GDPR compliance

How the platform aids users in maintaining GDPR principles

Xtremepush prioritises customer trust. We know that customer data is important to our customers' values and operations. That is why we keep it private and safe.

Xtremepush helps customers maintain control of their privacy and data security in a range of ways:

  • Data Security: We offer our customers compliance with high security standards, including encryption of data in motion over public networks; hosting at Tier IV or III+, and ISO 27001, ISO 9001, ISO 27017 and ISO 27018 compliant facilities; Distributed Denial of Service ("DDoS") mitigations; operation of a mature Information and Security Management System; and an Engineering team that is on-call 24/7 to respond to security alerts and events. Our ISMS is ISO 27001:2013 certified.
  • Access Management: Xtremepush provides an advanced set of access features to adhere to the principle of least privilege and help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining and improving the Xtremepush services and as otherwise required by law.
  • Data Hosting Locality: Customers who purchase our Private Cloud Solution have the ability to select the region (from the available Xtremepush regional options) where the data centre which hosts their Service Data is located. On Premises solutions can also be provided to those who need to host internally.
  • Disclosure of Customer Service Data: Xtremepush only discloses Service Data to third parties where disclosure is necessary to provide the service(s) or as required to respond to lawful requests from public authorities in accordance with our Data Processing Agreement.

Xtremepush GDPR Product Readiness

The General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, provides data subjects with an array of privacy rights, which give individuals greater transparency into, and control over, uses of their personal information.

The purpose of the GDPR obligation:

To ensure transparent communication with data subjects regarding the processing of their personal data and ensure data subjects are notified of their rights under the GDPR.

Exceptions to the GDPR obligation:

A data controller is exempt from these obligations if it cannot identify which personal data in its possession relates to the relevant data subject (i.e., if personal data is anonymised and cannot be re-identified).

This page details how the Xtremepush product suite aligns with your customers' privacy rights and where you can learn more about the features and functionality made available in Xtremepush's products that support a GDPR compliance program.

It is important that access to the features that allow you to support a GDPR compliance program is through appropriate roles with least privilege, and that you have an audit trail of user actions related to servicing data subject requests like data rectification and deletion. With that in mind, appropriate user access management and audit trail supports are also in place.

The Right To Be Informed

In general this right means that a customer has a right to know how their personal data will be used. Typically, this will be through a Privacy Notice. This Privacy Notice should be provided free of charge, be transparent and be easy for the customer to access. For any data provided by the customer, the Privacy Notice should include:

  • Contact details for the data controller and data protection officer
  • Legal basis and purpose for processing
  • Data retention period
  • A reference to the rights the customer has, such as the right to erasure, right to restrict processing etc.

Such a privacy notice should be made available when someone becomes a customer with updates provided periodically. The privacy notice should also be available to download at any time.

When using Xtremepush, you may collect data to enable engagement on marketing channels. Many of these channels and data sources contain system-based opt-ins that check for user consent and are handled at the OS or browser level. Others, such as email and SMS, will require you to collect data with consent before passing both to the Xtremepush platform.

Details on how opt-ins work for channel and data sources in the Xtremepush product can be found in the Data permissions and retention pages.

Where you are depending on system-based prompts and settings to allow users to opt in for and manage certain capabilities, it is a good idea to put information on how users can use those in supporting docs to your privacy policy.

Right to Rectification

In general this right means an individual has the right to have their data corrected if it is inaccurate or incomplete. The rectification must be done within a month.

If you have to process a request from a customer to rectify their data, for example, changing their email or a First Name or other attribute that requires updating their data on Xtremepush, then you can.

If you are not familiar with where user profile data can be found on the platform, first read our User data guide to familiarise yourself with this part of the platform.

Right to Access and Data Portability

Right to Access

Under the right of access, the customer can submit a subject access request to access the data held about them. The company holding the data can no longer charge a standard fee for such a request; however, under Article 12, a "reasonable fee" can be charged where the requests are "manifestly unfounded or excessive", particularly if they are repetitive.

The institution holding the data may refuse to comply, but if they do, they must demonstrate why they feel the request is "manifestly unfounded" or excessive in character.

The data that is the subject of an access request should normally be provided within 1 month of the request being made; however, this timeline can be extended provided the individual is informed.

Right to Data Portability

Under GDPR, customers have the right to receive personal data in a "structured, commonly used and machine readable format".

If the data is not available for a customer to download immediately, then it should be made available to the customer within a month of receiving the request.

Servicing a Subject Access Request

If you have to process a request for data access from a customer and need to access their data from Xtremepush then you can.

If you are not familiar with where your user profile data can be found on the platform, first read our User data pages to familiarise yourself with this part of the platform. Details of how to export user data to service a subject access request can be found in the Download a user profile page.

Right to Restrict Processing

This is the right of an individual to block the processing of their data. This right is typically temporary, and is exercised while other investigations or requests are being executed, for example, a rectification request or if the user has requested that you cease processing personal data for direct marketing and provide them with access to their data.

To restrict processing of customer data, use an audience Suppression list.

Right to Erasure

The right of erasure is not an absolute right to be forgotten. Individuals have a right to be forgotten and to have their data erased in certain circumstances. For example, a customer's data should be erased when:

  • The personal data is no longer required in connection with the reason for which it was originally collected
  • The individual withdraws consent to the data being held
  • The individual objects to processing and there is no overriding legitimate reason for holding the data
  • The personal data was unlawfully processed or it has to be erased to comply with a legal obligation

The request for erasure can be refused if the data needs to be retained to comply with a legal obligation or to exercise defence of legal claims. For example, when the data of a closed customer must be kept for a time period at the request of the national authorities, the data can be kept for that period.

Details of how to erase user data via the platform can be found in the Delete a user profile page. If you need to automate customer data deletion from the Xtremepush product (when a customer closes an account, for example), this is possible using the PII deletion methods of our API.

Data retention periods and legal grounds for processing should be established and documented ready for inclusion in privacy notices. So, if personal data is retained for a certain period of time after a customer's account is closed, this should be included in the privacy notice made available to the customer.

User Access Management and Audit Trails

Xtremepush provides full support for multi-user access and enterprise workflows such as peer review for campaign creation. Individual users of the platform should be assigned individual user login details. A range of default roles are provided to allow you to stick to the principle of least privilege when providing access to your business' end users of the platform.

User Access Management and the available roles are detailed in the Create user accounts document.

Access to the Data section where personal data can be seen in user profiles is restricted to certain roles. When setting up your projects and integrating, some technical staff may need access to ensure that everything is working as expected and all the necessary data is coming through.

Privileged roles used in setup should be deactivated once they are no longer needed.

In general, once a project is set up, most day-to-day activity relating to business-as-usual use of the platform (customer marketing etc.) does not require access to user profiles. Day-to-day users should have appropriate roles to reflect this.

There is a special Data Protection Officer role for users who need access to service data subject requests (rectification, access, deletion etc.). This supports appropriate separation of duties by allowing these users to perform their duties as outlined in the articles below without granting access to create and launch customer marketing campaigns etc.

Audit Trails

A full audit trail of user actions taken on the platform is kept. This can be used on request in cases where user activity must be audited. You can, for example, check which user created a specific campaign.

The user actions audit trail can also be used to check if personal data was edited, deleted or downloaded.

The utility of the audit trail will be diminished if you share user login credentials, so it is extremely important that individual users of the platform are assigned individual user login details.