Kahoot! GDPR Compliance Statement
What is the GDPR?
As of the 25th of May 2018, the EU General Data Protection Regulation (GDPR) strengthens the rights of individuals regarding their personal data and seeks to unify local data protection laws across Europe. The GDPR imposes new or additional obligations on organizations in the EU that process personal data, and on organizations outside the EU that process the personal data of EU residents.
GDPR in Kahoot!
Kahoot! complies with the GDPR and is committed to embracing and upholding the principles of the GDPR in the processing of the personal data of all our users. In particular, we aim to ensure:
- transparency with regard to the use of data
- that any processing is lawful, fair, transparent, and necessary for a specific purpose
- that data is accurate, kept up to date, and removed when no longer necessary
- that data is kept safely and securely
How does Kahoot! protect personal data?
Kahoot! takes the privacy and security of individuals and their personal data seriously. We take every reasonable measure and precaution to protect and secure the personal data that we process. We have dedicated information security policies and procedures in place to protect personal data from unauthorized access, alteration, disclosure, or destruction.
We are committed to regularly reviewing our policies for effectiveness, for changes in how data is handled, and for changes in the circumstances of the other countries to which your data flows.
What security measures are in place at Kahoot!?
Kahoot! has adopted several layers of security measures. For instance:
- Technical and organizational measures are in place to ensure an appropriate level of security and data integrity for the data we process (encryption, penetration testing, password protection, Secure Sockets Layer, and more).
- Measures are in place to ensure timely and effective notification in the case of a data breach.
- Kahoot! enters into written contracts with all our sub-processors imposing the same level of security and data protection obligations that are undertaken by Kahoot!.
- Access to personal data is provided on a need-to-know basis, and all employees are subject to a duty of confidentiality. Mandatory security, awareness, and privacy training is provided annually.
Does Kahoot! respect the fundamental principles of the GDPR?
Kahoot! ensures that personal data collected is kept to the minimum required for providing the service to the user.
Kahoot! has taken steps to ensure that the personal data processed is accurate, and procedures are in place to rectify and/or erase inaccurate information.
Kahoot! has procedures in place to ensure that personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Kahoot! has put in place extensive and appropriate technical and organizational measures to ensure the appropriate security of the personal data against unauthorized and unlawful processing and against accidental loss, destruction, and damage.
How does Kahoot! comply with the data subjects' rights?
Under the GDPR, data subjects have eight rights, and Kahoot! is committed to ensuring compliance with each of them:
Kahoot! ensures that the data subjects are presented with the opportunity to access, rectify, erase, and/or restrict personal data.
Kahoot! ensures that the data subject is presented with the opportunity to ask for any data they supplied directly to us to be provided in a structured, commonly used, and machine-readable format ('data portability').
Kahoot! gives data subjects the opportunity to object to further processing of their data for direct marketing purposes and otherwise as required by the GDPR.
Kahoot! emphasizes the right of data subjects not to be subject to a decision based solely on automated processing. In this regard, Kahoot! does not utilize automated processing, nor does it use profiling for its products or services.
You can exercise your rights by contacting us at firstname.lastname@example.org.
Does Kahoot! transfer data to countries outside the EU/EEA?
Customer and user data will be stored at Kahoot!’s sub-processors, located, as applicable, in Europe, Canada, and the USA. As such, we may transfer personal data we have collected from you to sub-processors located in countries outside of the European Economic Area (‘EEA’). For these transfers, Kahoot! has ensured adequate safety measures in accordance with the GDPR.
How does Kahoot! ensure that international transfers are compliant with the GDPR?
Countries outside of the EEA may not have the same level of data protection as offered in the EEA. Kahoot! has implemented measures to ensure that our international transfers are in compliance with the GDPR.
Where personal data is transferred to a country outside the EEA that is not subject to an adequacy decision, Kahoot! ensures that we have appropriate safeguards in place. Kahoot! will utilize Standard Contractual Clauses (‘SCCs’), as adopted by the European Commission, to protect personal data. Kahoot! enters into written contracts with all our sub-processors imposing the same level of security and data protection obligations that are undertaken by Kahoot!.
What additional safety measures does Kahoot! apply for international transfers?
The transfer of personal data to sub-processors located outside the EU/EEA is, as a main rule, done for hosting purposes only. Kahoot! has put in place technical and organizational measures to protect personal data that is transferred to our hosting providers. Data is encrypted, in motion and at rest, in accordance with industry best practice. For datastores, Kahoot! uses a combination of full-partition encryption based on LUKS and the supplied full-disk encryption (AES).
All of our sub-processors maintain the highest level of security and hold ISO/IEC 27001, SOC 2 Type 2, or similar certifications.