Security Certifications?
# šŸ¤help
a
Hi, I just have a quick question. Other than being GDPR compliant, I was unable to find any information regarding whether you have any security certifications. In Sweden we have to note how reliable our future vendors' security is before creating the company. Are you able to assist me with this information? Kind regards
f
hey @ambitious-winter-14693, we are currently working through a SOC 2 security audit. We use AWS to run continuous vulnerability scans and conduct external pen tests on a regular basis. We align our cybersecurity practices with industry standards. For more specific security or data privacy questions, I would reach out to the sales team 🙂
a
Okay, thank you very much for your time 🙂
f
my pleasure
c
Is it important or a requirement in Sweden to undergo a SOC 2 security audit? How is this certification valued in relation to Swedish legal requirements and industry standards?
a
Unfortunately I cannot answer that question. I don't believe that SOC 2 is especially valued. But we have to do a risk assessment of our vendors. Data security is really important in Sweden, and you might get "Datainspektionen" after you if you mishandle data.
c
Can I DM you?
a
sure 👍
t
@ambitious-winter-14693 @freezing-printer-49373 is there any update on that? For me in Austria this is also a highly critical topic. Is it possible to receive a Data Processing Agreement from Botpress to ensure GDPR compliance?
c
Agree
f
t
Thank you for sharing! There are several passages saying that Botpress will process personal data in compliance with applicable data protection laws, which would include GDPR for data subjects in the EU. I do not see an explicit statement that Botpress is GDPR compliant. Will we receive this? For us Europeans this is critical. Otherwise we have to switch to another provider.
f
it does
"Compliance with Data Protection Laws, 3.a: Each party shall carry out any processing of Personal Data in compliance with all applicable Data Protection Laws."
data protection laws define it
thanks
t
Sorry, this is definitely no proof that Botpress is GDPR compliant. It only says that the user has to ensure it. It gives no guarantee that you handle the data in compliance with data security standards and GDPR. It is obvious that we have to handle our part right. But you also have to handle the data right, and we have no evidence that you really do it.
f
If you are asking for a third party audit, we are currently working through a SOC 2 audit, and will most likely be tackling that after.
t
This is good to hear and highly critical. Approximately when will it come?
f
A couple of months.
In the meantime, if some of your clients have specific security questions you can reach out to sales; they should be able to help.
t
I understand that you have a lot of work to do, are developing a lot of useful features for your clients and are doing a great job! But why does it take so long to fix such a highly critical issue? Currently it is legally not allowed to use any chatbot based on Botpress for people from Europe. Many of your users are not aware that their chatbot services may be used by people from Europe even if they do not target this region, and this will cause very serious legal issues for them.
c
Agree with you!!
f
Hi, SOC 2 is not a requirement to provide a SaaS, nor is European localisation. Also, we are already mapping all controls here; we just need a third-party auditor to confirm the work of our security team. To be clear, we are working on providing better documentation to help your clients through their own security or privacy assessments. As for Europeans, there is nothing currently prohibiting the use of our service. Creating a bot through Botpress and then publishing it to your client's website is however not always sufficient: if you are collecting personal information and storing it in Botpress, you will need to have it reflected in the website's privacy policy, as well as having a process for respecting DSRs. On the topic of why SOC 2 is taking a couple of months, a Type 2 audit is a minimum of 3 months of continuous monitoring.
t
Thank you for your answer and effort. Your current DPA doesn't state whether you collect personal data and, if yes, in which region you store it and whether these GDPR articles will be applicable:
- The right to access
- The right to rectification
- The right to erasure
- The right to restrict processing
As long as this is not explicitly stated in the DPA, then yes, your service is prohibited to use for EU users/customers.
f
DSRs are covered in the privacy statement
t
where is the passage saying you do not store personal data?
a
Hey. I'm also seeking clarity on Botpress and GDPR. At this point I am not able to offer services to EU-based clients. @freezing-printer-49373 here are some more detailed checkpoints. I'm nothing to do with the website. GDPR applies to US companies; it's not location based, and it's not enough to say it's coming. If you already have EU users you must comply. Look forward to an official update soon. https://www.onetrust.com/blog/gdpr-compliance/
t
Exactly what I'm saying. You wouldn't be the first sued for not being GDPR compliant. It's not so laissez-faire and it's not a joke.
a
I'm totally with you. Having the same conversation with another well-known bot service… they just don't seem to get that it's a legal requirement and not optional… 🤪😉… there is one bot service who are completely compliant that I found… IMHO you have to either build your own compliant coded solution or not have any EU users if there's no proof of compliance. Same goes for HIPAA, and that's a US law… it's a minefield as these bots are obviously data centric!! 😂…
f
Hi both, Botpress complies with GDPR and all applicable privacy regulations. Let me know if you have specific questions.
t
Hi, then state it in the data privacy declaration if you are confident about it.
f
It's stated in the DPA already. A new version of the privacy statement should be live towards the end of the week.
Let me know your thoughts once it's live. We want to make sure your clients feel comfortable building on Botpress wherever they are. Canada's privacy laws are also very robust; this is a continuous effort and we are open to any feedback or any concerns you might have in the process of acquiring clients.
t
Is this a joke? The word GDPR is not stated even once. Please review the data privacy statements of stack.ai or typebot.io or flowise. Saying "Each party shall carry out any processing of Personal Data in compliance with all applicable Data Protection Laws." I repeat one last time why you are 100% not GDPR compliant:
- No statement in the DPA or the data privacy statement on the website that you comply with the GDPR articles
- No word about whether you store personal data
- No word about where your servers are
f
Your statements do not hold up to scrutiny; section 5 states these in black and white. The first statement is mentioned in the DPA; we covered this already earlier in the conversation. As I stated prior, the privacy statement is going to be updated towards the end of the week, but the information you are requesting is already in there.
t
no single word about GDPR here:
https://cdn.discordapp.com/attachments/1136019381894267110/1141100881278943272/image.png
f
the privacy statement...
"by our service providers on servers located in the United States" from privacy statement, section 5
section 2, "data collected through the service", from privacy statement.
t
and how can we decide to let the data be stored on EU servers and not in the US?:
https://cdn.discordapp.com/attachments/1136019381894267110/1141101739047661649/image.png
f
We are targeting European localisation in Q4 (not possible currently)
t
This is laudable, but then you are not yet GDPR compliant. Only after that can we decide on the server location.
f
That fact does not hold up to scrutiny
t
This requires that Botpress is listed among the companies participating in the EU-U.S. Data Privacy Framework on the site of the European Commission or the US Department of Commerce. I can't find you there anywhere. Could you please provide us the link?
read my statement in that thread
t
Looking forward to when you finish the audit and are listed. Till then we have no actual proof stated anywhere that you are compliant.
a
@jb this really is a legal scenario that the Botpress legal team should be handling. Arguing with your EU clients over Discord is extremely surprising. How about you refer to your legal team and publish a GDPR-compliant policy statement that meets EU law? Until that time we cannot accept that Botpress is in fact compliant. This is a highly unusual and unprofessional approach by a data hosting provider. The EU law is detailed here. Google were fined 50 million for non-compliance... just saying!! Look forward to the official legal statement soon. Thanks https://gdpr-info.eu/
q
Just as information: I haven't dealt with this topic for a while. I only know that there is a new law now; if the company is listed, then the tool can be used on the website (as you mentioned before). But I think Botpress also uses Google services. Here the user must also agree. You have to mention that in the privacy page as well. It must also not connect to Google if the user does not want this. If you cannot prevent the connection to Google, then Botpress may not be used. Before this new law, actually every US service was not GDPR compliant (e.g. also Google Fonts, because here the IP address was transmitted), even if the user agreed to the service. Even despite the new law, the user must have the possibility to know what data is stored where and how, and what is done with the data. He must also have the possibility to get a list of what data is stored about him. If necessary, all stored data must be deleted. I am not an expert on the subject. But I think it would be helpful if in the Botpress Administration you could turn off non-Botpress services (e.g. Google Tag Manager).
a
@cold-motherboard-82208 any update on this please? @freezing-printer-49373 it's over a week and no additional information. Currently unable to use any Botpress services for EU clients until the GDPR compliance policy is confirmed. What's the email of the legal team at Botpress? Thanks
f
Hi @adventurous-glass-22349, you can refer to our recently revised privacy statement and the DPF portal https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2z3d000000207VAAQ&status=Active If you have additional questions you can reach out to legal@botpress.com
c
Dm
It's very important for me also.
f
So to understand is it GDPR applanet?
f
Hey sorry, I don't understand the question (applanet?). You can refer to section 10 of the privacy statement for more information on GDPR. If you have any questions don't hesitate to reach out to legal@botpress.com https://botpress.com/legal/privacy-statement