GDPR
trusender is ISO 27001 certified and GDPR compliant. We respond to your frequently asked questions below.
What is GDPR and who does it apply to?
The GDPR is an EU regulation designed to protect the privacy of EU citizens and impacts all organizations that process the personal data of such citizens, regardless of whether an organization itself is based in the EU.
The GDPR is effective from 25 May 2018 and aims to give EU citizens and residents greater control over their personal data, while simultaneously simplifying the regulatory environment for international business that takes place in the EU.
The GDPR describes different requirements depending on how an organization handles data subjects’ personal data.
- “Data Controllers” are businesses that collect customer data and also decide how, when and why that customer data is processed.
- “Data Processors” are businesses that carry out the processing of customer data on behalf of a Data Controller.
trusender is both a Data Controller in our relationship with our own customers, and a Data Processor in our role as an organization that helps other businesses process their customer data (we generally refer to this as End User Data).
trusender’s GDPR compliance
In line with our commitment to GDPR compliance, we have reviewed, updated and modified many of our internal practices and policies to ensure we meet GDPR requirements as Data Controller and Data Processor.
Below is an overview of several key things we’ve put in place to ensure such compliance.
Data Processing Addendum
We offer a data processing addendum (DPA) for our customers who collect data from data subjects in the EU. Our DPA offers contractual terms that meet GDPR requirements. We have published this DPA inside your Vero account, and customers that require a DPA agreement with Vero in our role as the processor can download and execute a copy of our DPA here.
To ensure that no terms are imposed on Vero beyond what is reflected in our DPA and Terms of Service, in most scenarios we cannot agree to sign customers’ DPAs. We are a small team and do not have an in-house legal team. Changes to our standard DPA require legal counsel and this is typically cost-prohibitive for our team. If you are unable to comply with our standard DPA, please email us at support@trusender.com – we are happy to discuss your concerns and our options.
Data Inventory
We maintain an internal matrix identifying all data subjects with which Vero interacts and the categories of data collected about each of these data subjects. This matrix has been built in response to the GDPR deadline and will be maintained going forward whenever changes to trusender’s product, infrastructure, marketing or other organizational elements occur.
Using this matrix we are able to review and validate the legal basis for collecting and processing personal data and ensure that we have in place the appropriate security and privacy safeguards across our infrastructure and software ecosystem.
Third Party Vendors
We maintain a list of third-party vendors on our website here. We have reviewed and minimised this list as much as possible.
We either have already put in place, or are finalising, the correct agreements with each of these vendors (for the 25 May 2018 deadline).
Breach Management
We maintain an internal Breach Management Policy that outlines the process our team should follow in the event of a suspected data breach. We have updated this document in response to the GDPR and other relevant data privacy regulations.
Data Subject Rights in our role as Processor
Ways in which Vero helps you comply with GDPR as a Processor
If you are working with EU customers, you need to be able to provide them with the ability to access, update, retrieve and remove personal data. We’ve offered self-service features that help support these requirements from day one.
As part of providing trusender’s software and services, we offer the following features that will help you fulfil the rights of data subjects in your role as a Data Controller:
- “Delete” requests (“Right to be forgotten”, “Right to the restriction of processing”). We provide a /delete endpoint via our API. This endpoint removes the customer and all of their data from Vero’s systems. You can also remove users directly in the UI, or raise a request via our helpdesk at support@trusender.com.
- Updating customer data (“Right to rectification”, “Right to object”). Calling trusender’s /identify API endpoint updates and overrides a customer’s user properties, enabling you to respond to customer requests to ensure accuracy in the data you have about them. You can also update user records using trusender’s UI or our CSV import functionality.
- Exporting customer data (“Right to data portability”). You can download a copy of all user details (user properties) as part of a segment export in Vero. If you would like to export a user’s, or users’, full event history, please email us at dataprivacy@trusender.com with the ID / name of the segment to export.
- Event tracking (fulfilment of consent). trusender’s events enable you to track granular data about your customers. Ensuring that you track consent given by customers is critical under GDPR and our events can assist in this process.
We store all data provided to Vero indefinitely unless your account is terminated. In this case, we will dispose of all data in accordance with our Terms of Service, and data will be deleted promptly.
A note on consent
Under GDPR you must have a legal basis for all data processing. As a Data Controller using Vero, it is likely that consent will be one of the legal bases used to ensure compliance for the data you send us.
In order to be valid, this consent must be verifiable. As the Data Controller, it is your obligation to ensure you have researched and reviewed your consent-gathering processes. The following does not constitute legal or compliance advice, but provides some suggestions as to how we have seen Data Controllers manage consent:
Verifiable consent requires a stored record of how and when a customer agreed to let you process their data. trusender’s events capture the activity and timestamp of a user action and are our recommended basis for tracking consent.
Unambiguous and explicit consent requires that data subjects take an action to affirmatively consent to the data being processed. An example of this is actively ticking a box as part of a signup or subscription process. This opt-in process must include a message that clearly (in plain language) states the ways in which the data subject’s personal data will be used. Examples of ways in which you are likely to use data when using Vero include:
- Transferring the user’s contact data to Vero
- Sending the user email messages using Vero
- Tracking behavioural interactions for email marketing purposes
If you rely on consent to process customers’ personal data, double check where and why your contacts shared their data with you to make sure that the consent you obtained meets the GDPR’s standards.
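As an added illustration of the consent-tracking approach described above (this is example code, not trusender’s or Vero’s own code or API), the helper below builds the kind of consent event a Data Controller would keep: who consented, when (timezone-aware, normalised to UTC), for which named purposes, how the consent was given, and the exact plain-language wording shown. It refuses to build a record that would not be verifiable or unambiguous (no affirmative action, no purpose named, no notice text, or a timestamp without a timezone), and it also resolves a user’s later withdrawal against an earlier consent, since a withdrawal must override what was given before. The purpose identifiers, field names and event names are assumptions made for this example.

```python
"""Hypothetical consent-record helper (added example, not trusender's or Vero's code).

Builds verifiable consent/withdrawal events for a Data Controller and answers
"does the user's latest decision cover this purpose?" from an event history.
Purpose identifiers, field names and event names are assumptions.
"""
from __future__ import annotations

import hashlib
from datetime import datetime, timezone

# Purposes a Data Controller is likely to name when using an email platform,
# taken from the list above. The short identifiers are assumptions.
PURPOSES = {
    "transfer_contact_data": "Transferring the user’s contact data to the email platform",
    "send_email": "Sending the user email messages",
    "track_behaviour": "Tracking behavioural interactions for email marketing purposes",
}


class ConsentError(ValueError):
    """Raised when a record would not be verifiable or unambiguous."""


def _utc_iso(when) -> str:
    """Normalise a datetime or ISO-8601 string to an unambiguous UTC ISO-8601 string."""
    if when is None:
        dt = datetime.now(timezone.utc)
    elif isinstance(when, str):
        dt = datetime.fromisoformat(when)  # accepts an explicit +HH:MM offset
    else:
        dt = when
    if dt.tzinfo is None:
        raise ConsentError("timestamps must be timezone-aware so 'when' is unambiguous")
    return dt.astimezone(timezone.utc).isoformat()


def build_consent_event(user_id: str, purposes, consent_text: str,
                        affirmative_action: bool, source: str, when=None) -> dict:
    """Return a stored record of how and when a user agreed to named purposes.

    affirmative_action: True only if the user actively did something (e.g. ticked
    an unticked box). A pre-ticked box or silence does not count.
    source: where the consent was gathered, e.g. "signup_form_v3" (assumed name).
    """
    if not affirmative_action:
        raise ConsentError("consent must come from an affirmative action by the user")
    if not purposes:
        raise ConsentError("at least one purpose must be named")
    unknown = set(purposes) - set(PURPOSES)
    if unknown:
        raise ConsentError(f"unknown purposes: {sorted(unknown)}")
    text = consent_text.strip()
    if not text:
        raise ConsentError("the plain-language notice shown to the user must be recorded")
    return {
        "event": "consent_given",
        "user_id": user_id,
        "timestamp": _utc_iso(when),
        "purposes": sorted(purposes),
        "source": source,
        # Hash lets you prove later exactly which wording the user saw,
        # even if the notice text is edited afterwards.
        "consent_text_sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
        "consent_text": text,
    }


def withdraw_consent(user_id: str, purposes, source: str, when=None) -> dict:
    """Record that the user withdrew consent for the named purposes (Right to object)."""
    if not purposes:
        raise ConsentError("at least one purpose must be named")
    return {
        "event": "consent_withdrawn",
        "user_id": user_id,
        "timestamp": _utc_iso(when),
        "purposes": sorted(purposes),
        "source": source,
    }


def consent_covers(event: dict, purpose: str) -> bool:
    """True if this single event is a consent that names the purpose."""
    return event["event"] == "consent_given" and purpose in event["purposes"]


def latest_decision(events, purpose: str) -> bool:
    """Replay a user's consent history in time order; the most recent event
    that mentions the purpose decides. No event at all means no consent."""
    decision = False
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if purpose in ev["purposes"]:
            decision = ev["event"] == "consent_given"
    return decision


if __name__ == "__main__":
    # Constructed sample: a signup consent followed by a later withdrawal.
    given = build_consent_event("user-123", ["send_email", "track_behaviour"],
                                "We will email you and track which emails you open.",
                                True, "signup_form_v3", when="2018-05-25T10:00:00+02:00")
    withdrawn = withdraw_consent("user-123", ["track_behaviour"], "preferences_page",
                                 when="2018-06-01T09:00:00+00:00")
    print(given["timestamp"], latest_decision([withdrawn, given], "send_email"),
          latest_decision([withdrawn, given], "track_behaviour"))
```

In practice the returned dict is what you would send as the event payload to your processor and keep in your own records; the point is that every field needed to prove "how and when" is captured at the moment of the user's action, not reconstructed later.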
Data Subject Rights in our role as Controller
If you are a customer of Vero based in the EU, you should be able to access, update, retrieve and remove your own personal data.
You may edit the data you have provided to Vero by opening and managing your Vero account in the Account area, once logged in. If you would like an export of such data or to otherwise discuss the personal data we store, please email us at dataprivacy@trusender.com. Refer to our Privacy Notice for information regarding the collection, storage and management of personal data provided to us.
We have also implemented cookie preferences. Please refer to our Cookie Notice for further details and access to your preferences.
We are here to assist
We take data privacy seriously and think the GDPR is a great step forward for data subjects. If you have any questions regarding GDPR or data privacy, please don’t hesitate to email us at support@trusender.com.