GDPR Compliancy Update

To inform you quickly and accurately, the article below is provided in English. If you have any questions, please contact [email protected]


GoodHabitz is growing, fast. With this growth comes the wish to create even more and even better content - and the need to make our platform faster, more reliable, and even more secure. We need to be ready for the future, because we want to keep helping you develop yourself even further. That's why we need to move to the cloud. 

We've been pushing our servers to their limits recently. This made us rethink our infrastructure. Moving to the cloud guarantees a higher level of security, availability, and scalability - enabling us to grow while still placing strict demands on reliability, security, and privacy.  

At GoodHabitz, we value privacy. 

Ours and yours. By design and by default. That's why we realize this move may raise some questions - we've had some as well in the beginning. On this page we'll try to answer them as best as we can. Please keep in mind that moving to the cloud is a process for us. We're taking small steps and at every step we're looking into the best privacy and security measures. At every step we'll inform you on this page about the details. 

Nothing will change when it comes to our GDPR- and ISO27001-compliance! 

We are still fully committed to the protection of your privacy. We'll comply with laws and regulations - or better yet, surpass the legal requirements as best we can. We will therefore continue to process and store your personal data only within the EU/EEA. In cloud-related terms, this is called 'localization' of data. And as a reminder: when we're talking about your personal data, we're talking about perhaps your name, e-mail address, IP address and/or the UserID your employer sends us. What we're processing depends on the way you log in. 

We're telling you this because (we feel) you have a right to know. 

Because we think your privacy is important, we want to let you know we're not going to process or store your data outside the EEA. Also, based on the GDPR you have the right to know which new sub-processors we're planning to engage. If you'd like to respond to this news, please contact your primary contact within GoodHabitz or send an email to the Privacy & Security Team ([email protected]). 


The Q&A below will answer most of your questions. When we have new info (or often get the same question), we'll add it.


On 16 July 2020, the European Court of Justice invalidated the Privacy Shield. As a result, there no longer is a legal basis for exchanging data with American parties. Each organisation using (sub)processors in the United States will have to conclude a Standard Contractual Clause (SCC) with each of these parties. GoodHabitz is no exception. The next step is to prove that the level of protection offered by these SCCs meets the requirements of the GDPR.

What does this mean for students?

Your privacy is our biggest priority, which is why we want to show you the steps we’re taking in order to comply with the GDPR, with regard to our subprocessors. Our goal, of course, is to demonstrably safeguard the protection of your personal data.

  • We've listed all subprocessors that might process your personal data outside the EEA.
  • We've contacted those subprocessors to ask them about any measures taken after the invalidation of the Privacy Shield.
  • We've called together an Emergency Response Team to decide what to do with the US-based subprocessors.
  • We've decided to find European alternatives for our two US-based subprocessors.
  • We've implemented the services of the new European subprocessors.

What does this mean for our clients?

The data processing agreement concluded will remain in force. That said, the list of subprocessors mentioned in the agreement must be updated. It’s our duty as a processor to inform clients of any subprocessor changes.


New subprocessor for email address verification.

GoodHabitz could no longer guarantee GDPR compliance for Kickbox, our former US-based subprocessor for email address verification. That’s why we've decided to switch to a provider within the EEA, named Bouncer. We have thoroughly screened and tested the services of this Polish supplier. The security screening showed that all necessary technical and organisational measures have been taken by Bouncer to fully comply with the GDPR. Only email addresses are shared with this provider. Bouncer safely stores and processes those email addresses in a European Union based cloud infrastructure, a hybrid solution of AWS cloud (Frankfurt region) and OVH cloud (France). No data is being transferred outside the EEA and Bouncer will erase all personal data from the system after 60 days. We are no longer using the services of Kickbox.

Copernica (SMTPeter)

New subprocessor for sending transactional emails

Despite the many mitigating measures taken by our former US-based supplier Mailchimp/Mandrill after the Privacy Shield invalidation, we've decided to switch to a provider within the EEA. We have been screening and testing the tool SMTPeter, which offers a cloud-based SMTP server for fast and secure email delivery. SMTPeter is provided by Copernica. Copernica is a Dutch supplier of marketing automation software, located in Amsterdam. All data is stored in Dutch data centres. Both the security screening and the technical demo-test have been successfully completed. At the beginning of December, the GoodHabitz Security team informed all customers about our planned switch. Since 10 December, we have fully switched to the services of SMTPeter.


Subprocessor for providing a Sales CRM and a ticket system for customer support purposes
GoodHabitz has concluded Standard Contractual Clauses (SCC) with Salesforce. In addition, Salesforce has Binding Corporate Rules (BCR) in place, which are in accordance with the GDPR. Despite these appropriate measures, we have contracted Privacy Company as an external party to perform a Data Protection Impact Assessment (DPIA) on our implementation of Salesforce, in order to guarantee demonstrable GDPR compliance.

This has resulted in the following findings and mitigating measures:

1. Salesforce is used as a CRM by GoodHabitz. According to the GDPR, GoodHabitz does not act as a processor but as a controller regarding the use of Salesforce. 

Mitigating measure:

  • As Salesforce is not part of the contract between GoodHabitz and its clients, it will no longer be listed as a sub-processor within the Data Processing Agreement and related subprocessor overviews.

2. Pardot is part of our Salesforce contract and therefore it was assumed that the data was stored on the Salesforce EU18 servers (located in France and Germany), just like all our Salesforce data. However, the in-depth DPIA revealed that all Pardot data is stored in the United States.

Mitigating measures:

  • It has been verified that the Binding Corporate Rules of Salesforce also apply to the Pardot services.
  • GoodHabitz closed an Additional Safeguards Addendum with Salesforce in order to protect the personal data against any interference that goes beyond what is necessary in a democratic society to safeguard national security, defence and public security.
  • We’ve made sure that no personal data of students is shared with Pardot, so only Salesforce accounts that are created for commercial purposes are shared with Pardot. A student reaching out to our helpdesk will get registered in Salesforce, but not in Pardot.
