GDPR

How the GDPR Affects Organizations Using Submittable

The General Data Protection Regulation (GDPR) is the European Union's law governing the privacy of individuals' personal data. It applies to any organization that processes the personal data of people in the EU, whether or not that organization is based in the EU. This document is not legal advice, but it can help you understand the GDPR provisions built into Submittable. In GDPR terms, you are the "controller" and Submittable is the "processor": Submittable processes data on your behalf and under your instructions.

Your Users' Rights

Submittable helps your organization meet its GDPR obligations by supporting the rights and duties the regulation defines. These include:

Breach Notification

Submittable is committed to notifying affected customers within 72 hours of discovering a data breach. Note that under the GDPR the 72-hour deadline for notifying the supervisory authority falls on you as the controller, so Submittable's notification is the starting point for your own breach-response process, not the end of it.

Right to Access

Your users have the right to ask you whether you are processing their personal data and how it is being used. Submittable has always allowed you to search for users by name to locate their data. We also provide self-service features that let your users monitor the status of their submissions or applications and review the data they previously submitted.

Right to be Forgotten

Your users have the right to ask you to delete all of the personal data about them that you process. This right is not absolute: it excludes information you are legally required to retain, such as tax records. The data covered is not limited to personally identifiable information such as names and addresses; it includes any data directly linked to that person.

Data Portability

Your users have the right to receive their data in a "commonly used and machine-readable" format. Submittable provides tools that allow your users to export their data as a CSV file.

Security and Privacy by Design

Submittable has always held user data securely and privately. We do not share this data with third parties beyond the subprocessors needed to deliver the service (see Third-Party Processors below). We are transparent about how the data is used, and we process only what is necessary. Submittable's security and privacy controls are independently verified through annual SOC 2 Type 2 audits and HIPAA compliance assessments.

Consent

Submittable allows your organization to display your own custom terms and conditions, along with a checkbox that records your users' consent to processing. We are strengthening these consent measures to address the GDPR's requirements directly. We have also made changes to the application so that your users can withdraw consent as easily as they gave it.

Data Residency

All organizational data is stored in Submittable's US-based facilities. For customers with users in the EU, this means personal data is transferred to the United States, which the GDPR treats as an international transfer; the transfer mechanisms Submittable relies on are set out in the Submittable Customer Terms of Service.

Data Protection Officer (DPO)

Submittable has appointed a DPO to oversee its data protection strategy and ensure compliance with GDPR. For more information, please refer to Submittable’s Privacy Policy.

Third-Party Processors

Submittable vets each of its data subprocessors to confirm they meet the GDPR's requirements for data privacy and security. An up-to-date list of our subprocessors, including each one's processing purpose and location, is available on Submittable's Subprocessors Page.

Terms and Conditions

Submittable monitors changes to data privacy laws to ensure we remain compliant. We regularly update our Customer Terms of Service and Data Processing Agreement to reflect these changes, including clear guidance on how the GDPR applies. The latest versions of these legal documents are always available on our website, along with details of updates related to user consent and data erasure.