The European Union’s General Data Protection Regulation (GDPR) protects European Union (EU) individuals’ fundamental right to privacy and the protection of personal data. The GDPR includes requirements that harmonize standards for personal data protection and security.
GDPR Compliance for your Protection
Have peace of mind knowing that AfterShip protects your data.
Overview and GDPR basics
What is the GDPR?
Who Does the GDPR apply to?
The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU individuals in connection with the offering of goods or services to data subjects in the EU.
Is AfterShip GDPR Compliant?
Yes, AfterShip is GDPR compliant. We meet all requirements of the GDPR and we organize yearly audits to ensure all new products, services and any other changes in our company comply with applicable laws and regulations.
Does the GDPR require EU personal data to stay in the EU?
The GDPR does not require EU data to reside in the European Union. The GDPR provides for mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.
Where personal data will be transferred outside of the EU to third countries not covered by adequacy decisions, we commit, under our Data Processing Agreement accessible here, to maintain a mechanism that will facilitate these transfers. We also conclude the Standard Contractual Clauses that were pre-approved by the European Commission on 4 June 2021 for data transfers. We also follow the European Data Protection Board recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
Is AfterShip a data processor or a data controller under the GDPR?
AfterShip mainly acts as a data processor under the GDPR. When customers use AfterShip services to process personal data based on their instructions, AfterShip acts as a data processor. This is the case for most AfterShip services including AfterShip Tracking, Postmen, Returns Center and Automizely. AfterShip offers a GDPR-compliant Data Processing Agreement that incorporates AfterShip’s commitments as data processor. AfterShip may also act as a data controller, namely for the end-users using the AfterShip mobile application.
Must all Data Controllers sign a DPA with AfterShip?
Information about the data that AfterShip processes and the measures it takes to protect it can be found in the AfterShip Data Processing Agreement (DPA). All Users must sign a DPA with AfterShip.
What Happens in the Event of a Data Breach?
AfterShip has been lucky as there hasn’t been any serious data breach in years. If one occurs, AfterShip will inform the Data Controller without undue delay in accordance with its legal and contractual obligations.
AfterShip’s DPO, GDPR Representative and employees
Does AfterShip have a Data Protection Officer?
Our Data Protection Officer is Erika Ellyne ([email protected]), an external data expert specialized in Data Protection for more than 10 years. She has extensive experience in all data protection matters (audits, DPIAs, transfer impact assessments, ISO 27001 projects, etc.) and a long track record in assisting clients bringing novel technology products to market and in ensuring regulatory compliance.
Does AfterShip have a GDPR Representative?
Our GDPR Representative is the EDPO (European Data Protection Office - [email protected]), with registered offices situated at Avenue Huart Hamoir, 71, 1030 Brussels, Belgium.
How does AfterShip ensure that employees are familiar with the legal requirements?
It is important to us that all employees accessing or processing the data know the requirements of the GDPR. In addition to general training, our company focuses on clear access policies and processes to ensure compliance and security in line with our ISO 27001 certification.
Security & Privacy Features
At AfterShip, we take our commitment to protecting your data seriously. We have you covered with key EU-GDPR compliant security features.
The AfterShip Services are hosted on Amazon Web Services and Google Cloud Platform in the United States of America and protected by security and environmental controls. Amazon Web Services and Google Cloud Platform regularly undergo independent verification of security, privacy, and compliance controls. Additional details are available at:
AfterShip configures the firewalls on the production environment according to industry best practices and monitors for unauthorized intrusions. AfterShip also uses Cloudflare WAF to block cyber-attacks. AfterShip performs automated vulnerability scans on the production environment and remediates any findings that present a risk to our environment. Additionally, AfterShip undergoes annual third-party penetration testing. A bug bounty program through HackerOne is also maintained, where security researchers are invited to submit vulnerabilities to AfterShip throughout the year. The security review process facilitated by the security team is an integral part of the AfterShip development lifecycle, and industry secure coding and review practices are followed.
AfterShip regularly performs security awareness training for all staff. AfterShip also offers 24x7 security monitoring and incident response.
AfterShip is ISO 27001 certified. ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls.
SSO and Two-Factor Authentication
The AfterShip products allow users to log in to their AfterShip accounts using the built-in AfterShip login or the "Sign in with Google" login. AfterShip allows authorized clients access to AfterShip through Multi-Factor Authentication (MFA) and API-Request Authentication.
Data Encryption to Prevent Unauthorized Access
AfterShip encrypts customer data in line with industry-tested and accepted standards. We use TLS 1.2 to encrypt all traffic in transit. We also use 256-bit AES encryption to secure database connection credentials and data stored at rest. AfterShip monitors the changing cryptographic landscape closely and works promptly to upgrade the service in response to new cryptographic weaknesses as they are discovered and to implement best practices as they evolve.
AfterShip regularly performs security penetration testing using established security firms.
Further Description of the Security Measures
Further technical and organizational measures in accordance with GDPR are described in the DPA accessible here.
We proactively monitor our uptime status, making us a reliable, consistent and trustworthy partner.
View our platform status
AfterShip works with merchants (data controllers) for most of its processing activities. The DPA describes the data protection obligations of the parties within the framework of their relationship. The DPA is accessible here.
Technical and organisational measures
AfterShip’s technical and organizational measures are described in the DPA accessible here.
List of Subprocessors
In accordance with GDPR, AfterShip engages subprocessors based on the data controller’s general written authorization. AfterShip will inform the controller of any intended changes concerning the addition or replacement of said subprocessors. The list is accessible here.