Reactful’s GDPR Compliance: Everything You Need to Know
Roger Ruttimann, CTO Reactful, Inc.
As a part of Reactful’s continued commitment to security and data privacy, we’re proud to report that we are in compliance with GDPR, which will go into effect on May 25. We feel that a critical component of this commitment is transparency, so we would like to share some background on GDPR, what our compliance process looks like, how GDPR affects Reactful customers and how Reactful can help customers to be GDPR compliant.
What is GDPR?
The EU General Data Protection Regulation (GDPR) is a new EU regulation that outlines six data protection principles that organizations need to follow when collecting, processing and storing individuals’ personal data.
Six protection principles:
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
5. Storage limitation
6. Integrity and confidentiality
For more details on each principle please refer to the GDPR Information portal.
To summarize the key principals:
- Organisations need to make sure their data collection practices don’t break the law and that they aren’t hiding anything from data subjects (users).
- Organisations should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose.
- Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.
- Organisations need to delete personal data when it’s no longer necessary.
How GDPR Affects Reactful Customers
So, how will things change for Reactful’s customers on the May 25, 2018 GDPR compliance deadline? In terms of a Reactful customer’s experience in the platform, it will be business as usual.
As outlined in more details below, Reactful does not persist PII (Personally Identifiable Information) data of the website visitors in its infrastructure and therefore minimizes the risk of compromising PII data in case of a breach.
Reactful’s GDPR Compliance Process
Getting in compliance with GDPR is a huge undertaking for any organization. As part of the compliance review, we made sure to analyze and categorize the collected data and make sure it complies to the six principles of the GDPR. Fortunately, Reactful’s exposure is minimal since the majority of the data collected is user behavior data (clicks, scrolls, swipe, mouse movements) which does not fall into the PII category.
PII data that is transmitted through the secure REST API to the Reactful application is not stored in the Reactful infrastructure and is processed as follows:
- The IP address of the device that the user used to visit the customer’s website is used to lookup the user’s country/state and is not persisted inside the Reactful infrastructure.
- Lead Form content is transitioned directly to a third party system configured and maintained by the customer. None of the Lead Form content is persisted inside the Reactful infrastructure.
- Data flowing into the Reactful system through the tracking API is not accessible to be queried by a public API. Tracking event data is only available to the internal analytic module that creates aggregated data for reporting. None of the raw event data is available through a publicly exposed API.
Reactful’s exposure in case of a data breach is minimal since none of the website visitor PII/SPI information is persisted inside the Reactful infrastructure. The secure RESTFul API’s don’t allow query of raw (un-aggregated) data which adds an additional layer of security.
How can we help Reactful customers for their GDPR readiness
Reactful has created a set of documents that customers can use to show their vendor’s GDPR compliance to their auditors. The following documents for Reactful customers are available:
- GDPR DATA PROCESSING ADDENDUM (DPA)
- APPENDIX 1 & 2 TO THE STANDARD CONTRACTUAL CLAUSES
- Appendix 1: Definition of Data Importer
- Appendix 2: Product security architecture
- Security, data processing and SLA agreements for Reactfuls IT infrastructure
Contact the Customer Success team at Reactful (firstname.lastname@example.org) and they will make these documents available to you.
Reactful is committed to data transparency, data security and foremost to protecting personal data at every step. Personal data is anonymized since the focus is to analyze and react to user behavior patterns which are not traceable to individuals.
Reactful customers will be able to rest assured that the entire company is committed to achieving a high standard of data security and privacy and that our products and practices meet all GDPR standards.