On May 25th, 2018, a new European privacy regulation called the General Data Protection Regulation (more commonly known as the “GDPR”) came into force. EverC has always taken privacy very seriously and the success of our customers in the GDPR era is very important to us. This document provides an overview of EverC’s preparations for GDPR and also answers some frequently asked questions.
a. Is EverC GDPR compliant?
EverC has completed the following activities to prepare for GDPR:
- We retained outside counsel to help us understand GDPR and prepare a GDPR compliance plan.
- We built an internal taskforce with members of different departments (security, sales, product development, and others) to implement the GDPR compliance plan internally.
- The COO has been personally involved in the supervision and implementation of the GDPR compliance plan.
As a result, we mapped EverC’s data collection practices under GDPR regulations. We have determined that, when using EverC products, our customers are data controllers and EverC is a data processor.
We are not approaching GDPR compliance as a one-time exercise.
We are committed to regularly reviewing our roadmap to ensure ongoing compliance.
b. Do you have a US Privacy Shield certification?
EverC Inc. holds a Privacy Shield certification. You can find it on the Privacy Shield list here: https://www.privacyshield.gov/list
c. As a European entity or one with business in the EU what should I know about working with EverC and GDPR?
EverC is a data processor. Therefore, if customers subject to the GDPR are sharing personal data with EverC or instructing EverC to process personal data on their behalf, executing a Data Processing Agreement (“DPA”) will likely be necessary. Read more about our DPA below.
EverC holds an ISO27001 certification. Our security measures also include the implementation of robust encryption techniques, periodical penetration tests and a data breach policy.
d. Do you have a standard DPA we can work with? Can we send you ours?
EverC can provide a standard DPA template which reflects our commitment to the protection of personal data as required by Article 28(3) of the GDPR. Our customers can also provide their own template DPA for review.
e. Does EverC store personal data? Where is the data physically stored?
EverC’s primary IT infrastructure is hosted in the United States with AWS. Our disaster recovery facility is in Ireland, also with AWS. If we change or replace our existing sub-processors, we will notify our customers as required by Article 28(2) of the GDPR.
f. How does EverC approach data transfers?
The data accessed, collected or received by EverC, Inc. is subject to EverC, Inc.’s Privacy Shield registration. The Privacy Shield registration can be accessed here: https://www.privacyshield.gov/list
EverC, Ltd. is based in Israel. There are no data transfer concerns for data accessed, collected or received by EverC, Ltd., as the European Commission has recognised Israel as a country that offers an adequate level of data protection. You can read more about this status here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
Any data transferred between EverC, Inc. and EverC, Ltd. is subject to an internal data transfer and data processing agreement executed by EverC, Inc. and EverC, Ltd.
Finally, we use our best efforts to share personal data that is subject to the GDPR only with vendors and partners who have announced that they will comply with the GDPR and have undertaken to do so. We regularly audit these engagements for GDPR compliance.
g. Will you share policies like Information Security and BCP?
Yes, we will share these policies with our customers or potential customers, upon executing a non-disclosure agreement (“NDA”).
h. How long do you store customer data?
Generally, EverC processes customer data for the duration of the services and/or in accordance with the relevant agreement with the customer.
Please note that certain laws may require the retention of the data for a longer period, in which case we are legally required to comply.
i. How does your organization handle instances when customers or prospects request their data be removed from your system(s)?
When processing personal data on behalf of our customers, EverC is a data processor. Accordingly, the relevant data controller is responsible for handling, and responding to, data subjects’ requests to exercise their rights (including the right to be forgotten). In the situation described above, EverC’s responsibility as a processor is set forth in Article 28(3) of the GDPR: EverC assists the relevant controller with appropriate technical and organisational measures, insofar as this is possible and taking into account the nature of the processing, in fulfilling the controller’s obligation to respond to requests for exercising the data subject’s rights.
When processing personal data as a data controller, EverC will treat the deletion request in accordance with the relevant applicable law.
j. How does your collection of data through automated means, such as through harvesting bots, robots, spiders, or scrapers comply with the GDPR?
EverC uses different automated technologies to process data from third-party sources to help us detect fraud, malware and illegal activities. In this case, EverC is considered a controller, since we collect this data for our own purposes. In the event that such practices are subject to the GDPR, we do not inform data subjects because we believe that an exception under the GDPR would apply (Article 14(5), which relieves a controller of the duty to inform where doing so would seriously impair the objectives of the processing). Providing information to a potential suspect or fraudster would seriously frustrate the prevention of fraud, which is our goal. For the same reason, we cannot obtain the consent of the person in question, and legitimate interest (Article 6(1)(f)) is the most appropriate legal basis; Recital 47 of the GDPR expressly names the prevention of fraud as a legitimate interest.
k. Where can I learn more about GDPR?
Additional information is available on the European Commission’s website: http://ec.europa.eu/justice/data-protection/reform/index_en.htm