GDPR Compliance at Kustomer

We take customer data privacy seriously at Kustomer. Our team has spent considerable time working with trusted privacy consultants to become EU-US & Swiss-US Certified. With the GDPR, we continue to improve our customers' data privacy while complying with the new regulations. If you are a company in the EU or simply would like to understand what we are doing to protect your data, the following guide should help answer your most common questions.

For more detail about privacy, please read our Privacy Policy.

What is the GDPR?

The General Data Protection Regulation is the latest, and to date the most comprehensive, regulation from the European Union to protect the privacy of EU citizens and residents. The regulation goes into effect on May 25th, 2018.

The GDPR Alliance posted an article titled "The General Data Protection Regulation (GDPR) In A Nutshell" that outlines the GDPR in simple terms:

  • Applies to personal data — any data that relates to or can be used to identify a person in any way.
  • Controls what can be done with personal information.
  • Requires that consent is given or there is a good reason to process or store personal information.
  • Gives a person a right to know what information is held about them.
  • Allows a person to request information about them is erased and that they are ‘forgotten’ — unless there is a reason not to do this — e.g. a loan account.
  • Makes sure that personal information is properly protected. New systems must have protection designed into them (Privacy by Design). Access to data is strictly controlled and only given when required (Privacy by Default).
  • If data is lost, stolen or is accessed without authority, the authorities must be notified and possibly the people whose data has been accessed may need to be notified also.
  • Data cannot be used for anything other than the reason given at the time of collection.
  • Data is securely deleted after it is no longer needed.
  • Allows national authorities to impose fines on companies breaching the regulation.

For more information, here is the full GDPR.


What is Kustomer doing to comply with the GDPR?

We have updated our technical and organizational controls, which include the following areas of focus:

Data Subject Rights

We updated our privacy policy, landing pages, and application forms to identify the purpose of the processing of personal data by Kustomer and its data processors in a concise, transparent, intelligible and easily accessible form, using clear and plain language, so that users are fully aware of how their data is being processed.

Kustomer provides users with the right to data access, portability, and the right to be forgotten.  As such, users are able to submit requests to access their personal data, require changes or corrections to that personal data, ensure that they can export their data in a machine-readable format, or delete or remove personal data from being processed.

In the event of a request made by the data subject, Kustomer will respond, without undue delay, in accordance with the timelines specified within the GDPR.

Data Protection by Design

We updated our processes to ensure that privacy is considered in the design phase of all new features and that we understand where personal data is being processed within internal systems and through our data processors, so that we can provide the proper level of visibility and control to our users.

Data Protection By Default

Kustomer, by default, only processes personal data when absolutely necessary for the purposes of providing the functionality of the application. Additionally, once processing is no longer required for a set of personal data, that data is either removed or pseudonymized.

Data Minimization

Kustomer minimizes the personal data being processed where possible and stops processing once it is no longer required. We do not collect any personal data that is not required for processing.

Security of Processing

Kustomer applies technical and organizational practices to minimize access to systems and data. There are multiple levels of authorization required for individuals to gain access, audit trails available for understanding access, real-time notifications from our continuous security monitoring tools, and procedures in place to limit and remove access when it is no longer required.

Data Mapping

Kustomer performs data mappings to ensure we understand where personal data is flowing, what specifically is being processed by each data processor, and whether it needs to be processed. We ensure that our data processors are GDPR compliant, and as such, adhere to the same level of sensitivity to data privacy as Kustomer.

How do I submit a Data Subject Rights request to Kustomer?

Kustomer is working on exposing tools for users to easily submit and manage Data Subject Rights requests including access, corrections, portability, or deletion. For the time being, all DSR requests are handled by our CX team. If you have an account with us, you may access, correct, or request that we delete your personal data by sending an email request to us at privacy@kustomer.com. Your request may include personal data of other individuals, such as your employees or customers that you have provided to us and who have requested this of you.

Data Processing Addendum

We offer a data processing addendum (DPA) for our customers that operate in the EU with contractual terms that meet GDPR requirements and that reflect our data privacy commitments.

Download Kustomer’s Data Processing Addendum

GDPR Sub-processors

We share some personal information with the following companies that can be considered processors under the GDPR:

  • Amazon AWS (Cloud Hosting Provider)
  • MongoDB (Remote Database Backups)
  • Stripe (Billing)
  • Twitter (Application Channel)
  • Facebook (Application Channel)
  • Postmark (Application Channel)
  • Twilio (Application Channel)
  • New Relic (Application Performance Monitoring)
  • Sentry (Application Performance Monitoring)
  • LaunchDarkly (Release Management)
  • Beamer (Release Management)
  • Amplitude (Usage Analytics)
  • Mixpanel (Usage Analytics)
  • Segment.io (Usage Analytics)
  • Salesforce (CRM)
  • Google Analytics (Usage & Marketing Analytics)
  • Marketo (Website Marketing)
  • Greenhouse.io (Talent Acquisition)

Contact Us

If you have any further GDPR or other EU privacy questions or concerns, please reach out to us at privacy@kustomer.com.