Nested Knowledge

Bringing Systematic Review to Life

User Tools

Site Tools


GDPR Policy

Nested Knowledge is committed to ensuring protection of all personal information that we hold. We recognise our obligations in updating and expanding this program to meet the requirements of GDPR.

Nested Knowledge is located in the United States of America and provides services to users in countries across the world, except countries sanctioned by the U.S.

About GDPR

Key Concepts:

  • Personal data - name, email, phone number, location data.
  • Sensitive personal data - race, health status, religion, political affiliation
  • Controller - Determines how data is processed.
  • Processor - Processes data on behalf of another entitied.
  • Subprocessor - Processes data on behalf of another processor

Example: Nested Knowledge orders buisiness cards for an employee. A printing business, ACMEPrints, prints the business cards with the name and contact information of Nested Knowledge's employees. A cloud provider Cumulus Web Services hosts a database containing ACMEPrint's customers and their employees' contact information. Nested Knowledge is the controller, the employee is the Data Subject, ACMEPrint is the processor, and Cumulus Web Services is the sub-processor.

GDPR Compliance

Nested Knowledge performs or maintains the following activities or policies to ensure GDPR compliance:Policies and Procedures

  • Data Retention and Erasure - our policies meet the “data minimisation” and “storage limitation” principles and that personal information is stored, archived and destroyed in accordance with our obligations. We have procedures in place to meet the new “Right to Erasure” obligation.
  • Data Breaches - our Incident Response policies ensure that we have safeguards in place to identify, assess, investigate and report any personal data breach as early as possible. Our procedures have been explained all employees.
  • Privacy Notice/Policy - we have revised our Privacy Notice(s) to comply with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
    • Our Privacy Policy was published online on January 3rd, 2022
  • Obtaining Consent - we have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information.
  • Direct Marketing - we have revised the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions; a clear notice and method for opting out and providing unsubscribe features on all subsequent marketing materials.
  • Cookies - our cookies and user data tracking have been brought into compliance with the GDPR.
  • Use of photos - we have developed a Photo Policy describing our use of photos.

Information Security and Technical and Organizational Measures (TOMS)

We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction.

II. Privacy Policy

See our Privacy Policy, which will be maintained by We will use the service provided by to stay updated with privacy regulation changes.

Data Subject Rights

Individual’s have a right to access any personal information that Nested Knowledge processes about them and to request information about:

  • what personal data we hold about them
  • the purposes of the processing
  • the categories of personal data concerned
  • the recipients to whom the personal data has/will be disclosed
  • how long we intend to store your personal data for
  • if we did not collect the data directly from them, information about the source
  • the right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
  • the right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
  • the right to lodge a complaint or seek judicial remedy and who to contact in such instances.

Nested Knowledge provides easy-to-access information via our Privacy Policy. We can be reached for further inquiry through our Data Protection Officer.

Communicating Updates

As described in our Third Party Policy, we will notify user of significant changes to how their data is processed, such as the addition of a new subproccesor, at least 7 days in advance.

Reporting Data Breaches

Nested Knowledge is obligated to report information on data breaches and mitigations to the required government agencies as well as reporting information of data breaches to the affected parties.

III. Statement on Sub-processors

Amazon Web Services (AWS)

AWS is used for cloud hosting of the Nested Knowledge platform, including its servers, services, and databases. All user accounts and data generated on the NK application are stored in databases in AWS, behind a firewall (VPC). This data, including personal information, is not shared with AWS in a structured or meaningful way, instead only being processed by NK application code within the VPC.


Auth0 provides authentication of users for the NK application. As such, Auth0 holds:

  • User email and password or social login account identifiers
  • Login history

No further data is shared with Auth0.


HubSpot Inc. is used to notify users via email of new software releases that will interrupt their workflow. Users can opt out of emails at any time. We also use HubSpot to handle inbound sales inquiries, onboarding communication, and technical support requests.

HubSpot stores the full name and email addresses of users. Users can have their personal or organizational data deleted at any time. All user data is deleted from HubSpot if an account is deleted.

HubSpot may employ additional third-party sub-processors, which are listed in Annex 3 of their Data Protection Agreement.

IV. GDPR Roles and Employees

Nested Knowledge's Data Protection Officer (see below) is responsible for promoting awareness of the GDPR across the organization, assessing our GDPR compliance, identifying any gap areas and implementing the new policies, procedures and measures.

Nested Knowledge understands that continuous employee awareness and understanding is vital to the continued compliance of the GDPR; we have involved our employees in our preparation plans.

Data Protection Officer

See the Data Protection Officer section of our Information Security policy.


For any GDPR-related issues, contact the CEO or other contacts listed under Key Contacts.

GDPR Audit Record

Nested Knowledge began an internal audit in September 2023

AuthorDate of Revision/ReviewComments
K. Kallmes05/22/2023Minor revisions
K. Cowie05/21/2023Minor revisions
K. Cowie01/24/2022Minor revisions
K. Holub01/11/2022Sub-processors
K. Kallmes11/19/20212021 version finalized and signed off

Return to Policies

wiki/policies/regulatory.txt · Last modified: 2023/09/28 21:18 by katcow