We have implemented processes and procedures to ensure we meet both our Data Controller and Data Processor obligations. As such, ActivTrak has determined that our current security controls, and certifications including Privacy Shield and Contractual Clauses defined in our Data Processing Addendum (DPA), allow us to adhere to the GDPR’s requirements applicable to ActivTrak’s business. This assessment includes supporting our customers in meeting their GDPR obligations.
It is important to note that GDPR does not have an accredited certification method. That means, there is no GDPR-approved way to demonstrate compliance. We believe our customers will appreciate that we voluntarily undergo security and compliance audits with respected firms to obtain their opinion.
Here is what ActivTrak has done to meet our GDPR obligations and help our customers do the same:
Privacy Shield and Data Transfer
ActivTrak currently complies with current EU and EEA data protection laws as they stand today regarding onward transfer of data subject information to a data processor. As a customer, we understand that you are entrusting us with your data. Therefore, ActivTrak takes a principled approach to privacy and security, gaining certification with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EEA to the United States. Privacy Shield was designed with many of the privacy concepts that are in GDPR in mind. To learn more about the Privacy Shield Framework and the scope of our participation, visit the U.S. Department of Commerce website.
Standard Contractual Clauses
Additionally, ActivTrak signs DPAs with customers who need them. Where necessary, ActivTrak includes standard contractual clauses for transfer to third-party countries (the current bar set by the EU Commission). These clauses ensure our customers can transfer data to countries outside of the EEA for use in our system. Further, ActivTrak has DPAs in place with all sub-processors where legally required.
ActivTrak has already implemented many strong data security requirements and controls to protect our customers data – many of which already meet GDPR standards.
- ActivTrak has strong data protection controls, which includes encryption in transit and encryption at rest of customer data, to safeguard data subject’s data from unintended disclosure or misuse. ActivTrak rigorously tests its product to remedy proactively vulnerabilities and follows industry best practices and guidance in information security.
- ActivTrak maintains incident response and notification processes.
- ActivTrak has procedures in place to ensure data recovery and data integrity, so that customer data isn’t lost or inadvertently corrupted.
- ActivTrak provides assurances that the customer retains ownership of their data as described in Section 5.1 of our Master Subscription Agreement.
- Activrak’s key data sub-processors, i.e. Google Cloud Platform (GCP), all maintain rigorous security standards (SOC2 and/or ISO 27001 certifications, where possible), and undergo annual vendor reviews.
Disclosure & Consent
If your legal counsel determines you also need to obtain user consent before using ActivTrak, make sure you update your integration with ActivTrak to only send data from those who provided the required consent or have otherwise consented to it. Please note that proof of consent is required and may be necessary in the event of legal proceedings.
Use ActivTrak’s Data Processing Addendum (DPA)
If your company determines that you are subject to GDPR you can download our latest DPA. ActivTrak continues to monitor the guidance issued by the European Data Protection Board to ensure that we remain abreast with the most recent developments pertaining to GDPR. ActivTrak is also prepared for the fact that privacy compliance in the EU will be an evolving area and that compliance with GDPR is not a one-stop check box or finish line – it will require continuous adjustments and actions to ensure that we, and our customers, remain compliant.