GDPR Awareness Notice and Frequently Asked Questions (FAQs)

On May 25th, 2018, a new European privacy regulation called the General Data Protection Regulation (more commonly known as the “GDPR”) came into force. EverCompliant has always taken privacy very seriously and the success of our customers in the GDPR era is very important to us. This document provides an overview of EverCompliant’s preparations for GDPR and also answers some frequently asked questions.

a. Is EverCompliant GDPR compliant?

EverCompliant has completed the following activities to prepare for GDPR:

  • We retained outside counsel to help us understand GDPR and prepare a GDPR compliance plan.
  • We built an internal taskforce with members of different departments (security, sales, product development, and others) to implement the GDPR compliance plan internally.
  • The COO has been personally involved in the supervision and implementation of the GDPR compliance plan.

As a result, we mapped EverCompliant’s data collection practices under GDPR regulations. We have determined that, when using EverCompliant products, our customers are data controllers and EverCompliant is a data processor.

We are not approaching GDPR compliance as a one-time exercise. We are committed to regularly reviewing our roadmap to ensure ongoing compliance.

b. Do you have a US Privacy Shield certification?

EverCompliant Inc. has a Privacy Shield certification. You can find it here: https://www.privacyshield.gov/list

c. As a European entity or one with business in the EU what should I know about working with EverCompliant and GDPR?

EverCompliant is a data processor. Therefore, if customers subject to the GDPR are sharing personal data with EverCompliant or instructing EverCompliant to process personal data on their behalf, executing a Data Processing Agreement (“DPA”) will likely be necessary. Read more about our DPA below.

EverCompliant holds an ISO 27001 certification. Our security measures also include the implementation of robust encryption techniques, periodic penetration tests and a data breach policy.

d. Do you have a standard DPA we can work with? Can we send you ours?

EverCompliant can provide a standard DPA template which reflects our commitment to the protection of personal data as required by Article 28.3 of the GDPR. Our customers can also provide their own template DPA for review.

e. Does EverCompliant store personal data? Where is the data physically stored?

EverCompliant’s primary IT infrastructure is hosted in Canada, with OVH. Our disaster recovery facility is in France, also with OVH. If we change or replace our existing sub-processors, we will notify our customers as required by Article 28.2 of the GDPR.

f. How does EverCompliant approach data transfers?

The data accessed, collected or received by EverCompliant, Inc. is subject to EverCompliant, Inc.’s privacy-shield registration. The privacy-shield registration can be accessed here: https://www.privacyshield.gov/list

EverCompliant, Ltd. is based in Israel. There are no data transfer concerns for data accessed, collected or received by EverCompliant, Ltd., as Israel was declared by the European Commission to be a country that offers an adequate level of data protection. You can read more about this status here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en and here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32011D0061

Any data transferred between EverCompliant, Inc. and EverCompliant, Ltd. is subject to an internal data transfer and data processing agreement executed by EverCompliant, Inc. and EverCompliant, Ltd.

Our primary IT infrastructure is hosted in Canada. There is no data transfer concern because Canada was declared a country that offers an adequate level of data protection (https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002).

Finally, we use our best efforts to share personal data that is subject to the GDPR only with vendors and partners who have announced that they will comply with the GDPR and have undertaken to do so. We regularly audit these engagements for GDPR compliance.

g. Will you share policies like Information Security and BCP?

Yes, we will share these policies with our customers or potential customers, upon executing a non-disclosure agreement (“NDA”).

h. How long do you store customer data?

Generally, EverCompliant processes customer data for the duration of the services and/or in accordance with the relevant agreement with the customer.

Please note that certain laws may require the retention of the data for a longer period, in which case we are legally required to comply.

i. How does your organization handle instances when customers or prospects request their data be removed from your system(s)?

When processing personal data on behalf of our customers, EverCompliant is a data processor. Accordingly, the relevant data controller is responsible for handling, and responding to, data subjects’ requests exercising their rights (including the right to be forgotten). In the particular situation described above, EverCompliant’s responsibility, as a processor, is set forth in Article 28.3 of the GDPR. EverCompliant assists the relevant controller with appropriate technical and organizational measures, insofar as this is possible and taking into account the nature of the processing, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights.

When processing personal data as a data controller, EverCompliant will treat the deletion request in accordance with the relevant applicable law.

j. How does your collection of data through automated means, such as harvesting bots, robots, spiders, or scrapers, comply with the GDPR?

EverCompliant uses different automated technologies to process data from third party sources to help us detect fraud, malware and illegal activities. In this case, EverCompliant is considered a controller since we collect this data for our own knowledge. In the event that such practices are subject to the GDPR, we do not inform data subjects because we believe that an exception of the GDPR would apply. Providing information to a potential suspect or fraudster would seriously frustrate the prevention of fraud, which is our goal. For the same reason, we cannot obtain the consent of the person in question and legitimate interest is the most appropriate legal basis (Recital 47 of the GDPR).

k. Where can I learn more about GDPR?

Additional information is available on the European Commission’s website here (http://ec.europa.eu/justice/data-protection/reform/index_en.htm).