the request would render impossible or seriously impair the objectives of such processing); or
For the establishment, exercise, or defence of legal claims.

2.4. The right to limit the processing activities to which the personal data is subject

A data subject can request and obtain the restriction of processing of personal data.

Upon a request, the data controller should do so if:
- During the period of time it takes the data controller to verify the accuracy of any personal data, which was contested;
- The processing is unlawful, but the data subject opposes the erasure and requests the limitation of processing instead;
- The personal data is no longer needed by the data controller, but the personal data is needed by the data subject for the establishment, exercise or defence of legal claims;
- Subsequently, to an objection placed by the data subject, during the period of time it takes the data controller to investigate whether legitimate grounds exist that override those of the data subject’s request;
In these cases, personal data can only be processed:
- With the data subject’s consent;
- For the establishment, exercise or defence of legal claims;
- For the protection of another natural/legal person’s rights;
- For reasons of important public interest;
- For storage.
For data subjects that have obtained restriction of processing, they should be informed when the restriction is lifted.

2.5. The right to data portability

This means that the data subject shall receive personal data communicated in an easily transferable format and the data controller must transmit personal data to a person of its choosing. Personal data should be communicated in a structured, commonly used and machine-readable format, and upon request, can be directly transmitted to another data controller.

This applies in the following cases:
- The processing is based on data subject’s consent;
- The processing is based on the performance of a contract to which a data subject is a party.
This right does not apply to:
- The processing of personal data necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the data controller;
- Another person’s personal data: the communication should not adversely affect other people’s rights. This means that personal data related to another data subject cannot be transferred.

2.6. The right to object

A data subject has the right to object to the processing of their personal data, in the following cases:
- Processing is based on the data controller’s legitimate interest, or;
- Processing is done for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
- Any processing of personal data for direct marketing purposes.
The data controller should stop processing personal data, unless:
- Compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject can be demonstrated, or
- For the establishment, exercise, or defence of legal claims;

This does not apply to direct marketing activities, which should always be stopped upon objection (including any profiling activities).

2.7. Automated individual decision making

A data subject has the right not to be subject to a decision based solely on automated processing (including profiling), which produces legal effects or affects them similarly. This means that a data subject has the right to have human intervention in decision making that impacts their rights/legal situation, unless otherwise foreseen by the law.

3. Further Information

Any further questions may be sent to AfterShip privacy team via email to [email protected] and to AfterShip’s Data Protection Officer at [email protected].

Status Transparency

We proactively monitor our uptime status, making us a reliable, consistent and trustworthy partner.

View our platform status

Legal documents

DPA

AfterShip works with merchants (data controllers) for most of its processing activities. The DPA describes the data protection obligations of the parties within the framework of their relationship. The DPA is accessible here.

Privacy Policy

In some instances, AfterShip is considered as an independent controller, for example for activities provided directly through its applications when creating an AfterShip account. For general information about privacy at AfterShip, please consult the Privacy Policy.

Technical and organisational measures

AfterShip technical and organizational measures are described in the DPA accessible here.

List of Subprocessors

In accordance with GDPR, AfterShip engages subprocessors based on the data controller’s general written authorization. AfterShip will inform the controller of any intended changes concerning the addition or replacement of said subprocessors. The list is accessible here.