Trust center

General Data Protection Regulation (GDPR)

On May 2018, a European privacy law, the General Data Protection Regulation (GDPR), came into effect. The GDPR imposes rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyse data tied to EU residents. The GDPR applies no matter where you are located.

dotdigital has extensive expertise in protecting data, championing privacy, and complying with complex regulations. We believe that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We want to help you focus on your core business while efficiently complying with the GDPR.

We are committed to our principles of cloud trust, data protection, and data security. We intend to provide platform functionality to address the privacy demands of our customers. As the GDPR enforcement takes full swing, here is what else you can expect from us:

• Technology that meets your needs – You can leverage our specific platform functionality to meet your GDPR obligations for areas including deletion, rectification, transfer of, access to, and objection to processing of personal data.
• Contractual commitments – Relationships with dotdigital are supported with contractual commitments for our services, including security standards, support, and timely notifications in accordance with the new GDPR requirements.
• Sharing our experience – We will share the information that we gather through various Data Protection Authorities and other reputable organizations, so you can adapt what we have learned to help you craft the best path forward for your organization.

While dotdigital is fully committed to helping you successfully comply with the GDPR, it is important to recognize that compliance is a shared responsibility. New requirements – like greater data access and deletion rules, risk assessment procedures, a Data Protection Officer role for many organizations, and data breach notification processes – will mean changes for your organization. When it comes to GDPR compliance, it’s not just European organizations that are affected, but also those outside of the EU who process data in connection with the offering of goods and services to, or monitoring the behaviour of, EU residents. As such, it is important to understand your obligations related to the GDPR, regardless of where your organization resides.

It will take time, tools, processes, and expertise for you to comply with the GDPR. To do this, you need to make changes to your privacy and data management practices.

Model Contract Clauses

European Union (EU) data protection law regulates the transfer of personal data from EU customers to countries outside the EU. dotdigital has EU Standard Contractual Clauses in place that provide specific guarantees around transfers of personal data for platform services. These Model contracts exist as contractual privacy protections between dotdigital and its third-party service providers who process data, as well as all dotdigital subsidiaries (to include North America, Australia, South Africa, and Belarus) - copies of which are available upon request and under NDA. Individual model contract clauses for dotdigital clients are available as well, on an as-need basis.

EU-U.S. Privacy Shield

dotdigital complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. dotdigital has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov. For more information on dotdigital’s privacy practices, please visit our Privacy Statement.

Australian Privacy Principles

For customers who are concerned about compliance with Australia's Privacy Principles, dotdigital complies with a wide range of international, industry, and local standards, best common practice, regulations, legislation, and policy. Many of these are identified here in the dotdigital Trust Center. Should data sovereignty be of concern, dotdigital offers the ability to control where data lives by allowing the choice of sending instances in various regions, including Australia, North America, and Europe.

Although the dotdigital platform addresses the compliance, security, and privacy requirements that Australia identifies, some requirements are the responsibility of the customer and it is important for customers to understand the shared responsibilities.

Canadian Privacy Law

Canadian privacy laws—such as the Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA) — aim to protect the privacy of individuals, and give them the right to access information gathered about them. The laws require organizations to take reasonable steps to safeguard information in their custody or control, and cover personal information that is held and processed by governments and private organizations in data files, registers, and elsewhere.

Ultimately, the responsibility and ownership of personal data lies with our business customers, per the dotdigital Terms and Conditions. However, dotdigital commits that third-party services have implemented security safeguards to help them protect the privacy of individuals, based on established industry standards. We have assessed our practices in risk, security, and incident management; access control; data integrity protection; and other areas relative to the recommendations from the Office of the Privacy Commissioner of Canada, and have determined that the in-scope services are capable of meeting those recommendations.

Scalable, protected and accredited

The engagement cloud platform is built to protect your company and its data, when managing your communications.

• Pages pass data over TLS.
• Engagement cloud supports encrypted data transfers.
• Access to the Engagement cloud platform is through a web form login with optional two-factor authentication.
• All users of the Engagement cloud platform are required to change their passwords every 90 days.
• Passwords are hashed using a NIST approved cryptographic implementation.
• Our web login page and API enforces rate limiting to protect against brute force attacks.
• Account access rights (import, export, read, write and send) are configurable to your needs and managed by your administrator user.
• All your users are set up in the platform by your administrator user. Verification is by email and SMS.
• All data is virus scanned when uploaded to the platform.
• Our Watchdog service constantly monitors customer contact uploads. If these change from a usual pattern it automatically stops uploading. This process also protects our customers from sending to spam traps that can affect delivery.
• Emails are sent using opportunistic TLS, employing authentication and validation systems such as DKIM and DMARC.
• Payment processes are fully PCI-DSS compliant.
• Granular access control permissions can be assigned to managed users.
• Campaign links are checked against lists of high risk domains to prevent malicious use of the platform.

You can trust us with your data

We've worked hard to ensure our infrastructure and the team behind it is world class.

• We are Cyber Essentials Plus Certified.
• We use secure data centers within the EU, US or Australia, depending on your region. All hold a broad set of industry standard accreditations such as ISO27001, ISO9001 and List X.
• Our data centers are connected to the internet with redundant internet links and bandwidth can be easily upgraded on requirement.
• There is redundancy at every component and service level, as well as spare capacity and we can scale our servers on demand. This means engagement cloud can continue to run for prolonged periods even after experiencing major component failures, and we don't run out of space.
• Where available, new dotdigital employees are background checked.
• Our infrastructure is protected by firewalls and all management access requires two-factor authentication.
• We make use of leading cloud providers and content distribution networks to host our email images, as well as many other application resources.
• Virus scan technology is implemented throughout our infrastructure.
• We commission annual independent third party security assessments.
• An ongoing vulnerability scanning and management program is in place.
• Machines are built from approved hardened images, and verified in third party security assessments.
• A monthly patching cycle is in place to ensure the latest security updates have been applied.
• We have restore points for critical data and these are taken every 5 minutes. Backup data is securely kept at same geographic regions, yet sufficiently distant to ensure data is not lost in the event of a disaster, whilst complying with local data protection regulation.
• We employ skilled information security and data privacy specialists in our team to ensure security is always a priority.
• EU Model Contracts are in place between dotdigital and its subsidiaries, as well as subcontractors processing data.
• Role based permissions are used to control staff access to systems and data.
• Management access to infrastructure is tightly controlled, and employs multi-factor authentication protection.
• Intrusion Detection Technology is in place.