Step2Flow’s GDPR compliance statement can follow the same structure as the provided text, but adapted to a work‑management SaaS (tasks, calendar, teams, mobile apps) and to your company details. Below is an English version you can use and then localise to Bosnian.
GDPR – Compliance Statement (Step2Flow)
Introduction
The EU General Data Protection Regulation (“GDPR”) came into force across the European Union on 25 May 2018 and introduced the most significant changes to data protection law in over two decades. Based on privacy by design and a risk‑based approach, the GDPR has been designed to meet the requirements of the digital age, including broader use of cloud services, mobile devices and cross‑border data processing.
As a modern work management platform, Step2Flow processes personal data related to teams, tasks, internal calendars and mobile activity, and recognises the importance of protecting that data in line with GDPR principles.
Our commitment
Step2Flow is committed to ensuring the security and protection of the personal data that we process and to providing a compliant and consistent approach to data protection across our organisation and products. We have implemented a robust data protection and security program that aligns with existing laws and the core principles of GDPR, and we continue to improve this program as regulations, guidance and best practices evolve.
Step2Flow is dedicated to safeguarding the personal data under our remit and to operating a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for, the GDPR. Our preparation and objectives for GDPR compliance are summarised below and include the development and implementation of dedicated data protection roles, policies, procedures, controls and measures to ensure ongoing compliance.
If you require a signed copy of our Data Processing Agreement (DPA), please contact us at info@step2flow.com.
How we are preparing for GDPR
Step2Flow already operates with a consistent level of data protection and security across our organisation. Our GDPR preparation and maintenance activities include:
Information audit
We have carried out internal information audits to identify and assess what personal data we process in Step2Flow, where it comes from, how and why it is processed, which systems store it (web, Android, iOS), and whether and to whom it is disclosed. This mapping covers data such as user identities, team memberships, tasks, calendar entries, device identifiers and logs.
Policies and procedures
We have updated our Privacy Policy, Terms of Service and internal data protection policies and procedures to meet the requirements and standards of GDPR and other applicable data protection laws. This includes:
- Data protection policy – Our core data protection policy has been revised to reflect GDPR concepts of accountability and governance, ensuring that obligations and responsibilities are clearly understood and evidenced. The policy emphasises privacy by design/default in the Step2Flow platform and the rights of individuals whose data we process.
- Data retention and erasure – We have updated our retention schedules to comply with the principles of data minimisation and storage limitation, ensuring that personal data is stored, archived and deleted in a compliant and ethical manner. We maintain procedures to support the “right to erasure” where applicable and to handle other data subject rights, including clearly documented processes for account‑level deletions upon customer request.
- Data breaches – We have incident and breach procedures designed to identify, assess, investigate and, where required, report personal data breaches at the earliest opportunity. These procedures have been communicated to relevant staff so that they understand escalation paths, responsibilities and timelines under GDPR Articles 33 and 34.
- International data transfers and third‑party disclosures – Where Step2Flow stores or transfers personal data outside the EEA/UK, we apply appropriate safeguards such as Standard Contractual Clauses or other recognised transfer mechanisms and maintain the security and integrity of the data. We conduct due diligence on all third‑party recipients of personal data (such as hosting, analytics or payment providers) to verify that they provide adequate protections, enforceable data subject rights and effective legal remedies where applicable.
- Subject Access Requests (SAR) – We have updated our SAR procedures to align with GDPR timeframes (generally one month) and to provide access free of charge unless permitted otherwise by law. Our procedures describe how we verify the requester’s identity, how we locate and compile data from our systems, what exemptions may apply, and how we respond in a clear and consistent way.
- Legal basis for processing – We review our processing activities to identify the appropriate lawful basis in each case (contract, legitimate interests, consent, legal obligation) and maintain records of processing activities where required by Article 30 GDPR. This analysis covers both our role as Controller (for our own website and account administration) and as Processor on behalf of customers using Step2Flow for their teams.
- Privacy notices – We have updated our Privacy Policy and related notices to clearly inform individuals why we need their data, how it is used (e.g., task assignment, calendar scheduling, analytics, notifications), what rights they have, with whom we may share the data, and which safeguards protect it.
- Obtaining consent – Where we rely on consent, we have reviewed our consent mechanisms to ensure they meet GDPR requirements for being specific, informed, freely given and unambiguous. Our processes record evidence of consent (including time and method) and provide simple ways to withdraw consent at any time, particularly for marketing communications and optional product features.
- Direct marketing – We have updated our direct marketing practices to include clear opt‑in mechanisms, concise and understandable explanations of what individuals are subscribing to, easy ways to opt out, and unsubscribe links on all relevant communications.
- Data Protection Impact Assessments (DPIA) – For processing operations that may be high risk, such as large‑scale monitoring of activities, extensive use of location data or processing of special categories of data, we have procedures and templates to carry out DPIAs in line with Article 35 GDPR. These help us identify and mitigate risks to data subjects before launching or significantly changing such features.
- Special category data – Step2Flow is not designed to process special category data as a core use case, and we instruct customers not to store such data unless strictly necessary and lawfully justified. Where special category data is processed, we require an appropriate Article 9(2) basis and apply heightened safeguards (e.g., stricter access control and encryption).
Data subject rights
Beyond our internal policies and procedures, Step2Flow enables individuals and customer organisations to exercise data subject rights under GDPR. Depending on whether Step2Flow acts as Controller or Processor, individuals can request information such as:
- What personal data we hold about them
- The purposes of processing
- The categories of personal data concerned
- The recipients or categories of recipients to whom the data has been or will be disclosed
- The envisaged period for which the personal data will be stored
- The source of the data, where it was not collected directly from the individual
- The existence of rights to rectification, erasure, restriction, objection, and data portability
- The right to lodge a complaint with a supervisory authority
Where Step2Flow is Controller, individuals may contact us directly via the details below. Where we are Processor, we assist our customer‑controllers in fulfilling such requests using the tools and exports available in the Step2Flow platform and our internal systems.
GDPR Data Processing Agreement (DPA)
When customer organisations use Step2Flow, we process personal data on their behalf as a Data Processor. Our DPA reflects the requirements of Article 28 GDPR, including:
- Processing personal data only on documented instructions from the customer
- Ensuring appropriate confidentiality and security measures
- Assisting the customer with data subject rights, DPIAs and incident notifications where relevant
- Returning or deleting personal data at the end of the provision of services, subject to legal retention obligations
If you would like a GDPR‑compliant Data Processing Agreement for your Step2Flow account, please contact us at info@step2flow.com.
GDPR roles and employees
Step2Flow has designated internal responsibility for data protection and appointed a privacy and security function to coordinate our GDPR roadmap, monitor compliance and act as a point of contact for customers on privacy topics. This team is responsible for promoting GDPR awareness across the organisation, assessing readiness, identifying any gaps and implementing policies, procedures and controls.
We recognise that continuous employee awareness and understanding are vital to maintaining GDPR compliance. Step2Flow has implemented privacy and security training for employees, which forms part of our onboarding process and is refreshed on a regular basis. Training covers topics such as data protection principles, handling of customer data, incident reporting and secure use of Step2Flow internal tools.
If you have any questions about our preparation for or compliance with GDPR, please contact us at info@step2flow.com.