Balsamiq and GDPR

Like most software companies, at Balsamiq we have implemented changes to follow the guidelines established by the European Union’s data privacy law, the General Data Protection Regulation (GDPR), which came into effect May 25, 2018.

After reading the legislation, we were pleased to find it is in alignment with our company philosophies related to data, privacy, and transparency with our users. A lot of work was put into this effort, but we know we still have more we can do to protect our community’s privacy.


As our newly updated Privacy Policy states: “Our business model is a very traditional one: we provide products and services, and customers pay us for them. In other words, you are the customer, NOT the product.”

So most of the work we have done was making it very clear that we do not sell or rent your data, ever. And we only keep what is required to provide you with those products and services.

Briefly, here are steps we have taken as of May 2018:

  • We completed a company-wide audit of all our systems to identify:
    • all data we collect
    • where it is stored
    • why we store it
    • if there is no reason to continue to store it, create a plan for deleting it
  • We developed initial drafts of internal policies related to:
    • collecting and storing of employee data
    • improving company procedures and training tools related to security and privacy concerns
  • We updated our legal documents on the website:
    • consolidated multiple documents into just three, all in one central location
    • updated our Privacy Policy to add clarity on exactly what we are collecting and why, as well as other GDPR-required elements
    • added a main Information Security page, which has answers to the most common questions found in security questionnaires

The work we’ve done is just a start. Just as with all the work we do at Balsamiq, we consider GDPR an ongoing project of continual kaizen improvement. We’ll be keeping GDPR in mind when doing internal reviews of our processes, designing new software, and establishing new programs.


Does Balsamiq Have a Data Protection Officer?

We do not have a DPO because we are not legally required to have one. However, if you need a main contact regarding privacy, we have contact information listed in our Privacy Policy.


Is Balsamiq a Member of the EU-US Privacy Shield?

We have applied to join the EU-US Privacy Shield. As soon as our certification is approved, we will add this information to our Privacy Policy.


Do You Have a Data Processing Agreement?

No. Based on our preparation and research for GDPR, we believe that a DPA is not needed for Balsamiq. The reason is that we are a controller rather than a processor.

We do not sign additional agreements, so we will not be able to sign custom DPAs.

However, if you require a contract with us for your records, our Terms and our Privacy Policy together are your contract with us.

If you have any questions, please don’t hesitate to contact us at privacy@balsamiq.com.


