Apptimi UK:

152 City Road,
London,
United Kingdom, EC1V 2NX

Apptimi Ireland:

34 Christchurch Place,
Dublin 8,
Ireland

Email:

info@apptimi.com

This is our GDPR Policy. If you want to see information on our GDPR product, go here.

INTRO
General Data Protection Regulation (GDPR)

On 25 May 2018, the most significant piece of European data protection legislation to be introduced in 20 years will come into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.

We are committed to helping our customers with their GDPR compliance by providing robust privacy and security protections built into our services and contracts over the years.
WHAT YOU CAN DO

What are your responsibilities as a customer?

Apptimi customers will typically act as the data controller for any personal data they provide to Apptimi in connection with their use of Apptimi's services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller.

Apptimi is a data processor and processes personal data on behalf of the data controller when the controller is using the Apptimi Platform.

Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.

If you are a data controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority under the GDPR (as applicable), as well as by reviewing publications by data privacy associations such as the International Association of Privacy Professionals (IAPP).

You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation. Please bear in mind that nothing on this website is intended to provide you with, or should be used as a substitute for, legal advice.
Where should you start?

As a current or future customer of Apptimi Cloud, now is a great time for you to begin preparing for the GDPR. Consider these tips:

Familiarize yourself with the provisions of the GDPR, particularly how they may differ from your current data protection obligations.

Consider creating an updated inventory of personal data that you handle. You can use some of our tools to help identify and classify data.

Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR, and build a plan to address any gaps.

Consider how you can leverage the existing data protection features on Apptimi as part of your own regulatory compliance framework.

Monitor updated regulatory guidance as it becomes available, and consult a lawyer to obtain legal advice specifically applicable to your business circumstances.
WHAT WE’RE DOING

Apptimi Platform commitments to the GDPR

Among other things, data controllers are required to only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR. Here are some aspects you may want to consider when conducting your assessment of Apptimi Platform services.
Processing According to Instructions

Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s instructions, as described in our current as well as our GDPR-updated data processing agreements.

Personnel Confidentiality Commitments

All Apptimi employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy training, as well as our Code of Conduct training. Apptimi's Code of Conduct specifically addresses responsibilities and expected behavior with respect to the protection of information.
USE OF SUBPROCESSORS

Apptimi directly conducts the majority of data processing activities required to provide the Apptimi Cloud Platform services. However, we do engage some third-party vendors to assist in supporting these services. We make information available about Apptimi subprocessors supporting Apptimi Platform services, as well as third-party subprocessors involved in those services, and we include commitments relating to subprocessors in our current and updated data processing agreements.
SECURITY OF THE SERVICES

According to the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Apptimi operates an infrastructure designed to provide state-of-the-art security through the entire information processing lifecycle. This infrastructure is built to provide secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the Internet, and safe operation by administrators.

Apptimi Platform runs on this infrastructure.

We designed the security of our infrastructure in layers that build upon one another, from the physical security of data centers, to the security protections of our hardware and software, to the processes we use to support operational security. This layered protection creates a strong security foundation for everything we do.
ENCRYPTION

Apptimi uses encryption to protect data in transit and at rest. Data in transit to Apptimi is protected using HTTPS, which is activated by default for all users. Apptimi Platform services encrypt customer content stored at rest, without any action required from customers, using one or more encryption mechanisms. A detailed discussion of how we encrypt data is available on request.
ACCESS TO INFORMATION

For Apptimi employees and contractors, access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Apptimi's security policies.
DATA RETURN AND DELETION

Administrators can export customer data, via the functionality of the Apptimi Platform services, at any time during the term of the agreement. We have included data export commitments in our data processing terms for several years, and we will continue offering those after the GDPR comes into force, and working to enhance the robustness of the data export capabilities of the Apptimi services and each of the Apptimi Platform services (consult the Apptimi Platform documentation for further information).

You can also delete customer data, via the functionality of the Apptimi Platform services, at any time. When Apptimi receives a complete deletion instruction from you, Apptimi will delete the relevant customer data from all of its systems within a maximum period of 90 days unless retention obligations apply.
DATA SUBJECT RIGHTS

Data controllers can use the Apptimi Platform administrative consoles and services functionality to help access, rectify, restrict the processing of, or delete any data that they and their users put into our systems. This functionality will help them fulfill their obligations to respond to requests from data subjects to exercise their rights under the GDPR.
INCIDENT NOTIFICATIONS

Apptimi Platform has provided contractual commitments around incident notification for many years. We will continue to promptly inform you of incidents involving your customer data in line with the data incident terms in our current agreements and the updated terms that will apply from 25 May 2018, when the GDPR comes into force.
INTERNATIONAL DATA TRANSFERS

The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the EU. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.

Apptimi does not transfer any data outside the EU. All data is stored in data centres located in Northern Europe.
If you have any questions on GDPR and how Apptimi conforms to this regulation, please contact us at any time.