GDPR Compliance


We maintain the strictest data protection and privacy policies for our customers, including complying with the General Data Protection Regulation (GDPR).

On this page, we’ll explain how we achieved GDPR compliance—both for ourselves and our customers.

What is GDPR and why does it matter?

The European Union General Data Protection Regulation (GDPR) is the most comprehensive EU data privacy law in decades. It became enforceable on May 25, 2018.

Besides strengthening and standardizing personal data protection across the EU member states, it imposes obligations on any organization that processes the personal data of people in the EU, regardless of where the organization itself is located.

The new regulations are designed to better reflect the interconnected nature of our world regarding consumer’s right to privacy, protection of personal data, and business usage of personal data across the European Union.

How is Certify complying with the GDPR?

The GDPR, and the harmonization of data protection requirements across Europe that came with it, gave us an opportunity to review and improve how we handle and process data.

While our existing security and privacy programs provide our customers with the highest security standards, the added layer of GDPR compliance will give our customers increased peace of mind.


Additionally, the Certify Legal and Privacy teams have carefully analyzed the GDPR and have taken the necessary steps to ensure we comply with the regulation including:

  • Assessing our previous level of compliance; identifying and prioritizing tasks needed to update our privacy policies, procedures, and practices to achieve compliance.
  • Conducting an inventory of customer and employee data flows, data sharing relationships, practices, and procedures across applicable Certify products. This will result in the creation of a Data Inventory which we will maintain.
  • Assessing legal documents and ensuring we have the appropriate contractual terms in place.
  • Ensuring we can continue to support international data transfers by maintaining our Privacy Shield certifications, and by executing Standard Contractual Clauses through our updated Data Protection Addendum.

In addition to these specific objectives, we will continue to monitor the guidance around GDPR compliance from privacy-related regulatory bodies to ensure we maintain compliance as regulations evolve.

Did Certify achieve GDPR compliance on its own?

We partnered with TrustArc to assist in our compliance efforts.

TrustArc (formerly TRUSTe) is widely regarded as a leading GDPR compliance expert in the privacy industry. Its consultants are former Chief Privacy Officers who have completed EU-US Privacy Shield verifications, and many have worked directly with European Union officials and working groups on GDPR specifics since the reform was first drafted.

With this trusted partner guiding our compliance process, we became GDPR compliant before the May 25, 2018 deadline.

What is a Data Protection Addendum (“DPA”)?

Certify offers customers and prospects a robust Data Protection Addendum (“DPA”), which governs the relationship between the customer (acting as a data controller) and Certify, Inc. (acting as a data processor). The DPA facilitates our customers’ compliance with their obligations under EU data protection law.

This document is a key requirement for compliance with the GDPR.

Our DPA contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to Certify, whose systems are hosted outside of the European Union. Such transfers must rest on one of three mechanisms: our Binding Corporate Rules, our Privacy Shield certification, or Standard Contractual Clauses. Note that the EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II decision), so transfers from the EU now have to rely on Standard Contractual Clauses or Binding Corporate Rules rather than Privacy Shield.

What does this mean for Certify customers?

By signing our DPA, you put in place the controller-processor contract that the GDPR requires (Article 28) for the personal data you process through Certify, including data relating to employees or users located in the European Union. The DPA covers Certify's processing on your behalf; it does not, by itself, make your organization GDPR compliant.

While we took care of the heavy lifting, there are a few steps required to maintain compliance with the new regulations.

Compliance with the GDPR requires a partnership between Certify and our partners and customers in their use of applicable Certify products. In this context, Certify will act as a data processor and our partners and customers generally will act as data controllers.

Meeting GDPR obligations is complicated, and we encourage our partners and customers to independently familiarize themselves with the GDPR as it relates to their organization.

What if my company doesn’t have any employees in the European Union?

Even if your company has no employees in the EU, the GDPR applies to you if you process personal data of people located in the EU, for example because you offer them goods or services or monitor their behaviour there.

Our robust Data Protection Addendum (DPA) takes most of the heavy lifting out of compliance for your company when using applicable Certify products.

We can also offer a simple waiver that customers with no EU nexus can sign instead of our DPA. However, it should be noted that customers who sign such a waiver would be choosing to retain all responsibility for compliance with the GDPR.

We recommend that all customers sign the DPA so that our GDPR compliance efforts can benefit your organization.

What if we have more questions about GDPR compliance with Certify?

As always, please feel free to contact your Customer Success Manager or the Support Team with any questions or concerns you may have.

Disclaimer:

This page is intended to provide helpful guidance to Certify customers on the GDPR and not as a comprehensive solution or legal advice. Each organization must take steps to ensure compliance with all regulations.



GDPR FAQ

How does GDPR relate to PCI, SOC, and other standards?

In some ways, GDPR overlaps with other security and privacy standards, but it differs in that there is currently no approved GDPR "certification" scheme. GDPR "compliance" is the goal, and existing security standards and certifications serve as excellent starting points for pursuing it.

Certify products provide our customers with strong security controls, including strong encryption, third-party audited standards (PCI DSS, SOC 2), Privacy Shield certification, regular vulnerability scanning and penetration testing, and regular review of our security policies and procedures.

As a customer, what documentation will I receive from Certify demonstrating compliance?

We make security and compliance documents available to current customers and sales prospects through our own Mutual-NDA Security Documents Portal.

The Data Protection Addendum (DPA) is available as a contract addendum, and we require all customers and prospects to agree to our DPA or, for customers with no EU nexus, to sign a waiver and retain all responsibility for GDPR compliance.

What is a DPA?

A DPA is a legally binding agreement that governs the relationship between a customer (acting as a data controller) and an organization (acting as a data processor). The agreement also regulates the specific ways data is handled and processed—such as scope and purpose.

The DPA facilitates our customers’ compliance with their obligations under EU data protection laws.

My company does not have employees in the EU, so why do I have to sign the DPA?

We offer a simple waiver that customers with no EU nexus can sign instead of our DPA.

However, it should be noted that customers who sign such a waiver would be choosing to retain all responsibilities for compliance with GDPR. We recommend that all customers sign the DPA so that our GDPR compliance can benefit their organization.

Should the customer choose to sign the waiver, they can request a waiver form by emailing privacy@certify.com and put “GDPR waiver” in the subject line.

Is anything changing as to how customer data is processed by Certify as a result of this DPA? Is there any physical change in how data is processed or stored?

No. There is no change in how Certify will process or store customer data. If anything, Certify has enhanced its security measures and granted additional rights to its customers for managing their data and privacy.

In which countries is customer data processed?

Customer data is processed within the United States and Canada.

The DPA refers to various clauses, but there are no clause numbers on the addendum itself. Can we have a copy with the clause numbers on it to review?

This usually happens when the DPA has been converted from .pdf to a Word document; the conversion disturbs the formatting and numbering. Please download and review the .pdf as provided, which retains the clause numbering.

Is the customer able to obtain a fully executed version of the DPA after the online completion/acceptance?

The automated process does not generate a fully executed version of the DPA.

However, customers may download the .pdf version after accepting it, countersign the DPA, and email a copy to their Customer Success Manager for the company’s records.

Can we receive the DPA in a word format?

The DPA is only available in a read-only .pdf format to ensure the integrity of the document.

If we decide to sign the DPA even though we do not meet the criteria, what are the pros and cons?

There are no downsides to signing the DPA. The benefit is that the contractual terms the GDPR requires between a controller and a processor are already in place should you ever process personal data of people in the EU through Certify, for example when an employee or user is located in or travels to the EU. Such processing and the associated data transfer will be covered by the DPA.

What if a customer refuses to sign either the DPA or the waiver? Will the service be suspended or terminated?

No, the service will not be terminated or suspended. We urge all customers to take advantage of the work we have completed to adhere to the GDPR by signing our DPA. Customers who choose not to sign the DPA will be asked to sign the waiver instead.
