Privacy Policy

Are we GDPR compliant?

Under the General Data Protection Regulation (GDPR), we take on the role of "data processor" and follow the rules that come with it. Because messages can contain personal information, we treat all message data as potentially "Personally Identifiable Information".

Note that because we're a "data processor", our customers (that is, you) are still responsible for getting your users' permission to collect that data (depending on your reading of the law, this is implicitly given by their choice to use your messaging feature, or you'll have to ask for explicit consent).

We recommend that you send us as little user data as possible. For example, do not send us a user's email address if you don't intend to use our email notification feature, do not send a phone number unless you want SMS notifications, and so on.

In line with GDPR principles, we only collect and store data needed to provide cross-device messaging. We don't "track" your users for marketing purposes. If a user files a "right to be forgotten" request, you can use our REST API to irrevocably remove their data, or ask us to do it.

Do we have a Data Processing Addendum (DPA)?

Chapter 9 of our Terms of Service addresses all required aspects of data processing and protection, so much so that an additional DPA should be deemed unnecessary.

That said, if your internal procedures and processes still require a signed DPA from us to be GDPR compliant (its contents are identical to chapter 9 of our Terms of Service), then please download the full DPA document.

Who are our data processors?

By default, we store all your data in the EU. See our data processors for an up-to-date list.

Are we ISO 27001 certified?

TalkJS is ISO 27001 certified, giving customers audited assurance around our information security controls.

You can access the certificate from our auditor.