GDPR Compliance for Frappe Cloud and Frappe School

The blog gives a compact account of the measures taken to accomplish GDPR compliance for the two celebrated verticals of Frappe Technologies, Frappe Cloud and Frappe School.

 · 5 min read

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation is the strictest data privacy and security law introduced and passed by the European Union. GDPR came into effect on the 25th of May, 2018 and it has, ever since, been the talking point for the open-source community. Be it lawyers, data privacy professionals, or developers, everyone is trying to get an understanding of the wide-reaching implications of this ace privacy legislation. One of the reasons why GDPR is so talked about is because of its wide applicability which surpasses the geographical boundaries. The GDPR applies to the scope of the business activity and the location it is performed at, as opposed to the location of the business’ headquarters. As a result, it becomes conformable to businesses outside of the European Economic Area (EEA) if the data processing activities are such that they facilitate the provision of goods and services to EU citizens or keeping a track of their behavior and choices. This is what makes it a global law in its application. In addition to this, the GDPR also has a reputation of imposing harsh fines to the tune of 20 million euros or 4 percent of the annual global turnover of a company for serious violations and 10 million euros and 2 percent of the annual global turnover of the company, whichever is higher, for less serious violations making it a costly mistake. The financial consequences can amount to hundreds and millions of euros depending on the breach committed. Thus, it becomes clear that the compliance to this law is non-negotiable despite it being a tedious affair considering the law’s scale and complexity.

Frappe Cloud

At Frappe, we believe in building a robust, resilient and top-notch ERP product. As one of the means to that end, we have built our own cloud hosting and deployment platform - Frappe Cloud. Frappe Cloud helps in the execution of scores of ERPNext instances with numerous custom extensions and apps. As of 07th December 2021, Frappe Cloud is GDPR Compliant. To satisfy the compliance requirements of GDPR, we first worked out a list of compliances that were set out by the EU legislation, and prepared a checklist that would help us gauge the level of compliance displayed by Frappe Cloud. The checklist enumerates the requirements, its contents, how to accomplish them, and whether it has been complied with or not as separate columns. This helped us identify our pain points and strategise a course of action to establish conformity with the GDPR essentials relevant to Frappe Cloud.

Frappe School

In addition to Frappe Cloud, Frappe Technologies’ other celebrated vertical, Frappe School is also GDPR compliant. The compliance is effective from the 11th of March, 2022. Just as Frappe Cloud, Frappe School also has the below-mentioned policies and procedures established for ensuring complete congruence with the legislation.

The Privacy Policy

Two most important policies quintessential to GDPR Compliance include the Privacy Policy and the Cookie Policy. The Privacy Policy provides an insight to the users regarding the information collected, the purpose of such collection and how we process and store such information. The Privacy policy must define :

Rights of the User

GDPR compliance requires the display and execution of the data privacy principles, rules and regulations enshrined in it. Thus, keeping a record of processing activities carried out,providing for convenient methods to request access to one’s personally identifiable information, its correction and deletion, having a data request management mechanism and personnels dedicated to carrying out the above activities prescribed by the EU Data Privacy Law becomes relevant.

For the execution of the user rights to erasure, to access and rectify information we have a dedicated email account called support@frappe.io which provides the User with the requested information on receiving an email to that effect. For our customers in the EU and UK region we have Prighter, our privacy representative and point of contact for such customers.
For exercising User rights, Frappe School Users are provided with the following email address school@frappe.io where they can mail their requests with the subject line, “ Data Subject Request”.

Our Cookie policy is simply drafted as we have limited the utilization of cookies to those that are strictly necessary for the functioning of the website, and enlists the 8 cookies specifying their domains, session durations and their type. Additionally, a detailed account of how to carry out modifications to the existing cookie settings according to the user's browser is provided. It also educates users as to the repercussions of disabling the cookies for them to make an informed decision regarding the same. The cookie policy of Frappe School is extremely concise and lucid as the number of cookies employed are limited and so are the types. Since no cookies apart from the ones which are absolutely necessary are placed on the website the requirement of putting up a banner for permission stands inessential. You can access the Cookie Policy here.

Most importantly, the policies require to be updated from time to time to ensure that the technical developments are in line and are compliant with the legislation.

ISO 27001-9001

As a company that provides cloud storage services, we host data on our servers which makes us Data Controllers. As Data Controllers, we are duty bound to protect the information that is entrusted with us and in order to meet that end, we are now an ISO 27001 and ISO 9001 certified company. The former primarily lays down an Information Security Management System to manage the security of its assets whereas the latter takes quality of product and user satisfaction as its primary area of concern. At Frappe, we have ISO 27001 compliant internal policy documents such as the Data Access Control Policy, Data Backup Policy, Incident Management, Patch Management, Log Management, and Password Management Policies amongst others that contribute to our information security architecture, making it more effective, resilient and sustainable. We also have a Security Vulnerability Reporting Mechanism in place in order to overcome the risks and vulnerabilities faced by Frappe.

Just as important as laying down privacy by design infrastructure, the technical landscape must include a robust and resilient data backup, authentication, and protection mechanism. Protection of internal drives or hard drives and putting checks on their accessibility are essential in the interests of integrity, confidentiality, purpose limitation, data minimisation, and accuracy.


No comments yet.

Add a comment
Ctrl+Enter to add comment