Does InVision comply with the General Data Protection Regulation for EU customers?
  • 09 Feb 2023
  • 7 Minutes to read

InVision is committed to compliance with the General Data Protection Regulation (GDPR), the EU data privacy regulation that went into effect May 25, 2018. The regulation gives EU citizens more control over their data.

In our continued effort to help our customers with their GDPR compliance, we hope that this page will be useful for our customers to better understand InVision’s commitment to privacy.

Our legal and security experts have closely analyzed the requirements of the GDPR and continue to monitor new guidance on best practices for implementing the requirements of the GDPR.

What InVision is doing

InVision implemented its company-wide GDPR compliance strategy ahead of the May 2018 due date. Below are a few examples of initiatives InVision has committed to in order to satisfy GDPR requirements that apply to both InVision and our customers:

  • We are maintaining an information security policy comparable with the ISO 27000 series standards, and we are maintaining security in the delivery of our Services in accordance with SOC 2 standards (or any successor standards). These standards mirror many of the security and privacy requirements of GDPR and give our customers a transparent framework against which to measure our development and data management practices. Assurance that InVision maintains and follows these standards is affirmed through our annual SOC 2 Type 2 audit. For more detailed information, review our security practices.
  • When processing personal data regulated under GDPR, we commit to follow any additional security and privacy measures required under GDPR. For more detailed information, review our security practices.
  • Where we are transferring personal data outside of the EU, we are committing to implement appropriate data transfer mechanisms as required by GDPR.
  • We are committed to provide our authorised users with the ability to access, update, rectify, export and erase their personal information themselves (for any further details on how authorised users can manage their rights, please visit our rights management page).
  • We are holding vendors that handle personal data to required data management, security, and privacy practices and standards.
  • We are carrying out data impact assessments and consulting with EU regulators where appropriate.
  • We are ensuring that InVision staff that process InVision customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data.

Please review our Privacy Policy for a detailed description of InVision’s compliance steps with GDPR.

General Data Protection Regulation FAQs

Does InVision process the personal data of its customers?

Yes, InVision processes customer personal data to provide the products and services as set forth in our customer agreements and for other limited purposes enumerated in our Privacy Policy.

What personal data does InVision process when providing its Services?

For most users, this is limited to “business card” information of users that register for the service: their names, e-mail addresses, and an IP address. We may obtain your phone number if we need to reach out about a support issue, and you can add your picture or avatar to your account if you would like to personalize your interactions with other users.

Please bear in mind that InVision is a provider of design, collaboration, prototyping, and design management services. When you build designs, whiteboards and prototypes with InVision, InVision does not process your end-customer data and does not have access to your internal IT systems. It is an industry standard to use ‘dummy data’ when building designs and prototypes, and this is a firm requirement under our terms of service with our customers.

What is InVision’s role?

Where you are using our Services and making decisions about the personal data that is being processed in the Services (for example when uploading and using Customer Content, or selecting the Third Party Services you wish to connect to the Services), you are acting as a data controller and InVision is acting as a data processor.

Where does InVision store and process my data?

Our goal is to provide our customers with secure, fast, and reliable services. Today, InVision stores data in its AWS data center located in the U.S. In order to bring you world-class products, and to provide support and maintenance (e.g., 24x7 support coverage), InVision may also allow employees and contractors located outside the U.S. (e.g., in the EU, Argentina, Australia, Canada, Israel and the United Kingdom) to access certain data for product development, and customer and technical support purposes. We ensure that all such disclosures are compliant with the law and that all use is for the limited purposes described.

Is the hosting of my data in the European Economic Area (EEA) a requirement under GDPR?

For the purposes of using InVision and processing your personal data, the hosting of personal data in the EU is not legally required. The European Commission clearly states that, under the GDPR, EEA entities can safely and legally transfer personal data to third countries such as the United States via contractual clauses ensuring appropriate data protection safeguards. This includes model contract clauses – so-called standard contractual clauses (SCCs) – that have been “pre-approved” by the European Commission. This is the reason the SCCs exist.

For more information on this, please refer to the European Commission’s website, including an FAQ describing the validity of the SCCs for exporting personal data from the EEA to US. For example, this FAQ explains:

“SCCs as a tool for data transfers, i.e. to comply with the requirements of the GDPR for transferring personal data to countries outside of the EEA. They contain specific data protection safeguards to ensure that personal data continues to benefit from a high level of protection when transferred outside the EEA. They can be used by data exporters, without the need to obtain a prior authorisation (for the data transfer or the clauses used) from a data protection authority.”

How can I manage my personal data that is stored by InVision?

Please refer to our rights management page for information on how you can do things like access, rectify, export or erase your personal data. You can also contact us through this webform if you have any additional requests or questions.

What is InVision’s commitment to EU international data transfers following the Schrems II case?

The CJEU (in its judgment dated 16th July 2020) has upheld the SCCs as a valid mechanism to transfer personal data outside of the EEA. This means that InVision customers can continue to rely on the SCCs included in the InVision Data Processing Addendum (InVision DPA) as a valid transfer mechanism under GDPR.

InVision has updated its InVision DPA to incorporate the 2021 SCCs, as recently published by the European Commission.

The InVision DPA with the SCCs is available for all InVision customers transferring data outside of the EEA, including to the US. InVision customers can therefore continue to use InVision’s services in compliance with the GDPR.

For more detailed information on this ruling and on how to review and sign the InVision DPA, please visit our dedicated privacy policy.

Does InVision enter into GDPR-compliant Data Processing Agreements (DPA)?

InVision will enter into a DPA with our customers who are data controllers and have purchased a subscription to our design collaboration platform via a written agreement. We provide a GDPR-compliant DPA that is tuned to our service, and we invite such customers to complete and execute our GDPR-compliant DPA—InVision Customer Data Processing Addendum. For our customers with whom we have already executed a DPA, we invite such customers to complete and execute our GDPR-compliant DPA Amendment, which incorporates the minimum legally required updates and does not make other substantive changes to our agreement with you. Just follow the prompts through the form to complete your information.

How do InVision customers enter into the 2021 SCCs?

InVision has updated its DPA to incorporate the 2021 SCCs.

If you are a new customer signing up with InVision after September 27, 2021, our updated InVision DPA (including the 2021 SCCs) can be signed through this dedicated page. Just follow the prompts through the form to complete the signature process.

If you are an existing customer of InVision with an executed DPA before September 27, 2021, you can update your current DPA to implement the 2021 SCCs, by signing InVision’s updated DPA or by signing InVision’s DPA Amendment. Just follow the prompts through the form to complete the signature process.

Additional resources

For additional information, we recommend starting with the following resources:

  • Privacy: You own your data, and we’re committed to protecting your privacy.
  • Security: InVision maintains customer security as our highest priority.
  • Compliance: We maintain strict standards for achieving legal, regulatory and industry compliance frameworks such as SOC, PCI and CSA-STAR.
  • Policies and reports: We actively promote our information security policy library, allowing customers insight into our data handling requirements.
  • More information: You can find more detailed information about the GDPR from the European Commission website.