I am from Austria, Europe. I am hosting my application on Heroku in Europe. Because of the new General Data Protection Regulation (GDPR) in Europe I am wondering if I need to take care of something new.
I am storing the following data of users:
Name, Surname, Roomnumber of a stay in a hotel, allergies and preferences.
I hope stackoverflow is the right place to ask also this type of questions.
Thanks a lot for the effort.
Yes, you need to take extra steps.
You must clearly explain several aspects of the compliance in your Privacy Policy, e.g.:
What personal information you collect
Why you collect that information and for what purpose
How users can update that information
How users can remove that information
If and how you transfer that information outside of the EU
and probably many more.
You can go through the Privacy Policy documents of companies that are GDPR compliant already to get the brief overview of what is required. Atlassian is a good example: https://www.atlassian.com/legal/privacy-policy-may-25th
There are also resources available that explain in more details the steps that you need to take, e.g., https://info.fastspring.com/gpdr_compliance
It is not an easy task to ensure GDPR compliance so my advice is to find an expert who can help you in that matter.
Cheers,
Jacek
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 2 years ago.
Improve this question
I am working on a small web-app as a hobby, and I would like to avoid any functionality that would trigger GDPR requirements. As such, the web-app neither collects nor processes personal data, does not set cookies (or otherwise track individual users), and also does not integrate any services that do these things.
My question is, if I deploy this app on Heroku, does Heroku do anything behind the scenes (e.g., collecting IP addresses) that would then impose GDPR requirements on my web-app?
Another way to put this would be, is it possible to use Heroku and have GDPR not apply to your website? (without preventing traffic from EU countries)
The first thing to check is hosting location. When you create an app, Heroku allows you to select whether it's hosted in the US or Europe (though no more specifically than that – you just have to hope it doesn't include the UK!).
Next, because Heroku is a managed app service, it means that they get more access than a typical VM would have. You then need to read their privacy policy, which presents a problem: Heroku is owned by Salesforce.com, who have taken a belligerent Facebook-style head-in-sand denial approach to recent court verdicts in this doc. They say in there that the ECJ did not invalidate standards contractual clauses (SCCs), which is true, but not the end of the story. The ECJ said that while SCCs are valid as legal instruments, they can only be used to manage transfer between jurisdictions that uphold EU data protection and privacy standards (which, as far as the US is concerned, has been shot down with the collapse of Privacy Shield), and this is deemed to be the responsibility of the service in question to substantiate. So, what you then want to know is where is the detailed analysis of the US legal position and the audit of the US security services that Salesforce is required to conduct if the SCCs they are using are to be considered valid?
This is of course a rhetorical question: Salesforce has conducted no such audit, nor could they do so in sufficient detail, which then means of course that SCCs are not a valid mechanism for transfers between the EU and US for any service that Salesforce runs.
That said, their privacy policy is pretty large, and I recommend you read it, though they still make reference to the now-defunct Privacy Shield, and make some assertions that would concern me. I'd suggest finding out exactly what they do with data held in EU data centres, what they do with logging, and look harder at their third-party sharing, as that's often the biggest problem area.
This isn't really the place to go further into this, so I'd recommend you read their policies, and also read the GDPR (that's not the official source, but I find it's much more usable), or find a lawyer if you want a more precise analysis. The primary focus of GDPR is on the broad principles, not implementation details, so if something seems dodgy, creepy, or overreaching, it probably is.
I apologise if this has raised more questions than it's answered!
I'm having a problem with payment procedure in heroku account(billing section).
I got verified first time successfully and in one month all charges of my card are giving an error: "Unable to verify your card. Please try later or contact your financial institution for help'".
I tried with 10 credit cards, all of which are from Mexico (and I triple checked all the info and I’m sure it’s correct). I also talked to my bank and there is no attempt of charging cards.
Heroku support can't help me out. This is their answer to my ticket "I truly wish I could be of more assistance, but unfortunately I do not have access to anything that would be able to make a difference here. I apologize for the poor experience."
Maybe someone had the same problem?
Thank you.
The answer is ... that noone can help me in Heroku.
Support of Heroku answered: "Unfortunately, the many layers of security make it impossible for us to further investigate. I find it frustrating myself, since my job is to try and help customers and in cases like this I'm told there's nothing I can do. I'm truly sorry for the poor experience here. The only choices are pretty much to use only Free Dynos and no add-ons except the free version of Heroku Postgres (and no custom domains), or to move to a different platform. I apologize that these are really the only choices".
So I'm moving to other platform. Lol
If that many cards are not working, one of the possibilities is that your user footprint (things that can compare your online activity to the other user profiles, like location, e-mail, credit card) could be triggering fraud prevention tools, which can happen if patterns are identified that are similar to ones used by spam or fraudulent accounts. It doesn't necessarily mean that your account is identified as fraudulent or spam, but it does mean that the virtual footprint is considered too risky to approve.
My company (which does Tutoring services) recently transitioned to Square for their Appointments and POS and I am trying to automate certain tasks. I wanted to know if there was a way to create "Open Tickets" for transactions through the Connect API.
I went through the documentation and couldn't find anything that refers to "tickets". I checked the seller community but wasn't satisfied with the answer from Square since they seemed to not understand what "Tickets" meant. I have provided more details at the end of this post in case someone wasn't sure about "Tickets" here as well.
I believe currently Tickets are only available through the Square POS app (Android/iOS) and not on the Web Dashboard. I would like to be pointed in the right direction in terms of what I might need to look at in order to get access to automatic ticket creation.
For more details, please read on.
In order to clarify what I mean by "tickets", here is Square's page regarding "Open Tickets". They are basically a way to create and save transaction info ahead of time so customers can be charged quicker. The way we use "Open Tickets" is we create tickets for Tutoring sessions every day in the morning and when a customer shows up, all they have to do is look up their ticket and pay. We do this since we expect a lot of traffic every day and we want to streamline the process as much as possible.
Therefore, our admin staff ends up creating 80-100 tickets manually every day! I wanted to know if there was a way to automate this. I already have a running Google Sheets with all appointments data that would be needed in order to create a ticket. I just need to find a way to communicate with ticket creation.
I apologize if this is a long post. I tried to be concise but thorough. Please let me know if there is any detail that I missed. I appreciate any help!
Unfortunately, Open Tickets isn’t currently available for Square’s API. Square's API is only able to track completed transactions at this time.
We are constantly improving the product based on feedback like this, so I’ll be sure to share your thoughts with the API team.
I have installed and configured a Magento Community edition v1.8 according to a few requirements. Part of the requirements is the setup of a few stores.
For completion though, it is necessary to configure "administrators" per se for each of these stores. This administrator, when (s)he logs in to the admin portal, would be viewing data, configuration and settings only for their respective store, and the rest(of the stores) is not shown (As is the case when one configures an admin role via System -> Permissions -> Roles).
When the main administrator logs in to the back-end portal, they should view options for assigning these smaller (so to speak) administrators to their respective admin website sites. This list should be updated when stores are added/deleted (and hence the excellent Alan Storm's blog is not of much help)
I have been looking at various tutorials that enable and manipulate ACL, although none of them specifically tackle allowing such specific administrator access.
Can someone kindly point the right resources for achieving such a functionality? Any help is very much appreciated and will be rewarded with karma points :)
(I forgot to mention that I am not looking for a turnkey solution, but rather a direction to proceed, so that I may configure it myself. Any resource in this regard will be very helpful!)
Magento just doesn't work this way - it sounds like you are trying to create a kind of multi-vendor setup with each vendor having access just to their store/products. To achieve a robust, complete solution like this would require such widespread changes to standard functionality you would probably end up making it extremely difficult to upgrade the store, it would also take many, many hours of development time. Essentially, I wouldn't recommend going down this route.
Aitoc has made an extension for admin restrictions per strore. But Aitoc is not my favorite :). And than I'm kind in my words :) honestly we set them to our extension Blacklist
But if you want it : http://www.aitoc.com/en/magentomods_advanced_permissions.html
Note: on own risk ;)
The company where I work for (1800+ Employees) is looking to enhance the personal relationships between its employees, allow a better collaboration and communication between departments and make it easier for the HR department to identify skills, experience and interests among the personnel (ex: we have some colleagues with deep knowledge of SAP modules and products, but during concrete projects it results very difficult to identify them and integrate them). Therefore, they want to implement a social network for our intranet.
We are just looking for the basic features such as profiles, discussion boards and so on, so nothing fancy. I proposed Community Server but my boss said .Net and java are no-gos. He wants LAMP and is not interested in a web solution like Ning, because of privacy and security concerns. It does not matter if it is Open-Source or commercial software. But it should allow a complete layout customization and must also have access from the outside world.
So my question would be, is there something like Community Server running on a LAMP stack?
Thank you very much!
UPDATE: We already have a Facebook page and a group. But my boss wants some features not included in Facebook such as a tag cloud in each profile page displaying skills and relevant proyects; and a feature like the "neighborhoods" from Last.FM, where you can group people with similar skills and interests and there is also the confidentialy issue (discussions about projects, clients, etc). So, any ideas?
You should check out StatusNet. http://status.net/
It doesn't directly answer your question, but aren't you rather trying to reinvent the wheel?
Facebook has got Social Networking down and the likely hood is 95% of your 1800 employees already use it.
Why would you go to the effort of writing and supporting a product as well as asking your employees to update information about themselves in multiple places when you could just set up a Facebook Network.
The other point I would make is, why are you limiting yourself to one way of doing things right from the off. Perhaps a detailed analysis of which technologies best serve your purpose would be more appropriate.
I appreciate this doesn't answer you question, I just feel this is a good example of Corporations unwilling to embrace tools already out there, I suspect because they are scared of them.
I'm probably right in guess that you're company heavily monitors Facebook usage, which is why this also might be hard.
Try Open Atrium, a Drupal-based team server.
Some sort of facebook application would allow you to keep the data on a server that you manage, but still use facebook's existing features. Pretty certain that facebook uses PHP for its application framework.
I agree with MrEdmundo and would upvote him if I were registered. Dont fall victim to "It wasnt invented here" syndrome. I bet your boss is like "we need something like facebook".
If it makes you feel better... here is a little story:
I was trying to implement some sort of group chat so fellow employees could ask quick questions to eachother online without having to get up or if someone was on the phone, etc. However, the service I installed (some sort of jabber daemon, i forget which one) never really got used. The solution? Just install the facebook chat client because all the co-workers are already on facebook most the day anyways!
plus, the "screen name" is appropriate because it is our real names, not stuff like "Out Into Space", "theman", or "fly-mystikal-dj-69"
You might want to consider something like Drupal. It's technically a CMS, but it's extremely customizable, and there are a lot of modules available that provide social-networking-style features.
Use Office Messenger for communication. It's basically like MSN Messenger but run on the company's servers so they can monitor all traffic. To know who has expertise in what area, it can't be too hard to build your own simple CRUD application to record profiles of employees and have each profile tagged with key skills, that the employee has and build a search function to find the people with the skills you need at any given time.
You can create an application using the Facebook SDK (PHP, java or any other language) and moderate it so that only employees can use it. That way you can use the existing Facebook features and add the tag clouds and other stuff your boss wants.
I've not used it, but Dolphin might be worth downloading to try out.
elgg.org
LAMP easy to install and setup, looks like your requirements would all be easily satisfied by the official plugins that are available.
Another option: http://buddypress.org/