Certify, Inc. has been busy reviewing policies for our Certify, Nexonia, Tallie, ExpenseWatch, and SpringAhead brands, and we are set to achieve GDPR compliance with the new law effective May 25, 2018.
What is GDPR?
The EU General Data Protection Regulation (GDPR) is the most comprehensive EU data privacy law in decades and will go into effect on May 25, 2018. Besides strengthening and standardizing user data privacy across the EU nations, it will require new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located.
Will Certify, Inc. and its SaaS brands become compliant?
Yes. Brands include Certify, Certify Travel, Nexonia, and Tallie.
Is Certify, Inc. using a partner for compliance?
Yes. We have partnered with TrustArc to assist in compliance efforts. TrustArc consultants are former Chief Privacy Officers, working previously with EU officials and groups for GDPR.
What is DPA?
Certify Inc. will be offering customers and prospects a robust Data Protection Addendum (“DPA”), which governs the relationship between the customer (acting as a data controller) and Certify Inc. (acting as a data processor). The DPA facilitates our customers’ compliance with their obligations under EU data protection law.
Our DPA contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to Certify, Nexonia and Tallie, which are systems that are hosted outside of the European Union. Such data transfers require the foundation of one of three mechanisms: our Binding Corporate Rules, our Privacy Shield certification, or Standard Contractual Clauses.
How does GDPR relate to PCI, SOC, and other standards?
The Certify, Nexonia and Tallie products provide our customers compliance with high security standards, such as strong encryption of data, auditing standards (PCI DSS, SOC 2, Privacy Shield), regular vulnerability scanning and penetration testing, and regular review of our security policies and procedures.
In some ways, GDPR overlaps with other standards, but GDPR calls for "compliance" rather than "certification. Other security standards and certifications serve as excellent starting points for pursuing GDPR compliance.
As a customer, what documentation will I receive from Certify, Inc?
We make security and compliance documents available to current customers and sales prospects through our own Mutual-NDA Security Documents Portal. The GDPR Data Processing Agreement will become available as a contract addendum. Our current plan is to require all customers to agree to this DPA.
My company does not have employees in the European Union. Why do I have to sign the Certify, Inc. DPA?
We may offer a simple waiver that customers with no EU nexus can sign instead of our DPA. However, it should be noted that customers who sign such a waiver would be choosing to retain all responsibility for compliance with GDPR. We recommend that all customers sign the DPA so that our GDPR compliance can benefit your organization.
Who do I contact with more questions?
As always, contact your Account Manager or our Support Team with any questions.