GDPR Compliance at Kustomer

We take customer data privacy seriously at Kustomer.  Our team has spent considerable time working with trusted privacy consultants to become EU-US & Swiss-US Certified. With the GDPR, we will continue to improve our customer’s data privacy while seeking to become compliant with the new regulations. If you are a company in the EU or simply would like to understand what we are doing to protect your data, the following guide should help answer your most common questions.

For more detail about privacy, please read our Privacy Policy.

What is the GDPR?

The General Data Protection Regulation is the latest and most comprehensive to date, regulation from the European Union to protect the privacy of EU citizens and residents. The regulation goes into effect on May 25th 2018.

The GDPR Alliance posted an article titled, The General Data Protection Regulation (GDPR) In A Nutshell that outlines the GDPR in simple terms:

  • Applies to personal data — any data that relates to or can be used to identify a person in any way.
  • Controls what can be done with personal information.
  • Requires that consent is given or there is a good reason to process or store personal information.
  • Gives a person a right to know what information is held about them.
  • Allows a person to request information about them is erased and that they are ‘forgotten’ — unless there is a reason not to do this — e.g. a loan account.
  • Makes sure that personal information is properly protected. New systems must have protection designed into them (Privacy by Design). Access to data is strictly controlled and only given when required (Privacy by Default).
  • If data is lost, stolen or is accessed without authority, the authorities must be notified and possibly the people whose data has been accessed may need to be notified also.
  • Data cannot be used for anything other than the reason given at the time of collection.
  • Data is securely deleted after it is no longer needed.
  • Allows national authorities to impose fines on companies breaching the regulation.

For more information, here is the full GDPR.


What is Kustomer doing to prepare for the GDPR?

Kustomer is in the process of updating technical and organization controls to be ready for the May 25th 2018 deadline.  This includes the highlighted areas of focus below:

Data Subject Rights

We plan to update our privacy policy, landing pages, and application forms to clearly, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, identify the purpose of the processing of personal data by Kustomer and its data processors to make users fully aware of how their data is being processed.  

Kustomer will provide users with the right to data access, portability, and the right to be forgotten.  As such, users will be able to submit requests to access their personal data, require changes or corrections to that personal data, ensure that they can export their data in a machine readable format, or delete or remove personal data from being processed.

In the event of a request made by the data subject, Kustomer will respond, without undue delay, in accordance with the timelines specified within the GDPR.

Data Protection by Design

We are updating our processes to ensure privacy is being considered within the design phase of all new features, that we understand where personal data is being processed within internal systems and through our data processors so that we can provide the proper level of visibility and control to our users.  

Data Protection By Default

Kustomer will by default, only process personal data when absolutely necessary for the purposes of providing the functionality of the application.  Additionally, once processing is no longer required for a set of personal data, it will either be removed or pseudonymization applied.

Data Minimization

Kustomer will minimize the personal data being processed where possible and remove processing once no longer required.  We will not collect any personal data that is not required for processing.

Security of Processing

Kustomer will apply technical and organization practices to minimize access to systems and data. There are multiple levels of authorization required for individuals to access, audit trails available for understanding access, real time notifications from our continuous security monitoring tools, and procedures in place to limit and remove access when no longer required.

Data Mapping

Kustomer plans to perform data mapping to ensure we understand where personal data is flowing,what specifically is being processed by each data processor, and whether it needs to be processed. We will ensure that our data processors are GDPR compliant, and as such, will adhere to the same level of sensitivity to data privacy as Kustomer.

How do I submit a Data Subject Rights request to Kustomer?

Kustomer is working on exposing tools for users to easily submit and manage Data Subject Rights requests including access, corrections, portability, or deletion. For the time being, all DSR requests will be handled by our CX team. If you have an account with us, you may access, correct, or request that we delete your personal data by sending an email request to us at privacy@kustomer.com. Your request may include personal data of other individuals, such as your employees or customers that you have provided to us and who have requested this of you.

Data Processing Addendum

We offer a data processing addendum (DPA) for our customers that operate in the EU with contractual terms that meet GDPR requirements and that reflect our data privacy commitments.

Download Kustomer’s Data Processing Addendum Processor Template

Resources

Contact Us

If you have any further GDPR or other EU privacy questions or concerns, please reach out to us at privacy@kustomer.com.