As you might know the General Data Protection Regulation (GDPR) goes into effect on the 25th of May.

Essentially, GDPR will place high demands on those who collect personal data, those who manage personal data and those who use personal data. EU citizens can also get full disclosure on the information that is collected on them and demand that the information is deleted or modified. By default, personal data must be kept within countries with adequate levels of data protection such as EEA countries (EU + Norway, Liechtenstein and Iceland) or other countries that live up to the data protection standards.

Penalties for non-compliance with GDPR can run up to € 20 million or 4% of global revenue, whichever is the highest.

If you want to read our standard data processing agreement, you can find it here, and our standard subprocessor agreement can be found here.

Defining personal data

The GDPR definition of personal data is:

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

It is a broad definition that covers all sorts of data. In the case of GatewayAPI the sensitive information that is handled mainly covers phone numbers, names and email addresses which are all personal information that can be used to identify individuals and link additional information to them.

GatewayAPI has handled personal data on the behalf of several major companies since 2013 and in many ways we already complied with GDPR before the regulations were announced back in 2016. Additional measures such as processor and subprocessor agreements were implemented later on though.

How we ensure compliance with GDPR

mtmo anonymized

Screenshot of how we pseudonymize MT and MO traffic on the dashboard.

  • We only use Tier 4 data centers that are located in the EU where security measures are very high - also the physical security at the data centers.
  • We have thorough login and passwords procedures, state-of-the-art firewalls and antivirus software and strong encryption on all transmissions of personal data.
  • We have ensured that employees who are authorized to process personal data have signed confidentiality agreements. Additionally, we have ensured that only employees with a specific work-related purpose have access to personal data.
  • We have signed processor and sub-processor agreements with all relevant parties which obligates all parties to treat personal data according to GDPR.
  • Personal data is automatically pseudonymized after 30 days by hashing all fields that have the potential to contain sensitive data.
    • Customers on can buy an add on service for instantly pseudonymizing the content of a message, when using this extra service the message content and sender id will be hashed at the time we store the sms in our database, and the phonenumber shown through our UI will be obfuscated as well. The recipient number will be stored for 30 days, as we need it to update the delivery status.
  • We only use data on the behalf of our customers. Data is not used for our own purposes such as commercial use.
  • It is possible for data subjects to contact us, to see the personal data that is collected on them and request that they are deleted or modified.

What this means for you.

The next time you log into your GatewayAPI dashboard, you will see a pop-up where you will be able to review our new Data Policy and accept or decline our updated terms.

sign modal

Screenshot of the pop-up with our new Data Policy.