GDPR Policy
Is Upvio GDPR compliant?
Yes, Upvio is GDPR-compliant.
You can find more details below on how Upvio ensures GDPR compliance:
Upvio and GDPR
- Upvio has an in-house Data Protection Officer (DPO).
- Upvio has conducted the required system & business assessments to comply with GDPR.
- Our Privacy Policy and Terms & Conditions include GDPR where required.
- Data moves from your computer to our servers using 256-bit encryption, the same as your bank.
- Upvio stores your data on servers that GDPR considers appropriate for your location.
Where does Upvio store data?
GDPR- and privacy-conscious businesses always ask us: Where will Upvio store my data? Our DPO ensures that Upvio complies with privacy laws and frameworks around the world, not just GDPR or UK GDPR. You might not know that GDPR’s requirements are similar to those of other privacy laws that refer to the physical location where data is stored and accessed. We use servers in multiple countries, which enables us to comply with data protection and privacy laws the world over, including GDPR.
We only use servers in jurisdictions that the EU has recognised as adequate and that are fully GDPR compliant.
Does GDPR require that data be stored within the EU?
No, and this is a common misconception. Under GDPR, businesses are allowed to transfer personal data outside of the EU as long as they put in place a mechanism to ensure that personal data is adequately protected.
All data collected via Upvio is stored in the US on AWS servers and is governed by the EU-U.S. Data Privacy Framework.
Data can be transferred to non-EU countries where the European Commission has decided that the destination country ensures an adequate level of protection; the EU-U.S. Data Privacy Framework has been recognized as providing such an adequate level of protection.
Detailed information
EU GDPR
On 10th July 2023, the European Commission published its Commission Implementing Decision which provides that personal data transfers from the EU to the US are ‘adequate’. This adequacy decision deems the US as an adequate jurisdiction – a jurisdiction that adequately provides protection for people’s rights and freedoms in relation to their personal data due to the enactment of the Data Privacy Framework.
The Data Privacy Framework requires US organizations to self-certify and undertake that they comply with the seven principles set out within the Framework. These principles are very similar (albeit with some deviation in wording) to the EU GDPR principles.
AWS (and Amazon group companies) were certified under prior EU-US data transfer legislation (specifically, the US Safe Harbor Agreement, declared invalid in 2015, and the US Privacy Shield, declared invalid in 2020). AWS are certified under the new Data Privacy Framework; the certification notes the start date of prior certification under previous EU-US transfer legislation and expires on 01/10/2024. As AWS is a certified organization under the Framework, transfers of personal data from the EU (including personal data of EU individuals) to AWS are compliant with EU GDPR, as the personal data will be protected under the Data Privacy Framework regime. The EU GDPR requirement to implement additional ‘appropriate safeguards’, such as EU Standard Contractual Clauses (‘SCCs’), no longer applies, as adequacy negates this requirement (Art. 45, paragraph 1 GDPR: ‘A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection’).
UK GDPR
On 21st September 2023, the UK Government recognized the adequacy of the protection provided by the ‘UK Extension to the EU-U.S. Data Privacy Framework’, which arose following the UK granting a data bridge to the US and took effect from 12th October 2023. The certification rules for EU-US transfers also apply to UK-US transfers; however, the US organization must specifically be certified under the UK Extension, and this must be displayed on its certification, for a UK-US transfer to be compliant with UK GDPR. AWS are UK Extension certified; the certification was granted on 08/10/2023 and expires on 01/10/2024. Transfers of UK individuals’ personal data to AWS US data servers are therefore in accordance with UK GDPR due to adequacy, and there is no need to rely on additional safeguards, such as SCCs, for transfers to AWS for data storage.
Data Protection Built into Upvio
1 - Upvio requires that all users have a unique User ID and Password.
2 - Business owners can assign roles to users, limiting which data users can access.
3 - Upvio has built-in form templates to collect user consent, including
- Treatment
- Collecting PHI
4 - Upvio creates an activity log that tracks all user activity.
More Questions?
Our team are on hand to answer any further questions you might have; please use the contact-us page for the quickest response.
