Periscope Data operates on a shared responsibility model with our customers and we are committed to partnering to assist you in meeting GDPR requirements.
Periscope Data has been preparing for the European Union’s (EU) General Data Protection Regulation (GDPR) since 2017. In early 2018, Periscope enhanced processes and procedures to ensure we met both our Data Controller and Data Processor obligations. Looking forward, Periscope Data is continuing to monitor changes in the privacy landscape and specifically has started the process of assessing the expectations of the California Consumer Privacy Act, which will go into effect in 2020.
With respect to GDPR, Periscope Data tracked to the effective May 25, 2018 target date set by the European Council. In support of GDPR compliance, Periscope Data enhanced our website for increased transparency related to our:
- Privacy Policy
- Opt-In Practices
- Legal Terms and Conditions
- Cookie Policy
- Data Subject Request
Preparation
Periscope Data’s security team had determined that our current security controls and certifications, including SOC 2 Type II, HIPAA-HITECH and Privacy Shield compliance, allow us to adhere to the GDPR’s requirements. This analysis also includes supporting our customers in meeting their GDPR obligations in working with our legal partners in the United States and European Union.
To determine our readiness for GDPR, Periscope Data partnered with a third-party expert — TrustArc. The letter of engagement with TrustArc can be made available upon request. It’s worth noting that, for GDPR, there is no official certification or mechanism to demonstrate compliance. However, in alignment with Periscope Data’s practices, we firmly believe in transparency and wanted to provide additional insight into what we are doing to meet ongoing GDPR obligations.
Transparency
GDPR requires clear, easily readable privacy policies that explicitly state which data is being collected, used, stored and shared. Periscope Data took the opportunity to refresh our privacy policy in conjunction with our legal counsel, both to ensure it incorporates new areas of the policy and to make sure that it continues to be easily readable. Another step for Periscope Data was to enhance how we allow customers to opt in to our services. We also recommend you take the time to gather and store your customers’ consent for your services.
Minimisation
Periscope Data only stores data that is necessary for the service to be operational for the duration it is required. As a customer, depending on how you set up Periscope Data, you will control which data is processed by our service. As such, you should follow your internal practices to ensure the security and privacy of your customers’ data and avoid introducing any unnecessary in-scope GDPR information with Periscope Data. We recommend following the “Goldilocks rule” of using what is “just right” and following the practice of minimization.
Right To Be Forgotten
For any of Periscope Data’s customers who receive requests from their customers, where Periscope Data acts as a Data Processor (Subprocessor): if you remove the data from your origin database, there is no heavy lifting, as the requested customer’s information should be removed automatically. If you would like further details on how this works, please reach out to your Customer Success Manager, Account Executive, or through Periscope Data chat.
For Periscope Data’s direct customers, where Periscope Data is the Data Controller, we have an established process to request and process the removal of your information in the case you would like to be forgotten from our various processes and systems. Please use our Contact Us page and let us know how we can help protect and respect your privacy.
Security
Periscope Data has implemented many controls to ensure confidentiality, integrity, and availability of data:
- Periscope Data has strong data protection controls, which include encryption in transit and at rest of customer data to safeguard customer data from unintended access or misuse.
- Periscope Data employs a continuous security testing strategy to aid in the proactive identification of software vulnerabilities.
- Periscope Data maintains incident response and customer notification processes. These procedures are tested on an appropriate cadence.
- Periscope Data is distributed across multiple AWS availability zones (AZs). This posture allows for a self-healing infrastructure with redundant servers for critical services present in each AZ.
- Periscope Data has reviewed all key subprocessors, i.e. Amazon Web Services (AWS). The security controls related to the physical and logical controls have been tested in the AWS SOC audit report, ISO 27001 certification and FedRAMP ATO. A list of all subprocessors can be found here: https://www.periscopedata.com/privacy-policy/subprocessors
To read more about our practices, please see: https://www.periscopedata.com/security
Periscope Data’s Data Processing Addendum (DPA)
If your organization determines that you are subject to GDPR, we will provide you with our DPA. Please reach out directly to your customer success manager for details or email us at [email protected].