We answer the most commonly asked questions about the steps Mono takes to make sure our products and services are GDPR compliant.
What we do to be GDPR Compliant
- Fully compliant automated Cookie Consent: Automated cookie compliance that stays up-to-date with changing legislation.
- Using hCaptcha instead of Google’s reCAPTCHA: hCaptcha's image-recognition challenge only captures image-selection data, not personal information.
- We use proxies to keep your IP address hidden: A proxy works as a middleman on the internet. When a Mono site needs a resource from Google Fonts, for example, the request is first sent to Mono's proxy. The proxy sends the request on, so the receiver only sees the proxy's IP address, not the individual user's.
- Your personal information stays in the EU: Mono stores personal information such as names and email addresses on servers in Europe.
What is GDPR?
The General Data Protection Regulation (GDPR) is the European data protection law. It is important to stay compliant so that any personal data your customers give you is not disclosed to third parties or misused in other ways. GDPR applies to any organisation that processes the personal data of people in the EU and the EEA, regardless of where the organisation itself is located.
Frequently Asked Questions
1: Can you use the services of American companies such as Google and Amazon Web Services and still be GDPR compliant?
Yes. Using an American provider is not in itself a GDPR violation; the issue is that transferring personal data to a country outside the EU/EEA requires a legal basis and appropriate safeguards. It is therefore possible to stay GDPR compliant while using American services, provided the transfers are handled properly.
Mono uses AWS as a hosting provider, and we offer partners the option to use Google Fonts and Google Analytics if they wish. We protect your data through CDNs and proxies.
A content delivery network (CDN) is a system of servers distributed across a region. CDNs are normally used to make content delivery to the end user faster, by caching content on the server geographically closest to the user. For Mono Partners this means European visitors are served from European servers; the personal data itself (names, email addresses and similar) is stored on Mono's servers in Europe, as described above.
Proxies are intermediary servers that send requests on behalf of Mono Partners. This means that Mono Partners' sites do not send requests to third parties from their own IP addresses; the requests go through Mono's proxy server.
Read more about how we protect our partners' data in the specific examples in questions 3 and 4.
2: Why not just use European digital providers?
Avoiding the large American companies is not a viable solution. They are far superior in terms of security, speed and stability to their European counterparts. In some instances, European providers can even be less secure than the American companies, because their security and stability are not up to a high enough standard.
3: How can Mono use Google Fonts and still be GDPR compliant?
Partners can use Google Fonts through Mono's Editor because Mono acts as a middleman between you and Google. Mono communicates with Google on your behalf, so Google never sees who you are and never receives any of your visitors' data. Google only sees Mono in the interaction.
Normally, when a browser loads a Google Font directly (not through a Mono site), it sends a request to Google asking for the font. When Google receives that request, it can see, and save, the visitor's IP address. An IP address is personal data under GDPR because it can be used to identify a person, so sending it to Google without a legal basis is a compliance problem.
When a Mono Partner's site loads a Google Font, however, the browser sends its request to a Mono proxy server, which is located in Europe and never saves IP addresses. The proxy server then sends a new request to Google. This proxy server has its own IP address that is associated only with Mono and cannot be used to identify any individual visitor.
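The proxy described above (and in the summary at the top of the page) is easy to get subtly wrong, so here is an added example of the core logic, written for this page and not Mono's own code. It assumes a hypothetical proxy hostname, `fonts.proxy.example`, and hypothetical function names (`upstream_headers`, `rewrite_css`, `handle`). It shows the two things such a proxy has to do: build the outbound request so that no header carrying the visitor's address or identity reaches Google, and rewrite the stylesheet Google returns, because that stylesheet points the browser at font files on `fonts.gstatic.com`; if those were fetched by the browser directly, the visitor's IP address would still reach Google. The outbound HTTP client is injected, and a constructed stand-in for Google's response is included, so the example runs offline.

```python
import re
from typing import Callable, Dict, List, Tuple

PROXY_ORIGIN = "https://fonts.proxy.example"      # hypothetical proxy hostname
UPSTREAM_CSS = "https://fonts.googleapis.com"     # serves the @font-face stylesheet
UPSTREAM_FILES = "https://fonts.gstatic.com"      # serves the font files

# A fixed User-Agent: Google chooses the font format from it, and forwarding
# the visitor's real User-Agent would hand Google a fingerprinting signal.
FIXED_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"

# Allow-list: only request headers that affect the stylesheet are forwarded.
# X-Forwarded-For, Forwarded, X-Real-IP, Cookie, Referer, ... are all dropped.
FORWARDED_REQUEST_HEADERS = {"accept"}

# Matches url(https://fonts.gstatic.com/...) with optional quotes inside url().
_GSTATIC_URL = re.compile(
    r"url\((['\"]?)" + re.escape(UPSTREAM_FILES) + r"(/[^)'\"]*)\1\)"
)

# (url, headers) -> (status, response headers, body); injected for testability.
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]


def upstream_headers(client_headers: Dict[str, str]) -> Dict[str, str]:
    """Build the header set sent to Google: allow-listed headers plus a fixed UA."""
    out = {k.title(): v for k, v in client_headers.items()
           if k.lower() in FORWARDED_REQUEST_HEADERS}
    out["User-Agent"] = FIXED_UA
    return out


def rewrite_css(css: str) -> str:
    """Point every font-file URL at the proxy instead of fonts.gstatic.com."""
    return _GSTATIC_URL.sub(
        lambda m: f"url({m.group(1)}{PROXY_ORIGIN}/gstatic{m.group(2)}{m.group(1)})",
        css,
    )


def handle(path: str, client_headers: Dict[str, str], fetch: Fetcher,
           audit_log: List[Tuple[str, int]]) -> Tuple[int, Dict[str, str], bytes]:
    """Serve one proxied request.

    `path` is what the browser asked the proxy for, e.g. "/css?family=Roboto"
    or "/gstatic/s/roboto/v30/KFO.woff2". `audit_log` records only the path
    and status; the visitor's address is never written anywhere.
    """
    headers = upstream_headers(client_headers)
    if path.startswith("/css"):
        status, resp_headers, body = fetch(UPSTREAM_CSS + path, headers)
        if status == 200:
            body = rewrite_css(body.decode("utf-8")).encode("utf-8")
    elif path.startswith("/gstatic/"):
        status, resp_headers, body = fetch(UPSTREAM_FILES + path[len("/gstatic"):], headers)
    else:
        status, resp_headers, body = 404, {}, b"not found"
    # Drop upstream Set-Cookie so Google cannot plant an identifier via the proxy.
    resp_headers = {k: v for k, v in resp_headers.items() if k.lower() != "set-cookie"}
    audit_log.append((path, status))
    return status, resp_headers, body


def fake_google(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Constructed stand-in for Google's responses so the example runs offline."""
    if "X-Forwarded-For" in headers or "Cookie" in headers:
        raise AssertionError("identifying header leaked to upstream")
    if url.startswith(UPSTREAM_CSS):
        css = ("@font-face { font-family: 'Roboto'; src: "
               "url(https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxK.woff2) "
               "format('woff2'); }")
        return 200, {"Content-Type": "text/css", "Set-Cookie": "NID=abc"}, css.encode("utf-8")
    return 200, {"Content-Type": "font/woff2"}, b"wOF2\x00constructed"


if __name__ == "__main__":
    log: List[Tuple[str, int]] = []
    status, hdrs, body = handle(
        "/css?family=Roboto",
        {"X-Forwarded-For": "203.0.113.7", "Cookie": "sid=1", "Accept": "text/css"},
        fake_google, log,
    )
    print(status, hdrs)
    print(body.decode("utf-8"))   # font URL now points at the proxy
    print(log)                    # path and status only, no IP address
```

The check that matters in practice is the last one: after the rewrite, the response must contain no `fonts.gstatic.com` URL at all. A proxy that only forwards the stylesheet request, and leaves the font-file URLs untouched, hides the visitor's IP for the first request and leaks it on the second.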
4: What steps do Mono take to protect my data when using Google Analytics?
Mono Solutions has configured Google Analytics to be as privacy-preserving as possible. Many companies use Google Analytics without considering these settings, but at Mono we think it is important to address how the data is stored. We have done the following:
- Google Analytics accounts on Mono websites anonymize IPs. The last octet of an IPv4 address (and the last 80 bits of an IPv6 address) is set to zero before the address is stored, so Google cannot use it to identify the individual user. In Universal Analytics this is the anonymize_ip setting; Google Analytics 4 does not store full IP addresses at all.
- User-ID is switched off: The User-ID feature lets you associate engagement data from different devices and multiple sessions, so you can see how a user interacts with your content over an extended period of time. We keep this setting off.
- Data sharing is also turned off: Google's data sharing settings control whether Google Analytics data is shared with other Google products and services beyond what is needed to maintain and protect the Google Analytics service itself and perform system-critical operations. We keep sharing switched off, so the data stays confidential to the Analytics account.
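The IP masking described in the first bullet is worth seeing as code, both to make the rule concrete and to show what it does and does not achieve. The following is an added example written for this page, not Google's or Mono's implementation; the function names (`anonymize_ip`, `scrub_log_line`) and the log lines are constructed for illustration. It applies the same masking Google Analytics describes (IPv4: last octet zeroed; IPv6: last 80 bits zeroed) and goes slightly beyond the page by applying it to access-log lines, which is how a site operator would apply the same data-minimisation rule to their own logs.

```python
import ipaddress
import re

# Finds IPv4 addresses and IPv6 addresses (hex groups with ':') in free text.
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[0-9a-fA-F:]{2,39}\b")


def anonymize_ip(addr: str) -> str:
    """Mask an IP address the way Google Analytics' IP anonymization does.

    IPv4: keep the first three octets, zero the last one (a /24).
    IPv6: keep the first 48 bits, zero the remaining 80 (a /48).
    Anything that is not a valid address is returned unchanged.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def scrub_log_line(line: str) -> str:
    """Replace every IP address in a log line with its anonymized form."""
    return _IP_RE.sub(lambda m: anonymize_ip(m.group(0)), line)


def same_bucket(a: str, b: str) -> bool:
    """True if two visitors become indistinguishable after anonymization."""
    return anonymize_ip(a) == anonymize_ip(b)


# Constructed sample log lines (Common Log Format style), not real traffic.
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /contact HTTP/1.1" 200 1024',
    '2001:db8:abcd:1234:5678:9abc:def0:1234 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_log_line(line))
    # The first two visitors share a /24 and collapse to the same masked value.
    print(same_bucket("203.0.113.77", "203.0.113.9"))
```

Note what the masking buys: an IPv4 address is reduced to a block of 256 possible hosts, and an IPv6 address to the /48 typically assigned to one organisation or ISP region. That is a large reduction in identifiability, which is why the setting matters, but it is not full anonymity, which is why the page also turns off User-ID and data sharing rather than relying on IP masking alone.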
If you are still concerned, it is also possible to completely switch off Google Analytics under website settings. Simply navigate to the Site Settings Icon in top right corner in the Editor, toggle Website Settings in the left-hand menu, click on Google Analytics and tick the box “Don't send any data to Google Analytics”.
5: Is hCaptcha GDPR compliant?
Yes. Mono uses hCaptcha's image-recognition CAPTCHA, which adheres to GDPR.
Image-recognition CAPTCHAs work by giving the user an image-recognition challenge. The user is presented with a grid containing several different images and must pick the ones that contain a given object, such as traffic lights, buses or pedestrian crossings. hCaptcha's image-recognition challenge does not capture personal information about the user, only which images they selected. The image data can be processed in the United States, but this still adheres to GDPR because the data is not personally identifiable.
As an additional safeguard, hCaptcha has also signed Standard Contractual Clauses (SCCs) to ensure compliance for European customers. SCCs are contracts approved by the European Commission that protect European data subjects when personal data is transferred to third countries.