GDPR

Blue Ridge Certifications

SOC II Type I for all of our products. This is an internationally recognized standard that covers the protection and management of sensitive information and all the various components.

Topic: Request from individual to remove their data from Blue Ridge products
Blue Ridge’s Response: Please reach out to our information security team using the contact information provided on this page. Describe your request (for example, you want PII data removed from an application) and provide your contact information so we can confirm receiving request within 48 hours. Depending on the scope of the request, we may need to contact other resources to complete the process. Once completed, you will be notified that your request is resolved.

Topic: Consent Management: GDPR has requirements for explicit consent to be given for controllers.
Blue Ridge’s Response: The PII required by Blue Ridge products must be entered by the Administrator before processing can begin. It is not possible for the product to track when consent was obtained. This information can be managed as a date field in the product but the product cannot be set up as a requestor of consent.

Topic: Right of Erasure / Right to be Forgotten: GDPR has extended rights to have PII removed from online storage, with exceptions noted in Article 17.

Blue Ridge’s Response: Blue Ridge has systems in place for Controllers to request PII to be removed. Due to the exceptions in GDPR for the deletion of such data, Blue Ridge is handling any removal request and responding without undue delay. For any removal request, part of our process is to confirm with the Controller that there are no exceptions for the request, including medical data or other legal requirements for data retention.

Topic: Right of Rectification: GDPR has extended rights to have PII be corrected by the person.
Blue Ridge’s Response: PII can be updated in all Blue Ridge products.

Topic: Data Portability / Right to access data.

Blue Ridge’s Response: Blue Ridge can provide the data upon Controller request.

Topic: Breach Notification

Blue Ridge’s Response: Blue Ridge follows breach guidelines outlined in GDPR

Topic: Security
Blue Ridge’s Response: Access control is available from the assignment of roles for the customer interface. For the Blue Ridge side, we have policies in place for control

Updates
Please let us know if you have any questions by emailing our team at info@blueridgeglobal.com.

Frequently Asked Questions

Q: What is a DPO?

A: DPO stands for Data Protection Officer and is a requirement for some organizations.

Q: How do I contact Blue Ridge’s DPO?

A: Blue Ridge does not meet the requirements for a DPO. All related responsibilities are being carried out by Blue Ridge’s information security team.

You can contact our information security team at:

Q: Where is Personally Identifiable Information (PII) currently stored?
A: To the extent that our customers input PII into the products, such data is stored within the applications, which are housed within Amazon Web Services (AWS) (Frankfurt, Germany; N. Virginia, USA).

Q: What about deleting a person’s PII in your applications?
A: We have privacy processes in place as part of our privacy policy, so we have the framework already in place to allow someone to opt out.

Q: Can I remove my PII from your products?

A: Yes, unless there is an overriding exception as outlined in the GDPR, such as medical record requirements and other legal data record requirements. We have policies in place to verify the storage requirements with the Controller of the data and will work with them to anonymize or delete the data without undue delay.

Q: Are Blue Ridge vendors and sub vendors required to be compliant? 
A: Yes.  We also use some data, such as email, for marketing purposes but we have a well-established process for users and customers to opt out of that process from the start.  To be extra cautious, we are working with our vendors to add addendums to our contracts that requires them to be GDPR complaint in addition to the confidentially agreements that are already in place.

Q: We as a company store PII in one or more of your products, how can we comply?
A: If you have data that qualifies as being regulated by GDPR (for example, you uploaded a document with PII for a GDPR-covered person or persons) it is up to the customer to remove that data.  Since we do not actively access customer data, we do not inherently know if your data is GDPR regulated.  Our most significant undertaking to be GDPR compliant concerns data that is uploaded or input by customers. We are working on solutions that will allow customers to anonymize or remove GDPR regulated data using automated solutions but as of today the process would be manual.