Centercode and EU Data Protection Laws
On May 25, 2018, the EU Data Protection Directive (also known as “Directive 95/46/EC”) was replaced by the EU General Data Protection Regulation (the “GDPR”), which is the European data privacy regulation aiming to strengthen the security and protection of personal data in Europe and harmonize European data protection law between member states. The GDPR governs information relating to an identified or identifiable natural person (“Personal Data”).
Under the GDPR, organizations must demonstrate the security of the Personal Data they’re processing and their compliance with the GDPR on a continual basis by implementing and regularly reviewing robust technical and organizational measures and policy compliance.
Based on this preparation, Centercode is able to offer its customers GDPR-compliant solutions.
Customer Data and Centercode’s Role Under The GDPR
Our customers always own the data they collect and supply to their Customer Validation communities and projects using the Centercode Platform (the “Customer Data”).
Based on this context, our customers are considered the “controllers” of this Customer Data under EU data protection law. We process the Customer Data on behalf of our customers and are considered the “processor” of the Customer Data under EU data protection law.
As our customers’ processor, one important feature of compliance with EU data protection law is our Data Processing Addendum (DPA). This contract addendum governs the relationship between our customer (as data controller of the Customer Data) and Centercode (acting as data processor).
Our DPA contains privacy and security commitments. GDPR requires that customers subject to the GDPR enter into GDPR-compliant contract terms with processors who process Personal Data on their behalf.
In addition, because Centercode and its production systems are primarily located in the United States, Customer Data is located in the United States unless the customer specifically arranges for an alternative location. EU data protection law provides that EU Personal Data may be transferred outside of the EU and European Economic Area when an adequate level of protection for that data is guaranteed. To achieve this level of protection, we enter into controller-to-processor Standard Contractual Clauses with customers who request them and have been doing so for several years.
The European Commission has approved a standard set of contractual provisions in order to provide a data controller with a legally-compliant mechanism for transferring Personal Data outside the European Economic Area. Centercode’s DPA includes the Standard Contractual Clauses to ensure that all customers subject to the GDPR have entered into an appropriate mechanism to lawfully transfer Personal Data from the EU and European Economic Area to Centercode, which is located in the United States.
To execute our DPA and Standard Contractual Clauses, please follow the instructions in our Data Processing Addendum (DPA). Even if you have an existing DPA in place with Centercode, if it pre-dates the GDPR and was not written with the GDPR in mind, in order to be compliant with the GDPR, you will need a revised DPA to be in place that references the GDPR specifically.
The GDPR for Centercode Platform Subscribers
The Centercode Platform, upon which all of our services operate, has been designed to provide our customers with a secure platform for their Customer Validation needs.
Centercode Platform Features Useful for GDPR Compliance
While data privacy and access control have always been core to the Centercode Platform, to prepare for the GDPR and its specific requirements, we rolled out the C14.5 release further strengthening our facilities for Personal Data and data privacy.
The following features and enhancements are now available to all Centercode Platform customers:
Personal Data Fields
The Centercode Form Engine allows Administrators to flag specific form fields that are intended to contain personally identifiable or other Personal Data (“Personal Data Fields”). The platform uses this flag to clearly instruct users of the intended use of both personal and non-personal fields, as well as to appropriately remove this data on opt-out or user delete. This functionality is available in all form types, including User Profiles, Test Platforms, Surveys, and Feedback.
This centralized system allows Administrators to search for and export digital agreements associated with any user across the entire platform. This includes archived projects and users who have previously opted-out. This system also allows end-users (active or opted out) to review the entirety of their own community and/or project agreements at any time.
The platform’s opt-out system removes all flagged Personal Data Fields (see above), in addition to identity (account) information. The system provides an enhanced end-user experience, allowing users to opt out via an email verification, as opposed to requiring login credentials. This system also offers an opportunity for the user to indicate why they’re opting out via both a selection and anonymous open text field. This information is available in a new Opt-Out Dashboard, which is intended to allow Administrators to obtain anonymous feedback which can be used to enhance their community user experience.
It can be expedient and convenient to allow participants to self-administer an opt out and deletion request. However, in some situations, such as when the participant is in an active test and in possession of proprietary, pre-production equipment, this can be problematic. To address this, the platform includes a project role which allows the Administrator to determine which users may actively leave their project. The opt-out system will reference this role before allowing a user to opt out and delete data in Personal Data Fields. In the event that the user cannot opt out due to lacking this role in one or more projects, appropriate Administrator contact information will be shared in order to facilitate the process.
Automatic Report Expiration
All cached reports throughout the platform expire (and are deleted) automatically after 30 days. This ensures that any Personal Data relative to users that have opted out will not be retained unnecessarily.
Projects deleted from the platform interface are deleted 7 days after they are deleted from the interface. This is intended to ensure data is fully erased, and this action cannot be undone.
Customer Data Request Form
Our general community contact form and process has been enhanced to offer community members options specific to request types, including Personal Data and related requests. These requests are all logged within the platform. Contact and request choices may be easily customized to fit the needs of the Administrator.
GDPR and the Centercode Platform
Based on our existing features, infrastructure, policies, and processes, we make the following commitments to Centercode Platform subscribers relative to the GDPR:
Ownership of and Access to Customer Data
Our customers own their Customer Data. We do not access or use Customer Data except in order to perform services for the customer and as directed by the customer. Our employees and contractors are provided access to Customer Data on a limited, as-needed basis.
Password complexity standards default to an eight-character minimum with alpha and numeric requirements and prohibitions on using other identity fields (username, first and last name, or email) within the password. These settings can be easily modified by the platform Administrators to add additional characters and complexity requirements.
Subject to the customer’s edition, customers can also optionally integrate their Centercode Platform implementation with their own single sign-on systems (such as SAML and OAuth). Where the customer’s single sign-on system supports 2-factor authentication, the customer can then extend this feature to its Centercode Platform implementation.
Limiting Access to Personal Data or Sensitive Information
Customer Administrators govern access to the Customer Data and to our services through the use of groups (“Teams“) and permissions (“Roles“). Leveraging these and other features, the platform includes capabilities which allow Administrators to determine which specific fields of information are shared or exposed both internally and externally. Customers are responsible for approving access and reviewing user accounts regularly.
Responses to Legal Requests for Customer Data
In certain situations, we may be required by law to disclose Personal Data in response to lawful requests by public authorities. We may also disclose Personal Data to respond to subpoenas, court orders, or legal process, or to establish or exercise our rights or defend against legal claims. We may also share such information with law enforcement agencies or public authorities if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our customer agreements or user agreements, or as otherwise required by law.
The Centercode Platform infrastructure, including Customer Data and regular back-ups of Customer Data, is located in a secure cloud-computing environment in an audited, United States-based (or as otherwise specified in the order) data center with 24 x 7 on-site security and monitoring. We will not remove Customer Data from these systems except as directed by the customer.
The Centercode Platform production systems are behind a stateful inspection firewall. We conduct a third-party network penetration test annually and internally perform regular vulnerability scans using industry-standard scanning tools. We also employ an intrusion detection system.
Centercode’s Security Program
We maintain a written security program designed for the security, integrity, and protection of Customer Data against unauthorized disclosure or loss. Our security program includes administrative, technical, and physical safeguards appropriate for our size and resources and the types of information that we process.
Appropriate measures are taken against accidental destruction or loss of production data, including backup of all production data on a regular basis. We make a service-level agreement available to our customers which includes response and resolution times. In addition, the infrastructure at the data center, including uninterruptible power supply (UPS) systems, diesel generators for backup power, fire detection and prevention systems, and redundant HVAC equipment, is designed to minimize the impact of external environmental risks. Centercode maintains a business continuity/disaster recovery plan that identifies and addresses risk factors associated with the Services.
We hold Customer Data in strict confidence. Our employees, contractors, and sub-processors are under obligations of confidentiality and are trained in the importance of maintaining the confidentiality and privacy of Customer Data.
We conduct appropriate background checks on all Centercode personnel.
Data in transit is encrypted using the most current version of HTTPS/TLS. In addition, we encrypt all Customer Data at rest and all backups of Customer Data using AES-256.
Request Tracking, Monitoring and Logging
When a request is made to Centercode Support from a customer, a ticket is created in our internal request tracking system and progress is tracked until final resolution. Centercode monitors and logs access to the production systems and logs are maintained for at least ninety days.
Sub-processors for Subscription Services
Centercode uses an audited and secure cloud hosting provider, with servers located in the United States (unless otherwise specified in an order), in order to provide the environments needed to perform the services and store the Customer Data. Centercode’s current sub-processor for cloud hosting is Amazon Web Services, Inc. Prior to the onboarding of any sub-processor, we conduct a review of the security and practices of the sub-processor to ensure an appropriate level of security. We require our sub-processors to enter into appropriate security, confidentiality, and privacy contract terms and have GDPR-compliant data processing addenda in place with our sub-processors. For our managed Customer Validation service customers, additional sub-processors are identified below in “Managed Services Sub-processors.” Finally, the platform includes features which can allow the customer to integrate its other systems, including the systems of its third-party providers. Where the customer uses these features to integrate a third-party system, the third-party system that the customer integrates is the customer’s sub-processor and not Centercode’s. Customers subject to GDPR should review integrations and any tracking or tagging technologies they include in their platform implementation to ensure they are compliant.
Personal Data and Right to Erasure
Data Removal at Subscription Termination
If a Centercode customer chooses to terminate its subscription, its Customer Data (including all Personal Data) will be deleted within 90 days. Optionally, the customer may request its Customer Data be deleted sooner, in which case Centercode will expedite the deletion process to remove all Customer Data within 7 days of the request. In all cases, backups of deleted Customer Data are purged within 30 days.
Personal Data in the Centercode Platform is intended to be restricted to core user account fields (including username, full name, email address, birth date, and password), and all fields marked by the customer’s Administrator as Personal Data Fields, typically including “User Profiles.” The Platform clearly indicates fields intended for Personal Data Fields to the customer’s community members during submission and update.
The customer’s community members may access and update their own User Accounts and User Profile information at any time, unless deliberately restricted by an Administrator. Fields flagged as Personal Data in surveys and feedback are typically non-updatable due to their nature, but are erased on opt-out. If necessary, the Administrator can modify these fields.
Right to Erasure (i.e. Opting-Out)
The Centercode Platform offers users the ability to easily remove their own accounts. If a user chooses to opt out, or their account is deleted by an Administrator, their identity, including all User Account and Personal Data Fields, will be deleted in accordance with the deletion preferences set by the Administrator. Additional data initially associated with the user that is not marked as Personal Data (such as perhaps Bug Reports and Survey results) remains in the platform and is re-associated with an anonymized User Account containing no Personal Data. This allows the user to actively protect their privacy while retaining data integrity within the platform.
Maintaining Digital Agreements
The Centercode Platform offers a facility to assign and manage digital contractual agreements (such as Non-Disclosure or Participant Agreements). Agreements, including Personal Data in agreements, are maintained in the system after a user has been removed (via delete or opt-out) in order to give our customers the flexibility they will need to maintain important contractual records in circumstances where a user has made a Right to Erasure request.
The GDPR contains requirements to report data breaches in accordance with set timeframes. Controllers of Personal Data should ensure they have clear processes in place for responding to data breach notifications quickly. Centercode has processes in place for responding to and tracking security incidents involving its customers’ Personal Data.
We will notify our customers without undue delay and within no more than forty-eight (48) hours upon first becoming aware of a security incident involving their Personal Data. We will notify our customers using the method(s) agreed to in our customer agreements, or if not provided there, we will provide email notification to the customers’ Administrators.
Any security incident will be tracked in our internal tracking system and we will provide our customers with the information they need in order to fulfill any data breach reporting obligations under the GDPR.
Assistance With Best Practices
As always, we’re happy to work with you to enhance your use of the Centercode Platform, including sharing our best practices to ensure that personally identifiable and other sensitive information is collected, stored, and used in a way that minimizes exposure risks and assists in your ability to respond to user requests.
GDPR for Centercode Managed Services
Centercode’s customers include companies that, in addition to obtaining an annual software subscription to the Centercode Platform, engage Centercode to perform managed Customer Validation test services, from managing one or more test projects to managing the customer’s entire Customer Validation program.
In these situations, some of the commitments in “The GDPR For Centercode Platform Subscribers” vary as follows:
Secure Storage of Data Removed from the Platform
In order to perform managed Customer Validation test services for the customer (e.g. services involving shipping test products to testers, managing tester participation, or customer requests for reports), in some circumstances we need to remove Customer Data (including Personal Data) from the production systems.
In this event, we remove the data only to the extent necessary to perform the services, and we abide by strict internal policies governing the handling of Personal Data removed from the production systems. These policies ensure that (1) the data is still only accessible by Centercode employees, contractors, and sub-processors as necessary to perform the managed Customer Validation services; and (2) that we maintain a record of the location(s) of the Personal Data.
Where we manage a customer’s Customer Validation program, while we can assist with project or other deletion requests, we require our customer to provide a written request to delete any project or the Customer Data as a whole during the term of the Centercode Platform subscription (see Data Removal at Subscription Termination above for our post-term Customer Data deletion practices). In other words, we do not manage your Customer Data retention policies and procedures. Where we are managing your Customer Validation program and where we receive a Personal Data deletion request from your users, we will direct the user to any available opt out functionality in your platform implementation. Beyond that, the customer will manage any request.
In addition, when performing managed Customer Validation services, the Centercode managed Customer Validation services team adopts best practices to ensure that Personal Data is only collected in fields marked as Personal Data. This allows for effective Personal Data deletion where the user opts out.
Platform Access and Administration
Because managed Customer Validation services are conducted by Centercode the customer’s platform implementation unless otherwise expressly agreed, Centercode’s staff are appointed as the platform Administrators along with the customer’s own appointed Administrators. As with all platform customers, a managed Customer Validation service customer still ultimately manages access to its Customer Data and to our services by appointing its own Administrators who govern its team’s access to the Customer Data and to our services. The Administrator can do this through the use of Teams and Roles, as described above. Even where we manage the Customer Validation program, the customer is responsible for managing its users and reviewing its user accounts regularly.
Managed Services Sub-processors
In addition to the cloud-based hosting providers identified above in “Sub-processors for Subscription Services,” we use G-Suite for general office services. Google, Inc. is therefore a sub-processor for our managed Customer Validation services customers. Where we handle incentive distribution as a part of the managed Customer Validation services, we may use Tango Card, Inc. as a gift card provider and share with Tango Card the first name and email addresses of test participants receiving an incentive. We have GDPR-compliant data processing addenda in place with these sub-processors. In addition, where we are asked to perform managed shipping, the contact information and shipping address is provided to the shipping provider, as is always the case when shipping.
What You Should Do
Because we don’t monitor or govern how our customers leverage the Centercode Platform and the specific countries of residence of their test participants and users, our customers must determine whether and how various privacy and data protection laws, including the GDPR, apply to them.
Below are some critical items to consider for your GDPR compliance:
Extra-Territorial Reach of GDPR
The GDPR applies to organizations that are established outside of the EU but that process the Personal Data of EU residents. Therefore, even our customers located entirely outside of the EU should be determining whether the GDPR applies to their activities.
The GDPR provides certain rights to “data subjects” (the customer’s end-users) whose Personal Data they may be processing. Organizations need to ensure they are able to accommodate these rights.
Data Processing Addendum (“DPA”) and Standard Contractual Clauses (“SCCs”)
If you have determined that the GDPR applies to your organization’s activities relating to Centercode’s services, in addition to preparing your own internal GDPR-compliance program, please execute our Data Processing Addendum (DPA) immediately if you have not already executed a GDPR-compliant DPA with Centercode.
Data Protection Impact Assessment (“DPIA”)
Under the GDPR, some data collection practices require customers to conduct, and sometimes file with authorities, a DPIA. You should review your collection practices and consider this requirement.
We are here to assist you at any time. If you have any questions, please don’t hesitate to reach out to firstname.lastname@example.org.