Last updated: July 31, 2019.
The General Data Protection Regulation (GDPR) provides consistent standards to protect EU citizens’ rights regarding how their data is being used. It went into effect on May 25, 2018, and applies to any company that handles personal data from EU citizens and those living in the EU.
As a Processor for your user data, we are also committed to making it easier for you to comply and equipping you, our customers, with more accessible paths towards your compliance with applicable laws and regulations. As part of our commitment to our customers’ privacy and security and were ready for the GDPR when it came into effect on May 25, 2018, and continue to make improvements as new developments progress.
In July 2020, the European Union’s top court invalidated the Privacy Shield, which previously helped protect data transfers between the EU and the US. In response to this new ruling, we have published our Standard Contractual Clauses for the immediate protection of your data. Additionally, we are currently creating an EU region for storing your Customer.io data and are committed to having this in production by January 1st, 2021.
Here we’ll provide a quick overview of GDPR and share what we did to prepare.
Replacing the previous EU privacy directive 95/46/EC, which had been in place for over 20 years, the GDPR strengthens and expands individuals’ privacy rights in an era in which much of life takes place online.
The GDPR is extensive, affecting not just businesses based in the EU but also any company that processes EU citizens’ data. For instance, if you’re sending data about a person in the EU to Customer.io, the GDPR likely applies to you.
The Data Protection Principles outlined in the GDPR include requirements like the following:
- Personal data collected must be processed in a fair, legal, and transparent way and should only be used in a way that a person reasonably expects.
- Personal data should only be collected to fulfill a specific purpose, and it should only be used for that purpose. Organizations must specify why they need personal data when they collect it.
- Personal data should be held no longer than necessary to fulfill its purpose.
- People covered by the GDPR have the right to access their data. They can also request a copy of their data and be updated, deleted, restricted, or moved to another organization.
We’d encourage you to read the text in full and consult with your legal counsel for a complete understanding of the GDPR.
How Does Customer.io Comply With GDPR?
As a customer of Customer.io who puts data about your end users into our product, you are a Data Controller. We act as a Data Processor for you. We’re also a Data Controller in supplying services to you (as a Customer.io customer) and making decisions about your data.
In addition to our compliance — we made it easy for you to comply as a data controller. Here is an overview of what we’ve done so far:
Security and Data Management
Customer.io employs strict policies and procedures around security and data management. Additionally, we have a designated internal team and engaged outside expertise to enhance security standards that protect our customers’ data:
- Our Data Protection Officer ensures ongoing GDPR compliance. You can contact them at firstname.lastname@example.org.
- We ensure prompt notifications to customers and GDPR authorities as required in the unlikely event of a data breach.
- We have formalized and documented internal policies related to data security.
- We use safeguards to ensure secure and proper handling of data stored outside of the EU as required.
- We only process personal data according to our customer’s instructions.
Expanding Product Capabilities
To help you comply with Article 24 (responsibility of the controller) and your end-users’ requests related to the right to access, data portability, right to erasure, right to object and the right to restrict processing — our platform easily allows for:
- Easy profile export: Export all data about a single profile in a simple, standardized format to help you with requests from your end-users regarding access and data portability.
- Automatic suppression: API endpoint that allows us to block any associated incoming personal data to help you comply with requests regarding the right to object or restrict.
- Audit trail: Customer.io provides limited auditing information upon request to date. We expanded and enhanced this capability by adding full audit trails for all changes to your Customer.io account.
Existing Product Capabilities
Customer.io enables compliance with requirements regarding the right of data rectification and the right to be forgotten:
- Right to rectify user data: GDPR gives individuals the right to rectify any inaccurate or incomplete personal data. In Customer.io, data can be adjusted at any time with a simple identify call. This will create or update the associated profile with the newly provided data.
- Right to be forgotten: We make it easy for you to honor deletion requests from your end-users by calling the DELETE API or using the UI to delete a profile. We ensure that any associated user data and historical data are quickly and permanently deleted from our data stores.
- Accountability: Customer.io has role-based permissions, supports encryption at rest of all associated account data, and many data management tools.
We fully support the GDPR and think it’s good to treat customers and their data with care and respect. Our mission is to help companies like yours create better customer experiences with relevant communication. That requires the fair and secure use of personal data that was given with full consent and transparency.