Centercode and EU Data Protection Laws
On May 25, 2018, the current EU Data Protection Directive (also known as “Directive 95/46/EC”) will be replaced by the EU General Data Protection Regulation (the “GDPR”), which is a new European data privacy regulation aiming to strengthen the security and protection of personal data in the EU and harmonize the EU data protection law between member states. Like Directive 95/46/EC, the GDPR governs information relating to an identified or identifiable natural person (“Personal Data”).
Under the GDPR, organizations must demonstrate the security of the Personal Data they’re processing and their compliance with the GDPR on a continual basis by implementing and regularly reviewing robust technical and organizational measures and policy compliance.
Based on this preparation, Centercode will be compliant with the GDPR when it becomes enforceable in May 2018.
Customer Data and Centercode’s Role Under The GDPR
Our customers always own the data they collect and supply (the “Customer Data”) to their Customer Validation communities and projects using the Centercode Platform.
Based on this context, our customers are considered the “controllers” of this Customer Data under EU data protection law. We process the Customer Data on our customers’ behalf and are considered the “processor” of the Customer Data under EU data protection law.
As our customers’ processor, one important feature of compliance with EU data protection law is our Data Processing Addendum (DPA). This contract addendum governs the relationship between our customer (as data controller of the Customer Data) and Centercode (acting as data processor).
Our DPA contains privacy and security commitments, and has been updated to confirm our compliance with the GDPR beginning on May 25, 2018. GDPR requires that customers subject to the GDPR enter into GDPR-compliant DPAs with processors who process Personal Data on their behalf.
In addition, because Centercode and its production systems are located in the United States, Customer Data is located in the United States. EU data protection law provides that EU Personal Data may be transferred outside of the EU and European Economic Area when an adequate level of protection for that data is guaranteed. To achieve this level of protection, we enter into controller-to-processor Standard Contractual Clauses with customers who request them and have been doing so for several years.
The European Commission has approved this standard set of contractual provisions (also sometimes called “Model Clauses”) in order to provide a data controller with a legally-compliant mechanism for transferring Personal Data outside the European Economic Area. Centercode’s DPA includes the Standard Contractual Clauses to ensure that all customers subject to the GDPR have entered into an appropriate mechanism to lawfully transfer Personal Data from the EU and European Economic Area to Centercode, which is located in the United States.
To obtain a copy of the DPA and Standard Contractual Clauses for execution, please contact your Centercode account manager, or email firstname.lastname@example.org. Even if you have an existing DPA in place with Centercode, in order to be compliant with the GDPR, you will need a revised DPA to be in place that references the GDPR specifically.
The GDPR for Centercode Platform Subscribers
The Centercode Platform, upon which all of our services operate, has been designed to provide our customers with a secure platform for their Customer Validation needs.
Centercode C14.5 – The GDPR Enhancement Release
While data privacy and access control have always been core to the Centercode Platform, the C14.5 release has been designed to address the specific requirements of the GDPR and to further strengthen our facilities for Personal Data and data privacy.
The following new features and enhancements will be introduced with this release, which will debut to all Centercode Platform subscribers in May 2018:
Personal Data Fields
The Centercode Form Engine allows Administrators to flag specific form fields which are intended to contain personally identifiable or sensitive personal data. The platform will use this flag to clearly instruct users of the intended use of both personal and non-personal fields, as well as appropriately remove this data on opt-out or user delete. This functionality will be available in all form types, including User Profiles, Test Platforms, Surveys, and Feedback.
A new centralized system allows administrators to search for and export digital agreements associated with any user across the entire platform. This includes archived projects and users who have previously opted-out. This system also allows end-users (active or opted out) to review the entirety of their own community and/or project agreements at any time.
The opt-out system now removes all flagged Personal Data Fields (see above), in addition to identity (account) information. The new system provides an enhanced end-user experience, allowing users to opt out via an email verification, as opposed to requiring login credentials. This system also offers an opportunity for the user to indicate why they’re opting out via both a selection and anonymous open text field. This information is available in a new Opt-Out Dashboard, which is intended to allow Administrators to obtain anonymous feedback which can be used to enhance their community user experience.
Previously, active participants were unable to willingly opt out of active projects, nor were they allowed to opt out of the platform (i.e. remove their personal data). This was broadly necessary as it was feasible that as participants, they were actively in control of proprietary pre-production equipment. This release introduces a new project role which allows the Administrator to determine which users may actively leave their project. The new opt-out system will reference this role before allowing a user to opt out. In the event that the user cannot opt out due to lacking this role in one or more projects, appropriate Administrator contact information will be shared in order to facilitate the process.
Automatic Report Expiration
All cached reports throughout the platform will now expire (and be deleted) automatically after 30 days. This ensures that any Personal Data relative to users that have opted out will not be retained unnecessarily.
Enhanced Project Delete
Previously, projects deleted from the platform interface were placed into a deleted “state” within the database, but technically not deleted for at least 90 days (not including personal data, which was deleted immediately). We’ve enhanced this to delete projects 7 days after they are deleted from the interface. This is intended to ensure data is fully erased, and cannot be undone.
Customer Data Request Form
Our general community contact form and process has been enhanced to offer community members options specific to request types, including Personal Data and related requests. These requests are all logged within the platform. Contact and request choices may be easily customized to fit the needs of the Administrator.
The GDPR and the Centercode Platform
Based on this new release, as well as our existing features, infrastructure, policies, and processes, we make the following commitments to Centercode Platform subscribers relative to the GDPR:
Ownership of and Access to Customer Data
Our customers own their Customer Data. We do not access or use Customer Data except as directed by the customer and in order to perform services for the customer. Our employees and contractors are provided access to Customer Data on a limited, as-needed basis.
Password complexity standards default to an eight-character minimum with alpha and numeric requirements and prohibitions on using other identity fields (username, first and last name, or email) within the password. These settings can be easily modified by the platform Administrators to add additional characters and complexity requirements.
Customers can also optionally integrate their Centercode Platform implementation with their own single sign-on systems (such as SAML). Where the customer’s single sign-on system supports 2-factor authentication, the customer can then extend this feature to its Centercode Platform implementation.
Limiting Access to Personal Data or Sensitive Information
Customer Administrators govern access to the Customer Data and to our services through the use of groups (“Teams“) and permissions (“Roles“). Leveraging these and other features, the platform includes capabilities which allow Administrators to determine which specific fields of information are shared or exposed both internally and externally.
Responses to Legal Requests for Customer Data
In certain situations, we may be required by law to disclose Personal Data in response to lawful requests by public authorities. We may also disclose Personal Data to respond to subpoenas, court orders, or legal process, or to establish or exercise our rights or defend against legal claims. We may also share such information with law enforcement agencies or public authorities if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our customer agreements or user agreements, or as otherwise required by law.
The Centercode Platform infrastructure, including Customer Data and regular back-ups of Customer Data, is located in a secure cloud-computing environment in an audited, United States-based data center with 24 x 7 on-site security and monitoring. We will not remove Customer Data from these systems except as directed by the customer.
The Centercode Platform production systems are behind a stateful inspection firewall. We conduct a third-party network penetration test annually and internally perform regular vulnerability scans using industry-standard scanning tools. We also employ an intrusion detection system.
Centercode’s Security Program
We maintain a written security program designed for the security, integrity, and protection of customer data against unauthorized disclosure or loss. Our security program includes administrative, technical, and physical safeguards appropriate for our size and resources and the types of information that we process.
Appropriate measures are taken against accidental destruction or loss of production data, including backup of all production data on a regular basis. We make a service-level agreement available to our customers which includes response and resolution times. In addition, the infrastructure at the data center, including uninterruptible power supply (UPS) systems, diesel generators for backup power, fire detection and prevention systems, and redundant HVAC equipment, is designed to minimize the impact of external environmental risks. Centercode maintains a business continuity/disaster recovery plan that identifies and addresses risk factors associated with the Services.
We hold customer data in strict confidence. Our employees, contractors, and sub-processors are under obligations of confidentiality and are trained in the importance of maintaining the confidentiality and privacy of customer data.
We conduct appropriate background checks on all Centercode personnel.
Data in transit is encrypted using the most current version of HTTPS/TLS. In addition, we encrypt all backups of our customers’ data using AES-256. Encryption of Customer Data at rest using AES-256 has always been available to customers ordering dedicated cloud-based infrastructure for their Centercode Platform implementation, and by May 25, 2018, encryption at rest will be an additional option available to all customers.
Request Tracking, Monitoring and Logging
When a request is made to Centercode Support from a customer, a ticket is created in our internal request tracking system and progress is tracked until final resolution. Centercode monitors and logs access to the production systems and logs are maintained for at least ninety days.
Centercode uses audited and secure cloud hosting providers, with servers located in the United States, in order to provide the environments needed to perform the services and store the Customer Data. Centercode’s current sub-processors include Rackspace US, Inc. and Amazon Web Services, Inc. Prior to the onboarding of any sub-processor, we conduct a review of the security and practices of the sub-processor to ensure an appropriate level of security. We require our sub-processors to enter into appropriate security, confidentiality, and privacy contract terms and will have GDPR-compliant data processing addenda in place with our sub-processors by May 25, 2018.
Personal Data and Right to Erasure
Data Removal at Subscription Termination
If a Centercode customer chooses to terminate its subscription, its Customer Data (including all EU Personal Data) will be deleted within 90 days. Optionally, the customer may request its Customer Data be deleted sooner, in which case Centercode will expedite the deletion process to remove all Customer Data within 7 days of the request (with backups being purged within 30 days).
Personal Data in the Centercode Platform is intended to be restricted to core user account fields (including username, full name, email address, birth date, and password), and all fields marked by the Customer’s Administrator as Personal Data fields, typically including “User Profiles“. The Platform clearly indicates fields intended for Personal Data fields to the Customer’s community members during submission and update.
The Customer’s community members may access and update User Account and User Profile information at any time, unless deliberately restricted by an Administrator. Fields flagged as Personal Data in surveys and feedback are typically non-updatable due to their nature, but are erased on opt-out. If necessary, the Administrator can modify these fields, or grant access for the subject to do so themselves.
Right to Erasure (i.e. Opting-Out)
The Centercode Platform offers users the ability to easily remove their own accounts. If a user chooses to opt out, or their account is deleted by an Administrator, their identity, including all User Account and Personal Data designated fields, will be deleted in accordance with the deletion preferences set by the Administrator. Additional data initially associated with the user that is not marked as Personal Data (such as perhaps Bug Reports and Survey results) remains in the platform and is re-associated with an anonymized User Account containing no Personal Data. This allows the user to actively protect their privacy while retaining data integrity within the platform.
Maintaining Digital Agreements
The Centercode Platform offers a facility to assign and manage digital contractual agreements (such as Non-Disclosure or Participant Agreements). Agreements are maintained in the system after a user has been removed (via delete or opt-out) in order to give our customers the flexibility they will need to maintain important contractual records in circumstances where a user has made a Right to Erasure request. However, the Administrator does have the ability to delete or otherwise remove Agreements from the Centercode Platform as desired.
The GDPR contains requirements to report data breaches in accordance with set timeframes. Controllers of Personal Data should ensure they have clear processes in place for responding to data breach notifications quickly. Centercode has processes in place for responding to and tracking security incidents involving its customers’ Personal Data.
We will notify our customers without undue delay and within no more than forty-eight (48) hours upon first becoming aware of a security incident involving their Personal Data. We will notify our customers using the method(s) agreed to in our customer agreements, or if not provided there, we will provide email notification to the customers’ administrators.
Any security incident will be tracked in our internal support tracking system and we will provide our customers with the information they need in order to fulfill any data breach reporting obligations under the GDPR.
Assistance With Best Practices
As always, we’re happy to work with you to enhance your use of the Centercode Platform, including sharing our best practices to ensure that personally identifiable and other sensitive information is collected, stored, and used in a way that minimizes exposure risks and assists in your ability to respond to user requests.
GDPR for Centercode Managed Services
Centercode’s customers include companies that, rather than obtaining an annual software subscription to the Centercode Platform, engage Centercode to perform managed Customer Validation test services, managing the customer’s entire test on a shared (and not customer-branded) database implementation of the Centercode Platform (a “Common Implementation”).
In addition, sometimes a Centercode customer with its own annual software subscription to the Centercode Platform requests that Centercode perform managed Customer Validation services on a Common Implementation and/or to perform managed Customer Validation services on the customer’s own implementation. In these situations, some of the commitments in “Our Commitments to Our Software Customers” vary as follows:
Secure Storage of Data Removed from the Platform
In order to perform managed Customer Validation test services for the customer (e.g. services involving shipping test products to testers, managing tester participation, or customer requests for reports), whether on a Common Implementation or the customer’s own implementation, in some circumstances we need to remove Customer Data (including EU Personal Data) from the production systems.
In this event, we remove the data only to the extent necessary to perform the services, and we abide by strict internal policies governing the handling of Personal Data removed from the production systems. These policies ensure that (1) the data is still only accessible by Centercode employees, contractors, and sub-processors as necessary to perform the managed Customer Validation services; and (2) that we maintain a record of the location(s) of the EU Personal Data.
For managed Customer Validation services performed on a Common Implementation, Centercode commits to deleting its customers’ EU Personal Data at the end of services. Because the services end-date is often fluid, Centercode requires its managed Customer Validation customers to provide a written request to begin the account deletion process. EU Personal Data deletion requests will be handled by deleting all of the users provided to Centercode by the customer (i.e. from the proprietary user lists supplied by the Customer), which deletes the user identity and all associated Personal Data Fields, leaving the remaining data re-associated with an anonymized User Account containing no Personal Data.
In addition, the Centercode managed Customer Validation services team adopts best practices to ensure that EU Personal Data is only collected in fields marked as Personal Data. EU Personal Data will be deleted within 90 days of the customer’s request for deletion. Optionally, the customer may request that its EU Personal Data be deleted sooner, in which case Centercode will expedite the deletion process to remove all EU Personal Data within 7 days of the request (with backups being purged within 30 days).
Platform Access and Administration
For managed Customer Validation services conducted by Centercode on a Common Implementation, Centercode is the platform Administrator. A customer manages access to its Customer Data and to our services by notifying Centercode of which individuals it wishes to assign to the customer’s internal access “team.” Password complexity standards are set to an eight-character minimum with alpha and numeric requirements, and access cannot be integrated with the customer’s own single sign-on system.
Managed Services Sub-processors
In addition to the cloud-based hosting providers identified above in “Sub-processors,” we use G-Suite for general office services. Google, Inc. is therefore a sub-processor for our managed Customer Validation services customers. We have a GDPR-compliant data processing addenda in place with Google. In addition, where we are asked to perform managed shipping, the contact information and shipping address is provided to the shipping provider, as is always the case when shipping.
What You Can Do
We encourage our customers to prepare for GDPR by reviewing their privacy and security processes and policies. Because our customers are the data controllers, Centercode customers subject to EU data protection law that collect and store EU Personal Data using our services bear the primary responsibility of ensuring that their processing of this EU Personal Data is compliant with EU data protection law, including Directive 95/46/EC and, as of May 25, 2018, the GDPR.
Because we don’t monitor or govern how our customers leverage the Centercode Platform and the specific countries of residence of their test participants and users, our customers must determine whether and how EU data protection law, including the GDPR, applies to them.
Below are some critical items to consider for your GDPR compliance:
Extra-Territorial Reach of GDPR
The GDPR may apply to organizations that are established outside of the EU but which process the Personal Data of EU residents. Therefore, even our customers located entirely outside of the EU should be determining whether the GDPR applies to their activities.
The GDPR provides certain rights to “data subjects” (the customer’s end-users) whose personal data they may be processing. Organizations need to ensure they are able to accommodate these rights.
If you have determined that the GDPR applies to your organization’s activities relating to Centercode’s services, in addition to preparing your own internal GDPR-compliance program, please inform your Centercode account manager that you wish to enter into the DPA and SCCs and we will provide them for your execution.
Data Protection Impact Assessment (“DPIA”)
Under the GDPR, some data collection practices require customers to conduct, and sometimes file with authorities, a DPIA. You should review your collection practices and consider this requirement.
We look forward to working with you as we rapidly head towards May 25, 2018. In the meantime, if you have any questions, please don’t hesitate to reach out to email@example.com.