Data Protection and Privacy at Infusionsoft
What is the General Data Protection Regulation (GDPR)?
The GDPR is the European Union’s new, comprehensive privacy and data protection law that will take effect on May 25, 2018. The primary aim of the GDPR is to regulate how the personal data of EU residents is processed – even by businesses that have no physical or legal presence in the EU. Organizations can face hefty fines for non-compliance: up to €20 million or 4 percent of annual global revenue, whichever is higher.
Is there a GDPR certification? Is Infusionsoft GDPR certified?
There is not yet any kind of recognized GDPR certification scheme. Infusionsoft is taking the necessary steps to ensure that it is in compliance with the GDPR in advance of the implementation date of the new law.
Infusionsoft will offer customers and partners a new Data Processing Addendum (“DPA”). Signing the DPA amends our standard terms of service to reflect obligations required under the GDPR. This is the instrument that you can rely on to have certainty that Infusionsoft will comply with the GDPR when it comes into effect on May 25, 2018. It amounts to a guarantee that Infusionsoft will be GDPR compliant.
How can Infusionsoft guarantee I will be able to use Infusionsoft after the GDPR comes into effect?
Infusionsoft will offer a new Data Processing Addendum that will replace our prior DPA. The new DPA isn’t dramatically different from our old DPA, but it does address all of the GDPR-specific concepts. For reference, the old DPA is available here: https://www.infusionsoft.com/legal/dpa.
The new DPA will govern the terms by which Infusionsoft, as a data processor, processes data on behalf of its customers (who are typically data controllers) in accordance with Article 28 of the GDPR. According to Article 28 of the GDPR, data processors must act only upon the documented instructions of the data controller unless otherwise required by law. This, however, does not relieve Infusionsoft of any of its obligations or liabilities under the GDPR. Infusionsoft will be required to ensure that it is in compliance with the GDPR.
Who is Infusionsoft’s Data Protection Officer (DPO)?
Infusionsoft’s DPO is: Matthew Joseph, CIPP/US
Email address: [email protected]
In accordance with Article 38 of the GDPR, members of the public may contact the DPO with regard to issues related to processing of their personal data and to exercise their rights under the GDPR – for example, to object to the processing of their data in cases where the data controller (i.e., Infusionsoft’s customer) does not provide an adequate response.
Who is Infusionsoft’s representative in the European Union pursuant to Article 27 of the GDPR?
Infusionsoft’s Article 27 Representatives are:
Matthew Joseph, CIPP/US, Prague 150 00
VeraSafe Ireland LTD, Unit 3D North Point House, North Point Business Park, New Mallow Road
In accordance with Article 27 of the GDPR, supervisory authorities and persons whose personal data are being processed by Infusionsoft may contact VeraSafe (Infusionsoft’s Article 27 Representative) on all issues related to processing, for the purposes of ensuring compliance with the GDPR.
What is Infusionsoft doing to ensure that it is compliant with the GDPR?
Infusionsoft is currently re-papering vendor contracts and working with vendors to ensure they are compliant. We are also adding a settings pane through which customers can provide Infusionsoft with the information required under Article 30(2) of the GDPR.
Infusionsoft is continuing to review its security measures, as we always do, to stay at the forefront of evolving industry standards and best practices.
We have appointed a representative in the EU and an expert Data Protection Officer and are in the process of delivering a new Data Processing Addendum, all of which will ensure we’re satisfying the subcontracting obligations of a data processor under the law.
So Infusionsoft will be compliant with the GDPR. Does that mean that I’m automatically compliant too? If not, where can I learn more about my own obligations?
Each organization that processes personal data, and that’s regulated by the GDPR, will face its own obligations to comply with the GDPR. While using a GDPR-compliant software product like Infusionsoft can make it easier to comply, much of how you collect, use, and dispose of personal data is not determined by Infusionsoft. Thus, each organization should get its own professional guidance on the topic to help ensure compliance. Here are some resources from the UK Information Commissioner’s Office: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/.
We've also compiled an Infusionsoft-specific guide to help you prepare for GDPR: https://www.infusionsoft.com/legal/gdpr-readiness-guide.
Watch our GDPR Readiness Webinar here.
Is Infusionsoft building new software features to help me comply with the GDPR?
Yes, we’re planning to release new features to help users manage their compliance with a number of key pain points in the law. These include a set of features to help Infusionsoft users manage the basis of processing (such as consent management) for their contacts, to make it easy to anonymize personal data (i.e., the right to be forgotten), and a customizable “block list” feature to help ensure that if someone asks you to never process their personal data, that data can’t be re-imported into your application. These features will help our users to comply with many of their fundamental obligations under the GDPR.
Am I a data controller? Is Infusionsoft a data processor?
Typically, an Infusionsoft customer will be considered a data controller (i.e., an organization that determines the purposes and means of the processing of personal data), and Infusionsoft will always be considered a data processor under the law. Controllers and processors each have their own respective obligations under the law. Therefore, Infusionsoft’s GDPR compliance plan looks a bit different from that of many of our customers. This doesn’t mean Infusionsoft can’t be used by data controllers – quite the opposite. When a data controller engages a service provider like Infusionsoft, the service provider is typically a data processor acting on behalf of the controller, and the processor acts at the behest of the controller. As stated above, Infusionsoft’s DPA will govern the relationship, and the nature of the processing activities, as between Infusionsoft and its customers, regardless of which entity plays which role.
Do I need to obtain consent again from all my contacts?
Not necessarily. There are other permitted bases for processing personal data under Article 6 of the GDPR, such as the need to process personal data for the performance of a contract, or the legitimate interests of the data controller or another party. However, if you will be processing personal data based solely on the consent of the individual, you likely need to re-acquire consent from these “old” contacts.
What solution does Infusionsoft offer for cross-border data transfers?
Under the GDPR, personal data may only be transferred outside the European Economic Area (commonly referred to as the “EEA” and which consists of the EU, plus Norway, Iceland, and Liechtenstein) in certain circumstances, such as to a country whose data protection laws are deemed "adequate" by the European Commission, or by relying on an approved data transfer mechanism.
Infusionsoft currently offers customers the EU Model Contract to enable the lawful flow of personal data from the EEA to Infusionsoft in the United States. The EU Model Contract contains standard contractual clauses which are approved by the European Commission, and which govern the lawful transfer of data from the EEA to countries outside of the EEA. Under the GDPR, additional legitimate methods of exporting personal data outside the EEA may be introduced. In the event of any changes to or new rules associated with the GDPR, Infusionsoft will review and respond appropriately.
What security controls has Infusionsoft implemented to safeguard my data?
The Infusionsoft Data Security Statement goes well beyond the customary confidentiality clauses found in the business terms of many SaaS providers. The Statement describes some of the specific data security controls that Infusionsoft has implemented and, by publishing the information, legally obligates us to maintain the high standard of data security that’s described in the Statement.
The Data Security Statement can be found here: https://www.infusionsoft.com/legal/data-security
Is Infusionsoft PCI Compliant?
Infusionsoft adheres to, and is audited annually for compliance with, the Payment Card Industry Data Security Standard, which is a rigorous data protection framework oriented towards the protection of payment card data.
Our most recent PCI DSS audit documentation is available upon request. Please contact [email protected] if you require the documentation.