1. Record of processing activities
Required under Art. 30 GDPR — even for small businesses. Document: what data, purpose, legal basis, retention period, recipients. A simple table suffices. PlotonIQ generates this overview automatically.
2. Data processing agreements (DPA)
Required with every cloud service processing your customer data: accounting software, email tools, hosting, industry software. PlotonIQ provides a DPA. Request one from all your other providers.
3. Privacy policy
Be specific: name which cookies, which analytics tools, which third parties, and the controller's contact details.
4. EU servers
Customer data on US servers is problematic post-Schrems II. Safest: German servers. PlotonIQ: Hetzner Falkenstein, ISO 27001 certified. No third-country transfers.
5. Retention periods
Tax law: 10 years for invoices, 6 years for business correspondence. Site photos: delete after project + warranty period. Job applicant data: 6 months after rejection.
6. Encryption
Transit: TLS 1.2+ (preferably 1.3). Storage: AES-256. Passwords: bcrypt or Argon2. API keys: encrypted, never plaintext.
7. Access control
Not every installer needs access to all invoices. Role system: Admin (everything), Office (clients, quotes, invoices), Installer (own jobs, time tracking).
8. Photos only in managed apps
Site photos on personal phones = customer data on unmanaged devices. Solution: capture in PlotonIQ app — encrypted upload, never stored on device.
9. Replace WhatsApp
WhatsApp shares metadata with Meta. Not GDPR-compliant without Business API + DPA. For approvals: PlotonIQ customer portal with digital sign-off and timestamp.
10. Impact assessment for geofencing
GPS tracking for installers requires a data protection impact assessment under Art. 35 GDPR. Document: purpose, legal basis, safeguards. Employees must be informed.
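
The role system from item 7, written as a deny-by-default permission check. This is an added example, not PlotonIQ's code; the resource names, the `assigned_to` field and the sample users are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Role -> resource -> scope. "all" = any record, "own" = only records assigned
# to the requesting user. Anything not listed is denied.
# Resource names are assumptions derived from the checklist wording.
ALL_RESOURCES = ("clients", "quotes", "invoices", "jobs", "time_tracking")
POLICY = {
    "admin": {r: "all" for r in ALL_RESOURCES},
    "office": {"clients": "all", "quotes": "all", "invoices": "all"},
    "installer": {"jobs": "own", "time_tracking": "own"},
}

@dataclass(frozen=True)
class User:
    user_id: str
    role: str

@dataclass(frozen=True)
class Record:
    resource: str
    assigned_to: Optional[str] = None  # hypothetical ownership field

def is_allowed(user: User, record: Record) -> bool:
    """Deny by default; grant only what the role's policy entry names."""
    scope = POLICY.get(user.role, {}).get(record.resource)
    if scope == "all":
        return True
    if scope == "own":
        # An unassigned record has no owner, so it is never "own".
        return record.assigned_to is not None and record.assigned_to == user.user_id
    return False  # unknown role, unknown resource, or no grant

def audit(users, records):
    """List every granted (user_id, resource, assigned_to) for access review."""
    return [(u.user_id, r.resource, r.assigned_to)
            for u in users for r in records if is_allowed(u, r)]

# Constructed sample data for the demonstration.
USERS = [User("anna", "admin"), User("otto", "office"),
         User("ivan", "installer"), User("temp", "intern")]
RECORDS = [Record("invoices"), Record("jobs", "ivan"), Record("jobs", "max"),
           Record("jobs"), Record("time_tracking", "ivan")]

if __name__ == "__main__":
    for grant in audit(USERS, RECORDS):
        print(grant)
```

The `audit` output doubles as an access review: any grant that surprises you points to a policy entry that is too broad.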