Two Hat takes security and privacy very seriously. Our content moderation platform is classed as a data processor, meaning we diligently ensure our compliance, as well as our client’s.


Learn about how Two Hat’s settings can assist kid’s platforms on their road to COPPA compliance.


May 25th, 2018. On this date, the General Data Protection Regulation (GDPR) was enforced in the EU. Companies that don’t comply could face fines of up to €20 million or 4% of worldwide annual turnover (whichever is higher).

At Two Hat, we take the security and privacy of your user’s data very seriously. Our content moderation platform Community Sift is classed as a data processor, so we diligently engaged with industry experts and international consulting firms to ensure that we are compliant.

What is GDPR?

GDPR replaced the Data Protection Directive 95/46/EC as the primary law that regulates how companies collect user’s personal data. GDPR applies to any company that collects data from EU citizens, regardless of their physical presence in the EU. The regulation increases accountabilities for both “data controllers” (companies that collect personal data) and “data processors” (companies like Two Hat that process personal data).

As defined by GDPR, personal data refers to:

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

GDPR is a complex piece of legislation with many moving parts. Because of this, some areas are up for interpretation. However, the basics are relatively clear and can be broken down into four distinct categories: data minimization, transparency, security by design, and privacy by design.

Important note: We are not GDPR specialists, and cannot offer legal advice. We strongly recommend that you consult with your own experts (legal team, Data Protection Officer, GDPR consultant, etc) for advice relating to your specific situation.

Read the complete regulation here.

What are the GDPR requirements?

Key transparency requirements of the regulation include:

Breach Notification

Notification within 72 hours is mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. As a data processor, Two Hat is required to notify data controllers (our clients) of any data breaches. In the event of a data breach, Two Hat will provide notice within 24 hours.

Right to be Forgotten (also known as “Right to Erasure”)

Data subjects can request that their personal data be erased. There may be some exceptions, as data controllers can compare the subjects’ rights to erasure to “the public interest in the availability of the data”. In this situation, we strongly recommend that you consult with your legal team to determine how they define “public interest”. To facilitate users’ Right to be Forgotten requests, Two Hat provides clients with a dedicated API.

Right to Access

Data subjects can request confirmation as to whether or not their personal data is being processed, as well as where and to what purpose. Data controllers are also expected to provide an electronic copy of the subject’s personal data for free.

Are Two Hat and Community Sift GDPR compliant?

Two Hat has implemented new processes and upgraded technology to address the key points above, in addition to other aspects of GDPR. We are committed to GDPR compliance and have met all of the requirements of the regulation as of May 25th, 2018.

Request Demo