🇪🇺GDPR (EEA/EU)
For a digital insurance platform, compliance with the General Data Protection Regulation (GDPR) is both a legal obligation and a basis for customer trust, since insurance records routinely contain sensitive personal data.
InsurFront's approach to GDPR compliance covers several areas of data protection, with particular attention to data sovereignty, which differs between its service setups. This page describes how InsurFront aligns with GDPR in each operational scenario.
The GDPR sets a high standard for privacy and security and requires organizations to implement appropriate technical and organizational measures to protect personal data. InsurFront's compliance strategy addresses these requirements so that user data is handled with care and accountability.
Data Sovereignty
Data Sovereignty in Self-Service Setup
For insurance companies on InsurFront's Self-Service Setup, which uses a shared database cluster, data is stored in the United States. This decision was informed by the European Commission's adequacy decision for the EU-US Data Privacy Framework (DPF), adopted on July 10, 2023. Under that decision, personal data may be transferred from the EU to US organizations that are certified under the DPF without additional transfer safeguards. In practice this means that, for companies on non-enterprise subscriptions, storing data in the US is compatible with GDPR as long as the receiving organization holds a valid DPF certification; transfers that do not meet this condition would still require a separate Article 46 safeguard, such as Standard Contractual Clauses.
The shift in data storage policy after July 10, 2023 reflects InsurFront's commitment to keeping its data handling practices legally compliant as the regulatory landscape changes. Clients on the Self-Service Setup can therefore operate within the bounds of GDPR while using a shared database infrastructure.
Data Sovereignty in Enterprise Account Setup
InsurFront's Enterprise Account Setup takes a different approach to data sovereignty. Unlike the Self-Service Setup, companies on certain Enterprise Plans can select their preferred data storage location. This flexibility is particularly useful for companies operating within the European Economic Area (EEA).
For these companies, selecting an EU/EEA country for data storage is encouraged, because it keeps personal data within the jurisdiction where GDPR applies directly and removes the need for international transfer mechanisms. InsurFront also accommodates companies that choose to store their data in the US or in another country covered by a positive adequacy decision from the European Commission. In these cases, GDPR compliance is maintained provided the transfer satisfies the conditions attached to the relevant adequacy decision (for the US, DPF certification of the data importer).
If an enterprise instead opts to store data outside the EU/EEA in a country without an adequacy decision, and that data includes personal data of individuals in the EU/EEA (GDPR applies based on where the data subject is located, not on citizenship), the transfer is only lawful with additional safeguards under Article 46 GDPR, such as Standard Contractual Clauses, and the enterprise otherwise risks non-compliance. InsurFront provides guidance and support to these companies so that they understand the implications of their data storage choices and can keep their operations within the legal framework of GDPR.
Comprehensive Data Protection Measures
InsurFront’s approach to GDPR compliance extends into several critical areas:
Data Processing and Consent
One of the cornerstones of GDPR is the lawful processing of personal data. InsurFront ensures that every data processing activity rests on a legal basis under Article 6, whether that is the consent of the data subject, the necessity of processing for the performance of a contract, or compliance with a legal obligation; where special categories of data such as health information are processed, the stricter conditions of Article 9, including explicit consent where relied upon, apply. The platform streamlines the process of obtaining and documenting user consent, making sure it is freely given, specific, informed, and unambiguous. This includes clear communication about the purpose of data collection and the rights of users regarding their data.
User Rights and Data Access
In compliance with GDPR, InsurFront has established mechanisms for exercising data subject rights. These rights include access to personal data, rectification of inaccurate data, erasure of data under certain conditions (the right to be forgotten), and the right to restrict or object to certain types of processing. The platform allows users to submit requests regarding their data easily, and responses are provided within the one-month deadline set by Article 12(3) GDPR, which may be extended by a further two months for complex or numerous requests.
Data Portability
Another important aspect of GDPR compliance is data portability under Article 20: the right of individuals to receive the personal data they have provided in a structured, commonly used, and machine-readable format. InsurFront enables users to retrieve their data or have it transmitted to another service provider, strengthening user control over personal information.
Data Protection by Design and by Default
InsurFront adheres to the principles of data protection by design and by default. This means integrating data protection into new products, processes, and services from the outset and ensuring that only necessary data is processed by default. The platform continuously evaluates and updates its processes and systems to ensure they are aligned with the highest standards of data protection.
Data Breach Notification
In the event of a personal data breach, InsurFront has a protocol in place to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 GDPR, and to inform affected individuals where the breach is likely to result in a high risk to their rights and freedoms (Article 34). A fast, documented response is crucial for mitigating harm and is a core GDPR requirement.
Training and Awareness
To ensure ongoing GDPR compliance, InsurFront conducts regular training and awareness programs for its staff. This training is focused on educating employees about the importance of data protection, the provisions of GDPR, and their specific roles in maintaining compliance. This continuous education helps foster a culture of data protection within the organization.
Vendor and Third-Party Management
InsurFront carefully evaluates and manages relationships with vendors and third-party service providers to ensure that they also comply with GDPR. This includes due diligence checks before onboarding and data processing agreements meeting the requirements of Article 28 GDPR in contracts with third parties that process personal data on behalf of InsurFront.