Articles on: 🔒 Security

What's Drag's EU GDPR compliance status?

The European Union General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). This article describes Drag's GDPR compliance status.

If your company needs to be GDPR-compliant, it must also ensure that its providers (e.g. Drag) are GDPR-compliant. Drag is GDPR-ready, and strictly enforces the regulation so as to protect the user data we handle. The list of the user information we collect, as well as how we use, protect and share it, is disclosed in our privacy policy, which can be accessed here. The list of our providers is also available, and kept up to date, here.

We are committed to protecting our customers’ data and have developed processes, technologies and policies that enhance our data security.

Find below 10 key points and how Drag handles GDPR compliance for each of them.

1. Awareness of GDPR



All employees responsible for software development & infrastructure maintenance at Drag are fully aware of the GDPR requirements.

Also, code reviews are performed by the Data Protection Officers (as listed in this article) before any code is deployed to the platform. This ensures that security breaches and bad practices are not introduced by any employee, even one who is aware of GDPR requirements (it acts as a second human safety check).

2. Information we hold



We only collect data that users share with us and we do this to improve services we offer our users. This includes 3 kinds of data:

Personal Data.
We only collect Personal Data from two sources:
– Gmail’s API (via OAuth), only when authenticated by users or (e.g. first name, last name, email address).
– Information users submit when using our services (e.g. tasks, notes, tag names, etc.).

General Information.
We use third-party services such as Google Analytics that collect, monitor and analyze some types of information in order to increase our Service’s functionality, including your computer’s Internet Protocol (“IP”) address, browser type, browser version or specific pages accessed during your visits to our website.

Referrals information.
If you choose to tell a friend about Drag, we will ask you for your friend’s name and email address. We will automatically send your friend a one-time email inviting him/her to visit the Site or use the Services. Drag stores this information for the purpose of sending this one-time email and tracking the success of our referral program. Your friend may submit a request at access@dragapp.com to have this information removed from our database.


3. Communicating privacy information



Our Privacy Policy and terms are clearly communicated to users and customers on our website.

We also notify all of our users by email every time there are updates to our Privacy Policy, to meet GDPR requirements, and keep an up-to-date version of our Privacy Policy permanently on our website.

4. Individuals’ rights



Drag customers' rights under GDPR are considered and enforced, including:

Right to be informed: we clearly inform our users about the use that will be made of their data.
Right of access: our users can access all their data, without restriction, from our apps.
Right of rectification: it's as simple as contacting us, we'll process all your rectification queries.
Right of erasure: it's as simple as contacting us, we'll process all your erasure queries.
Right to data portability: our users may contact us anytime if they wish to get an export of their data.
Right not to be subject to automated decision-making including profiling: we don't do that, and never will.

5. Subject access requests



We reply to all access requests and offer this free of charge for our free and paid users.



6. Consent



Consent is provided by our users explicitly via OAuth authentication when setting up an account on Drag.

Drag also allows its customers to submit user data within our application, for example by creating a task or adding comments to emails. This data must have been provided by the user with their consent.

7. Children



Drag does not knowingly collect information from minors. To use our website or services, users must be the age of legal majority in their place of residence.

We do not use an application or other mechanism to determine the age of users of our website and services. All information provided to Drag will be treated as if it was provided by an adult.

If, however, we learn that a minor has submitted information about himself/herself to us, we delete the information as soon as possible.

8. Data breaches



Every version of our Chrome extension is manually reviewed by the Google internal audit team to verify that no security policies have been violated and, upon approval, maintained within the Chrome store.

We also use JSON Web Tokens (JWT), which define a compact and self-contained way of securely transmitting information between parties as a JSON object.

We also use the Express framework for Node.js, which has built-in security policies.

We also engage yearly with an independent security assessment company, appointed by Google itself, to ensure high standards of security practices are in place in our software.

The points listed above help reduce the probability of a major data breach occurring.

If we become aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to, the Personal Data that is processed by us in the course of providing our Services, we commit to, without undue delay: notify the concerned users and provide them as soon as possible with a description of the incident; investigate the incident to reasonably prevent or mitigate its effects; and provide periodic updates about the incident to concerned users.

9. Data protection by design



Whenever we develop a new system, security comes first when designing its architecture.

10. Data Protection Officers



Drag designated a Data Protection Officer, as required by GDPR:

Name: Breno Vieira
Role: CTO
Email: breno@dragapp.com
Location: São Paulo, Brazil


To learn more about our Security and Privacy practices, check out the following links:

Terms of Use
Privacy Policy

Still have questions? Our team would love to clarify them at support@dragapp.com.

Updated on: 07/09/2023
