General Data Protection Regulation (GDPR)
This page provides detailed information about the General Data Protection Regulation (GDPR) and its implications for CommCare. It highlights how Dimagi's policies and offerings allow users to remain compliant with GDPR requirements.
About GDPR
The General Data Protection Regulation (GDPR) is a comprehensive European Union law that aims to protect the personal data and privacy of individuals within the EU. It gives individuals more control over their data, such as the right to access and delete it, and imposes strict rules on organizations that collect and process personal data, including requirements for transparency, consent, and data security. GDPR applies to any organization that handles EU residents' data, regardless of where the organization is located, making it a global standard for data protection.
GDPR and CommCare
Dimagi has taken great care to build CommCare's security infrastructure so that it is compliant, where applicable, with GDPR standards. Because GDPR sets the standards by which personal data must be protected, the EU-U.S. Data Privacy Framework (and previously, the Privacy Shield) was created to help companies meet those standards when transferring data to the United States. Dimagi is certified under and complies with the EU-U.S. and Swiss-U.S. Privacy Shield Programs as well as the EU-U.S. Data Privacy Framework.
Dimagi also provides a suite of security features and practices to help our partners remain compliant with GDPR, including:
Data Security: CommCare employs robust security measures, including encryption at rest and in transit, ISO-certified data centers, and regular backups, in line with GDPR's requirement for appropriate technical and organizational measures to ensure the security of personal data. More on this here.
User Control: CommCare provides users with control over their data, allowing them to access, rectify, or delete their information, in line with GDPR's emphasis on individual rights. More on this here.
User Data Opt-Outs: CommCare allows all users to opt out of sharing data used for analytics by Dimagi. More on this here.
Data Processing Transparency: CommCare maintains transparency in its data processing activities through our updated Privacy Policies, which inform users about how their data is collected, used, and stored, fulfilling GDPR's requirements for transparency and information. We also maintain a full list of sub-processors here. More on this here.
Data Sharing: Dimagi shares with all customers its principles for responding to United States government data requests, focusing on responsible data stewardship and transparency. More on this here.
Where applicable, Dimagi can provide a Data Processing Agreement (DPA) outlining our obligations as a processor of Customer Data. If you require Dimagi's DPA for compliant use of CommCare, please reach out to support@dimagi.com.
Additional Security Qualifications and Certifications
Dimagi has been SOC 2 Type II certified since 2022, is HIPAA compliant, and maintains security standards aligned with NIST 800-53.
CommCare data is hosted in ISO-certified data centers operated by Amazon Web Services (AWS). AWS also holds a number of additional certifications, all of which are independently verified by third parties.
Additional Questions
For any additional questions about GDPR and CommCare, please reach out to support@dimagi.com.