At Infusionsoft, we see data protection and privacy as a fundamental part of who we are. To help our customers succeed, data protection is built into our software and our culture from the ground up.
Thousands of small businesses depend on us to keep their data secure and to enable their compliance with a variety of data protection laws around the world. Our comprehensive data protection program is designed to help you meet the challenges of a tough, complex regulatory environment.
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
Infusionsoft recognizes that our customers located in the European Economic Area and Switzerland operate under strict local privacy laws. These laws prevent EEA/Swiss businesses from making available any data that can be used to identify a specific, individual person (also known as “PII” or “personal data”) to companies that are not subject to such strict privacy laws. However, U.S. businesses such as Infusionsoft have the option to participate in a U.S. government-sponsored program that entitles us to an exception from this export ban, so that European customers can lawfully use Infusionsoft. In exchange for this privilege, Infusionsoft must protect the PII to a standard similar to that required by European law.
This voluntary-to-join program was formerly known as the U.S.-EU Safe Harbor Program. In October 2015, a European court decided that the U.S.-EU Safe Harbor Program wasn’t robust enough to protect PII transferred to the United States.
In 2016, the European Commission approved a replacement transatlantic data protection framework, known as the EU-U.S. Privacy Shield Framework. In 2017, Switzerland followed suit and approved the new Swiss-U.S. Privacy Shield Framework. As of the date of this article, Infusionsoft is working diligently to verify our compliance with, and certify our adherence to, the new frameworks. We recognize how important this initiative is to our customers in the EEA and Switzerland.
In the meantime, EEA and Swiss businesses can continue to lawfully use Infusionsoft by executing our Data Processing Addendum. The Addendum includes the EU Model Contract Clauses (for more details, refer to the section “European Privacy Laws” below).
U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework
Infusionsoft remains committed to complying with the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks, although their legal recognition in various non-U.S. countries is in doubt.
Our EEA/CH Safe Harbor Notice describes our continued commitment to comply with the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks.
The Notice is available here: https://www.infusionsoft.com/legal/safe-harbor
European Privacy Laws
Infusionsoft complies with the European Union’s current comprehensive privacy law: the Directive on Data Protection (Directive 95/46/EC). Note that in 2018, the current Directive on Data Protection will be replaced by a new privacy law, known as the General Data Protection Regulation.
By way of demonstrating the maturity of our data protection program, and to help enable our European customers’ continued, lawful use of Infusionsoft, we pledge to comply with current and future comprehensive European privacy laws and agree to be regulated by the European data protection authorities.
To that end, Infusionsoft offers our European customers a Data Processing Addendum, which is a specialized legal instrument designed to enable their lawful use of Infusionsoft across European borders. The Addendum incorporates the European Union’s “Model Contract Clauses” (also known as “Standard Contractual Clauses”) and enables the lawful exportation of PII by European entities to service providers outside of the EEA (e.g., Infusionsoft), on the basis of European Commission Decision 2010/87/EU. Every customer wishing to take advantage of the Addendum’s benefits must sign it in accordance with the instructions here: https://www.infusionsoft.com/legal/dpa
Data Security Statement
The Infusionsoft Data Security Statement goes well beyond the customary confidentiality clauses found in the business terms of many SaaS providers. The Statement describes some of the specific data security controls that Infusionsoft has implemented and, by publishing the information, legally obligates us to maintain the high standard of data security that’s described in the Statement.
The Data Security Statement can be found here: https://www.infusionsoft.com/legal/data-security
PCI DSS (the Payment Card Industry Data Security Standard)
Infusionsoft adheres to, and is audited annually for compliance with, the Payment Card Industry Data Security Standard, which is a rigorous data protection framework oriented towards the protection of payment card data.
Our most recent PCI DSS audit documentation is available upon request.
Data Protection Officer: Infusionsoft has appointed an independent Data Protection Officer to provide oversight for our data protection program. You may contact our DPO with any data protection questions or concerns.
Contact the DPO: [email protected]