Periscope Data has been preparing for the European Union’s (EU) General Data Protection Regulation (GDPR) since 2017. We are in the process of implementing processes and procedures to ensure we meet both our Data Controller and Data Processor obligations. Periscope Data operates on a shared responsibility model with our customers and we are committed to partnering to assist you in meeting GDPR.
At Periscope Data we are continuing to enhance our processes and procedures to ensure that we are compliant with the May 25, 2018 target date set by the European Council. In support of GDPR compliance, we are enhancing our website for increased transparency related to our:
- Privacy Policy
- Opt-In Practices
- Legal Terms and Conditions
- Cookie Policy
- Data Subject Request
Preparation
Periscope Data’s security team has determined that our current security controls and certifications including SOC2, HIPAA and Privacy Shield compliance, allow us to adhere to the GDPR’s requirements. This analysis also includes supporting our customers in meeting their GDPR obligations in working with our legal partners in the United States and European Union.
To determine our readiness for GDPR, Periscope Data partnered with a third party expert — TrustArc. We are in the process of consultation and a copy of the letter of engagement with TrustArc can be made available upon request. It’s worth noting that, for GDPR, there is no official certification or mechanism to demonstrate compliance. However, in alignment with Periscope Data’s practices, we firmly believe in transparency and wanted to provide additional insight into what we are doing to meet GDPR obligations.
Transparency
GDPR requires clear, easily readable privacy policies that explicitly state which data is being collected, used, stored and shared. Periscope Data is taking the opportunity to refresh our privacy policy in conjunction with our legal counsel to ensure it is incorporating new areas of the policy, but also to make sure that it continues to be easily readable. Another step for Periscope Data is to enhance how we allow customers to opt-in to our services.We also recommend you take the time to gather and store your customer’s consent for your services.
Minimisation
Periscope Data only stores data that is necessary for the service to be operational for the duration it is required. As a customer, depending on how you set up Periscope Data, you will control which data is processed by our service. As such, you should follow your internal practices to ensure the security and privacy of your customers’ data and avoid introducing any unnecessary in-scope GDPR information with Periscope Data. We recommend following the “Goldilocks rule” of using what is “just right” and following the practice of minimisation.
Security
Periscope Data has implemented many controls to ensure confidentiality, integrity and availability of data:
- Periscope Data has strong data protection controls, which include encryption in transit and encryption at rest of customer data to safeguard customer data from unintended access or misuse.
- Periscope Data employs a continuous security testing strategy to aid in the proactive identification of software vulnerabilities.
- Periscope Data maintains incident response and customer notification processes. These procedures are tested on an appropriate cadence.
- Periscope Data is distributed across multiple AWS availability zones (AZs). This posture allows for a self-healing infrastructure with redundant servers for critical services present in each AZ.
- Periscope Data has reviewed all key subprocessors, i.e. Amazon Web Services (AWS), the security controls related to the physical and logical controls have been tested in AWS SOC audit report, ISO 27001 certification and FedRAMP ATO. A list of all subprocessors can be found here: https://www.periscopedata.com/privacy-policy/subprocessors
To read more about our practices, please see: https://www.periscopedata.com/security
Periscope Data’s Data Processing Addendum (DPA)
If your organization determines that you are subject to GDPR we will provide you with our DPA. Please reach out directly to your customer success manager for details or email us at [email protected].