InVision is committed to compliance with the General Data Protection Regulation (GDPR), a new EU data privacy regulation that went into effect May 25, 2018. The regulation gives EU citizens more control over their data and to unify a number of existing privacy and security laws under one comprehensive law.
We understand that compliance with a new set of privacy laws can be challenging, and we are here to help with your GDPR compliance initiative by providing you with state of the art GDPR compliant services.
Our legal and security experts have closely analyzed the requirements of the GDPR and continue to monitor new guidance on best practices for implementing the requirements of the GDPR. We are updating our products, contracts, and policies to ensure that we are in compliance with the GDPR. We are also dedicated to helping our customers succeed in complying with the GDPR.
What InVision is doing
InVision implemented its company-wide GDPR compliance strategy ahead of the May 2018 due date. Below are a few examples of initiatives InVision has committed to in order to satisfy GDPR requirements that apply to both InVision and our customers:
- We are ensuring our products and services are designed in accordance with ISO27001, ISO27002 and ISO27018 standards. These standards mirror many of the security and privacy requirements of GDPR and will help give our customers a transparent framework to measure our development and data management practices. Assurance that InVision maintains and follows these standards are affirmed through our annual SOC 2 audit.
- When processing personal data regulated under GDPR, we commit to follow any additional security and privacy measures required under GDPR.
- Where we are transferring personal data outside of the EU, we are committing to appropriate data transfer mechanisms as required by GDPR.
- We are ensuring that applicable users have the ability to access and update their personal data (in fact, we try to make this easy by including access to most data in our service).
- We are notifying regulators, customers, and users of breaches, promptly as required by the GDPR.
- We are holding vendors that handle personal data to required data management, security, and privacy practices and standards.
- We are carrying out data impact assessments and consulting with EU regulators where appropriate.
- We are ensuring that InVision staff that process InVision customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data.
General Data Protection Regulation FAQs
Does Invision process the personal data of its customers?
What personal data do we process?
For most users, this is limited to “business card” information of users that register for the service - meaning their names and e-mail addresses, and an IP address for session security purposes. We may obtain your phone number if we need to reach out for a support issue, and you can put your picture on your account if you would like to personalize your interactions with other users. Unlike many other SaaS companies, we do not process personal information outside of that user information (and require that customers not provide us with any other such personal information).
Where does InVision store and process my data?
Our goal is to provide our customers with secure, fast, and reliable services. Today, InVision stores data in its AWS data center located in the U.S. In order to bring you world class products, and to provide support and maintenance (e.g. 24x7 support coverage), InVision may also allow employees and contractors located outside the U.S. (e.g. in the EU, Argentina, Australia, and Canada) to access to certain data for product development, and customer and technical support purposes. We ensure that all such disclosures are compliant with the law and that all use will be for the limited purpose described.
How can I manage my personal data that is stored by InVision?
Please refer to our rights management page for information on how you can do things like access, rectify, export or erase your personal data. You can also contact us directly at [email protected] if you have any additional requests or questions
Is InVision E.U.-U.S. Privacy Shield Certified?
InVision is certified under EU-U.S. and Swiss-U.S. Privacy Shield with respect to the personal data we receive and process through our services. InVision adheres to the Privacy Shield principles including notice, choice, onward transfer, security, data integrity, access, and enforcement for personal data submitted by our customers in participating European countries through the services.
Does InVision enter into GDPR-compliant Data Processing Agreements (DPA)?
For InVision customers:
InVision will enter into DPAs with our customers who are data controllers and have purchased a subscription to our design collaboration platform via a written agreement. We provide a GDPR-compliant DPA that is tuned to our service, and invite such customers to complete and execute our GDPR-compliant DPA by going to InVision Customer Data Processing Addendum. Just follow the prompts through the form to complete your information.
For Wake and Brand.ai customers:
Please note: If you are a subscriber of the Wake or Brand.ai services, the preceding DPA does not apply to you. If you wish to receive a GDPR compliant DPA for your service, please contact your sales representative or [email protected] for a DPA applicable to your service.
InVision is committed to our customers’ success and the protection of customer data, which is why our customers can count on our commitment to GDPR compliance.
- Privacy: You own your data, and we’re committed to protecting your privacy.
- Security: InVision maintains customer security as our highest priority.
- Compliance: We maintain strict standards for achieving legal, regulatory and industry compliance frameworks such as SOC, PCI and CSA-Star.
- Policies and reports: We actively promote our information security policy library allowing customers insight into our data handling requirements.
- More information: You can find more detailed information about the GDPR from the European Commission website.