GDPR

Last Updated: Jan 20, 2025

At Padlet, we value your privacy as much as you do. That’s why we’ve made compliance with the General Data Protection Regulation (GDPR) a core part of how we operate. Here’s how we ensure your data is handled securely, with care and transparency.

International Data Transfers

Padlet is certified under the EU-U.S. Data Privacy Framework

On July 10, 2023, the European Commission adopted a new adequacy decision for participants in the EU-U.S. Data Privacy Framework (DPF). This adequacy decision confirms that the United States provides a level of data protection equivalent to that of the European Union, ensuring seamless and secure data transfers without the need for additional safeguards. As an active participant, Padlet guarantees compliance with this framework.

GDPR Compliant Processing

We ensure that all data processing activities adhere to GDPR standards, prioritizing security, transparency, and accountability at every stage.

  • Data Processing Agreements: All our vendors handling user data sign legally binding agreements requiring them to adhere to GDPR standards, including security, data access, and confidentiality measures.
  • Clear Data Retention Policies: We maintain a strict policy on data retention, specifying clear timelines for storage and secure deletion protocols to minimize unnecessary data retention.
  • Documented Data Processing Records: Our internal documentation meticulously records data processing activities, including purposes, data flows, and security measures, as required under GDPR Article 30.
  • Regular Compliance Audits: We conduct regular audits at least annually to ensure all data processing activities comply with GDPR.

GDPR Rights Guaranteed

We are committed to protecting your rights under the GDPR.

  • Data Access and Portability: Users can request detailed information about the data we hold on them, and we provide it in a structured, commonly used, and machine-readable format.
  • Right to Erasure: If you request data deletion, we ensure all relevant information, including backups, is permanently removed within 30 days, subject to legal retention requirements.
  • Data Modification Rights: You can update or correct inaccuracies in your personal data through our intuitive user interface or by contacting us directly.

Data Protection by Design

Privacy is embedded into every decision we make at Padlet.

  • Encryption at Rest and in Transit: All stored data is encrypted with AES-256, and data in transit is secured with TLS 1.2 or later to protect it from unauthorized access.
  • Secure Password Management: Passwords are hashed and salted using industry-standard algorithms like bcrypt, ensuring they remain secure even in the unlikely event of a breach.
  • Robust Hosting Infrastructure: Padlet is hosted on Google Cloud in the United States. Google Cloud’s certifications, including ISO/IEC 27001 and SOC 2, ensure state-of-the-art data center security, including biometric authentication, 24/7 surveillance, and advanced intrusion detection systems.
  • Granular User Privacy Controls: Users can control access to their content through customizable privacy settings, such as limiting access to invited participants, setting passwords for Padlets, or restricting access to specific organizations.
  • Data Minimization Principle: We collect only the data needed to deliver the service, such as an email address, and avoid excessive or irrelevant data collection. Other data items are optional, and users may provide pseudonymised data.
  • Regular Security Assessments: Our dedicated security team performs regular vulnerability scans, penetration tests, and reviews to proactively identify and address risks.

Transparent Data Practices

Our business model is not based on ads, so we can focus on providing a secure and private platform for our users.

  • No Selling of Personal Data: Padlet has a strict policy against selling user data to any third party, ensuring your data remains confidential.
  • No Advertising: Our platform is ad-free, and we do not use your data to serve targeted advertisements.
  • No Profiling: We do not analyze or combine data to create behavioral profiles of users.
  • Clear Data Collection Policies: We transparently disclose the types of data collected and the specific purposes for which it is used.
  • Documented Sub-Processors: All third-party service providers are listed on our website, along with their purpose and country of processing.

FAQs

Does the GDPR require storage of personal data in the EU?

No, the GDPR does not mandate that personal data must be stored within the EU. However, transfers of personal data outside the EU are only permitted if the recipient country ensures an adequate level of data protection, as determined by the European Commission. Padlet complies with this requirement by participating in the EU-U.S. Data Privacy Framework, ensuring secure and compliant data transfers.

Does Padlet sell personal data?

No, Padlet has a strict policy against selling personal data to any third party. Your data is never monetized or shared for advertising purposes.

What subprocessors does Padlet use and for what purpose?

Padlet uses trusted third-party subprocessors for specific services such as cloud hosting, content moderation, and AI. For example, we use Google Cloud for secure data hosting. A full, up-to-date list of subprocessors, along with their purposes and locations, is available on our website. Padlet’s subprocessors cannot use our users’ data for their own purposes.

Who can I contact for privacy concerns?

You can reach out to our Data Privacy team at privacy@padlet.com or contact our EU or UK representatives for region-specific concerns.