Frequently Asked Questions about
LabiOffice, Inc’s GDPR compliance
The General Data Protection Regulation (GDPR) is the result of many years of work by the European
Union to unify and strengthen data protection for all EU citizens. Taking care of your and your
customers’ privacy is our number one priority.
GDPR gives you more control over how your data is used, while to us, it will be a simple legal
environment where we can operate. That makes this change desirable for both parties!
The new regulation came into effect on the 25th May 2018 and we are glad to report that LabiOffice
has fulfilled all the required regulations to become fully GDPR compliant.
Below you will find a list of frequently asked questions regarding GDPR compliance. If you can’t find
an answer that relates to your question, please let us know by writing to
– we will reply as soon as possible and update this document.
01. What has LabiOffice done about the GDPR?
We take our responsibilities under the GDPR seriously. That’s why we have taken steps to identify
which measures we need to implement to be compliant with the GDPR.
02. What organization provides services and stores my data? Is LabiOffice a data controller or a
Services are provided and your personal data are stored by LabiOffice, Inc. (220 E 23rd street, #400,
New York, NY 10010, United States of America). You can contact us via chat or at
LabiOffice, Inc. is a data processor since we do not decide the purposes of processing your
(including your users/visitors) data. It is you who decide to use our software, thus, you decide to
supply us with the personal data to facilitate communication between you and your customers. We only
process the data in order to provide, maintain, and improve our services as well as to secure yours
and our potential claims. In some exceptional cases LabiOffice, Inc. may also act as a data
03. What data does the LabiOffice, Inc. process?
While registering for one of our product/services (
) we request you to provide us with such information like the first name, last name, company
business name, address, website address, email address, and credit/payment card information.
This is the basic data of yours that we process and store. We also store the data you insert
into the service (i.e. your chat content, your tickets contents, knowledge base articles, ChatBot
scenarios, website or landing pages content, CRM contacts, emails, task cards, files or any other
content inserted into the service). We also store your customers/visitors data such as email address
or other data you ask your clients for via the product/service you use. You can find a full
04. What is the basis for personal data processing? Is customers consent required?
The basis for your personal data processing by LabiOffice, Inc. is an Agreement between you and us
which is concluded when you sign up to the product/service (create an account). The Agreement is
This is why a separate consent for your data processing by LabiOffice, Inc. is not required.
However, you may need to gain consent for data processing and transferring from your
customers/users/visitors. It depends on whether you need to be a GDPR compliant or not if you
collect your customers/users/visitors data, and what are your data processing basis. You may need to
at least notify your customers about using LabiOffice, Inc.’s services.
05. Am I a data controller or a data processor?
Firstly, you need to figure out if you process or provide personal data of EU citizens. For instance,
if you are an Australian company and you only process Australian citizens data, GDPR does not apply
to you. However, if you process personal data of the European citizens, you need to comply with this
regulation. You or your company (organization) may then act as a data controller. It happens when
you are a natural or legal person, public authority, agency or other body, and you, alone or jointly
with others, determine the purposes and means of the processing of personal data. You may also act
as a data processor. It happens when – as a natural or legal person, public authority, agency or
other bodies – you process personal data on behalf of the controller. Simply, when you do not
determine the purposes of the processing but use data according to the controllers’ instructions.
06. Do I need to enter into a Data Processing Agreement/Addendum?
Regardless of being a data controller or a data processor, when you transfer the personal data to us
(and you do so using our services) you may need to enter into DPA with us if you transfer any EU
citizens personal data.
07. Do you have a GDPR compliant Data Processing Agreement/Addendum for us to sign?
Yes, we have prepared this document for our customers. You can review and sign a copy of
LabiOffices’s Data Processing Addendum here. Instructions for execution are set out in the Addendum.
If you have any questions about its contents you can email:
08. How my personal data are used/processed in LabiOffice? How can I execute my right to be
LabiOffice, Inc. stores and processes personal data of its customers and people employed while using
LabiOffice, Inc. services – agents. We store such data as a first name, last name, email address, IP
number, browser information, operating system, geolocation, payment/credit card details (and other
LabiOffice, Inc. also stores the data you inserted into the service via the system (i.e. your chat
content, your tickets contents, knowledge base articles, ChatBot scenarios, website or landing pages
content, CRM contacts, emails, task cards, files or any other content inserted into the service).
It allows you to have constant access to the history of your conversations and other content.
However, if you intend to delete any of your (your chat content, your tickets contents, knowledge
base articles, ChatBot scenarios, website or landing pages content, CRM contacts, emails, task
cards, files or any other content inserted into the service), or other content you can delete it in
your account directly. If you wish to delete the data permanently just send us a request at
[email protected] and we will delete your data within 30 days.
09. What can I do to become GDPR compliant using LabiOffice’s services? How to prepare my service
LabiOffice, Inc. also stores/process personal data of your customers, visitors (end users of the
service you use). Thus, if you collect your visitors/end-users/clients personal data and process
them to us, you may need to gain their consent and/or notify them you use LabiOffice’s services.
10. Where does LabiOffice, Inc. store personal data? Are personal data processed outside the
LabiOffice, Inc. stores its customers’ data mainly in a data center in the U.S. We also have a data
center in Europe. Your data storage location depends on which service you use. When you sign up and
create an account in LabiOffice, your data are automatically collected and stored in our U.S. data
center (regardless you are signing up from the EU, the US or other parts of the world).
Additionally, similarly to many SaaS providers, we use a top-tier, third-party data hosting
providers (Amazon S3, IBM Softlayer and Google) to host our online services.
11. Does LabiOffice share any personal data with any sub-processors (other entities)?
To make our services work properly we use other companies’ services (generally software). We do so
to maintain the services, improve our tools, enable, and simplify its usage. If there is a necessity
to give processors access to a part of your data, firstly, we make sure that this company will gain
only necessary data (i.e. only an email address for the email service provider). Secondly, we enter
into an agreement with such company to make sure they provide at least the same level of protection
as we do.
12. How does LabiOffice choose and verify sub-processors?
We are committed to comply with GDPR and accordingly to transfer personal data lawfully. This is why
we work only with third party service providers from Europe (EOG) or countries recognized by the
European Commission as providing an adequate level of protection of personal data (mostly the
United States). We have verified all the sub-processors we cooperate with currently. Besides the
above ‘location requirement’ we made sure they are GDPR compliant and – if based in the US – Privacy
Shield certified (or – if based in another country recognized as secured – are the subject of a
similar agreement and adequate obligations due to the data protection). Also, before appointing a
new sub-processor, we make sure the data will be securely and lawfully transferred. We choose
providers only based in EOG and the US (or another secure country such as Canada, Switzerland,
New Zealand). We verify if the provider is GDPR compliant and Privacy Shield certified. Only if we
are sure your data will be transferred and stored securely we will work with the provider. If the
data transfer was not secured by the mentioned measures we would apply additional measures (i.e.
Standard Contractual Clauses), to transfer data in line with the GDPR.
13. Has LabiOffice appointed a Data Protection Officer?
14. What security measures does LabiOffice, Inc. implement to protect the data? Are the data
encrypted and if so, to what standards?
As a company offering its services in SaaS model, we are aware that the security of our customers and
their data is crucial. We treat security as a basic aspect of our business. We know that it is a
matter of trust. This is why we have implemented a number of safeguards even before GDPR was
adopted. Currently, we made sure our safeguards comply with the Regulation and adjust some new if
15. Does LabiOffice, Inc. carry out external penetration tests on the application? If so, how
LabiOffice, Inc. uses external auditors to verify the adequacy of its security measures, including
the security of the physical data centers. This audits are performed at least annually and include
16. How does LabiOffice, Inc. comply with the EU export restrictions?
All of our “”LabiOffice” EU customers’ data is hosted strictly on European data centers. When we
“LabiOffice” processes EU customers data, we ensure appropriate safeguards are in place that is
prescribed by GDPR – i.e. by entering into the Data Processing Agreements with the entity the data
is transferred to, or by ensuring the entity is Privacy Shield certified
LabiOffice processes all customers personal data in accordance to a particular lawful basis for
processing provided under the GDPR. Thus, we rely on such basis for customers personal data
- consent of the data subject
- performance of a contract
- legal obligation
- legitimate interest
We also undertake appropriate organizational and technical measures to ensure effective protection
of personal data. For example, we limit access to the personal data for our employees and contractors
according to their competence level and conduct regular privacy training for our team members.
When it comes to technical measures, we encrypt the personal data we process, have firewalls,
anti-virus and anti-malware software, as well as fraud prevention algorithms put in place, and
conduct regular security checks.
In the event we process EU customers data in other territories, we ensure appropriate safeguards are
in place that is prescribed by GDPR – i.e. by entering into the Data Processing Agreements with the
entity the data is transferred to, or by ensuring the entity is Privacy Shield certified (for
transfers to US-based entities).
17. Is LabiOffice, Inc. Privacy Shield certified?
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of
Commerce, and the European Commission and Swiss Administration, respectively, to provide companies
on both sides of the Atlantic with a mechanism to comply with data protection requirements when
transferring personal data from the European Union and Switzerland to the United States in support
of transatlantic commerce.
18. How long do you hold the personal data for?
and us) and our DPA:
It’s possible to request periodic data purge; in order to do that, please write a request to
with information: which data should be deleted, how often do you want to delete them, what time
these chats and tickets should be deleted (hour + timezone). However, this feature may vary
depending on what service you use.
19. Does LabiOffice have an incident management process in place?
Yes, we have it in place. In case of any management incident, we are ready to take a reaction immediately to protect your data from unjustified disclosure or any other infringement.
20. What are your processes for identifying and remediating vulnerabilities in your application and the underlying software and infrastructure?
a) Running an external audit, fixing all found vulnerabilities, testing the implemented fix and iterating this procedure until the issue is fixed;
b) Periodic systems scanning with tools for automatic issue recognition.
21. What process should we follow if we suspect that a security breach has occurred?
Contact support via [email protected] or chat on our websites.
22. Have you had any information security breaches in the last 12 months?
No, we haven’t any. You can follow the website where we report about any security issues and incidents.
23. Who is responsible for Information Security?
24. Do you have a DR plan? How quickly could you restore from a data backup if you suffered a major loss and what is the maximum amount of data that might be lost?
We do have a DR plan, each part of the system can be restored from 24 to 48 hours (considering a complete disaster). Moreover, each instance of the whole infrastructure is multiplied, so losing a single instance will not cause service degrading. Provided time refers to a flood scale of the disaster.
25. Are we able to take a full copy of our data in a standard format (e.g. CSV)? Is it possible to export all content using your API in a JSON format, that can be easily converted to CSV?
Regardless of the service you use, you can ask us for a copy of your data. It is possible to download a copy of the data in JSON.
26. Do you have any DDoS protection in place?
Yes, we do have DDoS protection provided by CloudFlare.
27. Is the application a single tenant or multi-tenant? If multi-tenant, what steps have been taken to secure the data from being accessed by other tenants?
The application is multi-tenant, data for each license is accessible only to accounts assigned to the license, so the person that wants access to a license data, needs a corresponding login and password. This is the basic logic behind the whole application infrastructure, it’s not possible to access other users’ data, as the access request without needed credentials will be considered unauthorized call and denied. Also, one set of credentials (login + password) can be used for one license only.
28. Cookies at LabiOffice, Inc.
Inc. or browsing any of the websites where our services are installed. These are pieces of information sent by the server,
stored on a user’s computer for the purpose of automatic identification of a particular user when using our services or
browsing the website. We have decided to set different expiration date depending on the type of your activity on the
website but remember you can simply delete cookies from your browser anytime. You can read more about our cookie
Legal note: Please note that the materials available at this website are for informational purposes only and not for the purpose of providing legal advice.
You should contact your attorney to obtain advice with respect to any particular issue or problem.