Fabman & GDPR

Data inventory

We’ve reviewed and identified all the areas of Fabman where we’re collecting and processing personal data; categorizing and taking inventory of everything from cookies to server log files. We’ve validated our legal basis for collecting and processing sensitive data and double checked that we’re applying the appropriate security and privacy safeguards across our entire infrastructure and software ecosystem.

Rewritten privacy policy

We’ve rewritten our Privacy Policy to be clear and easy to understand. We explicitly state what kind of data we store, where we store it, and for how long we keep it.

Data processing addendum

We offer a data processing addendum (DPA) for our customers who collect data from people in the EU. Our DPA offers contractual terms that meet General Data Protection Regulation (GDPR) requirements and that reflect our data privacy and security commitments to our customers.

We cannot agree to sign customers’ DPAs. As a small team, we’re unable to make individual changes to our DPA as we don’t have a legal team on staff. Any changes to the standard DPA would require legal counsel and overhead that would be cost-prohibitive for our team.

Updates to our third party vendor contracts

We’ve listed all our 3rd party vendors and performed a review of their GDPR compliance. We have DPAs in place with those vendors who offer a signed version, while others are taking the same approach as us and having the DPA be automatically accepted as part of the Terms of Service on May 25th.

New tools for you

We’ve added new tools and features to your Fabman admin interface to help you stay GDPR-compliant:

1. Storage restrictions for sensitive data: You can now specify in your account settings how long we’ll store equipment activity logs and booking information. Any information older then the specified duration is automatically deleted.
2. Full data export for members: There’s a new link on each member’s detail page that lets you export all data Fabman has stored about that member in an open-standard data exchange file format, as required by the GDPR access and data portability rules. Previously, you were already able to get this data via our open API, but the new export makes it even easier.
3. Find inactive members: We’ve extended our members API to allow you to fetch all inactive members (i.e., members without an active package) with a single request. This can help you determine which members to delete (based on your data retention policies).
4. Anonymized user data: When you delete a member, all their data is immediately removed and any references to the member (for example, as part of activity log records) are replaced with anonymized placeholders.

Risk assessment

Having a managed data protection impact assessment (DPIA) process is a requirement for GPDR. Our DPIA process helps us identify and minimize the data protection risks of any project. Our team members are used to performing security and privacy due diligence when making tooling and implementation decisions. Any time we change the way we handle personal data, we take the time to discuss the potential implications for our customers and their users and possible privacy or security risks to personal data. If any risk is identified, we take steps to mitigate it. We’ll continue to execute this risk assessment process as we expand Fabman.

Breach management

We’ll assist with notifying regulators of breaches and promptly communicating any breaches to customers and users as required by the GDPR.