GDPR Compliance Overview

At Azuqua, we’ve been working hard to ensure GDPR compliance across the organization – including teams, processes, tools, and the Azuqua platform. Equally important is helping our customers and partners understand how GDPR affects our relationship with you and your use of the Azuqua platform.

In the months leading up to May 25, 2018, when the GDPR regulation went into effect, we took several key actions to enhance the Azuqua platform and ensure our customers and partners have the tools they need to support their GDPR operations and compliance efforts.

We are fully committed to information security and privacy and will continue to invest in our privacy and security programs as the regulatory landscape evolves.

Azuqua GDPR Product Readiness

Below is a detailed list of the features we’re building or have already built to help support your GDPR compliance.

Key definitions used throughout:

  • Data Subjects – GDPR defines “data subjects” as “identified or identifiable natural person[s].” In other words, data subjects are just people—human beings from whom or about whom Azuqua collects information in connection with our business and its operations.
  • Data Controllers – The GDPR definition of a controller is “the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Basically, if your business processes personal data of data subjects for your own business purposes and needs—not just as a service provider acting on behalf of another business—then you’re likely a controller.
  • Data Processors – Those entities that process personal data on behalf of data controllers, and as directed by data controllers. Basically, when the controller outsources the actual data processing function to another entity, that other entity is a processor. In many cases, Azuqua acts as a data processor.
AreaGuidanceWhat Azuqua Is Doing
ConsentEach individual must give consent to use their personal data. The data collected must also be necessary to complete a task or transaction initiated by the individual.

One type of lawful basis of processing is consent with proper notice.

In order for data subjects to grant consent under the GDPR, a few things need to happen:

  • The data subject needs to be told what they’re opting into. That’s called “notice.”
  • The data subject needs to affirmatively opt-in (pre-checked checkboxes aren’t valid). Filling out a form alone cannot implicitly opt a person into everything a company sends.
  • The consent needs to be granular and cover the various ways personal data is processed or used (e.g. marketing email or sales calls). A log of what a person consented to, what they were told (notice), and when they consented must be stored as auditable evidence.
We've added features to make collecting, tracking, and managing consent as straightforward as possible and in a GDPR-compliant way.

The most common ways that Azuqua customers provide personal data is during initial sign-up, user onboarding, support/chat, and in FLOs.

Once a data subject or data controller provides their consent, we store a copy of the notice that was provided, information about what was consented to, and a timestamp of the interaction.

Available
CookiesIndividuals need to be given notice that cookies are being used (in language they can understand) and need to consent to being tracked by cookies.New users are now prompted to provide consent for use of cookies and will have the ability to opt-in to only the cookies they’d like.

From within the settings menu, existing users are able to toggle this feature as well.

 
Withdrawal of ConsentData subjects need the ability to see what they’ve signed up for, and withdraw their consent (or object to how their data is being processed) at any time. In other words, withdrawing consent needs to be just as easy as giving it.
  1. Azuqua has established processes to allow users to withdraw consent, and to provide a contact point for customers to do so at privacy@azuqua.com.

  2. In the product, customers are able to revoke their consent for Execution History storage and a GDPR-specific page now provides additional details and documentation around this.

  3. The Azuqua account preferences page has been updated to support the needs of the GDPR including withdrawal of consent. The account preferences page will be updated to support opt-in and opt-out preferences and allow for data subjects to opt-out of different types of communications and consent.

  4. All consent is logged and auditable, allowing for us to clearly report what customers have opted into and when.
Available
Right to Be Forgotten (Deletion)Organisations must also protect individuals' right to be forgotten when their data is no longer relevant or necessary.

Data subjects have the right to request deletion of all personal data you have about them. The GDPR requires the permanent removal of the data subject contact from your database, including email tracking history, call records, form submissions and more.

In many cases, you’ll need to respond to the request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.
1.If our customer would like to have their data deleted from Azuqua entirely, that customer can contact privacy@azuqua.com to have all of their data removed from all systems. We will work with customers requesting this to ensure that other members of their Azuqua organizations will be minimally impacted. Azuqua will use reasonable efforts to process requests within 30 days.

2.If a customer would like specific execution data to be cleared in order to comply with their own GDPR deletion requests, they can contact privacy@azuqua.com with the specific executions in their execution history they would like removed.

3.We will provide a way for customers to search through execution history data based on a certain field making it easier for customers to find specific execution records and respond to requests from their own customers asking for deletion of data (requests to be forgotten).

Coming later this year
ModificationJust as data subjects can request to delete or access their data, they can ask your company to modify their personal data if it’s inaccurate or incomplete. If and when a request for modification is made, you need to be able to accommodate that request.All personal information that we use is kept within our product under your user profile. It can be directly edited at any time.
Security MeasuresThe GDPR requires a slew of data protection safeguards, from encryption at rest and in transit to access controls to data pseudonymization and anonymization.As part of Azuqua’s approach to the GDPR, we’ve been strengthening our security controls across the board.

In addition to industry standard practices around encryption, additonal steps have been taken to secure data, including pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing. For additional information refer to the Azuqua Security Overview.

FAQ

When will Azuqua be updating its legal documentation (Terms of Service, Privacy Policy, and Data Processing Agreement)?

Updates to Azuqua’s Privacy Policy and Data Processing Agreement were completed June 2018.

What is Services Data?

Services Data is any information, including personal data, which is stored in or transmitted via the Azuqua services, by, or on behalf of, our customers or partners and their end-users.

Who owns and controls Services Data?

From a privacy perspective, the customer is the controller of Services Data, and Azuqua is a processor. This means that throughout the time that a customer subscribes to services with Azuqua, the customer retains ownership of and control over Services Data in its account.

Does Azuqua have subprocessors?

Azuqua maintains an up-to-date list of the names and locations of all subprocessors used for hosting or other processing of Services Data, which can be found here. The list also may be obtained by contacting privacy@azuqua.com.

How does Azuqua use Services Data?

We use Services Data to operate and improve our services, help customers access and use the services, respond to customer inquiries, and send communication related to the services.

What steps does Azuqua take to secure Services Data?

Azuqua prioritizes data security and combines enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer and business data is always protected.

For example, Azuqua servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities. Additionally, we engage third-party security experts to perform detailed penetration tests on a periodic basis, and our Support team is on call to respond to security alerts and events.

Where will Services Data be stored?

Azuqua has data centers in three main regions — all within the United States. Services Data may be stored in any region.

How does Azuqua respond to information requests?

Azuqua recognizes that privacy and data security issues are top priorities for customers. Azuqua does not disclose Services Data except as necessary to provide its services to its customers and comply with the law as detailed in our Privacy Policy found here.

How does Azuqua respond to legal requests for Services Data?

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information with relevant law enforcement agencies or public authorities if we believe same to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service or Subscription Agreements, or as otherwise required by law.

Does Azuqua have a Data Processing Addendum (DPA) for their role as a processor?

Azuqua’s full Data Processing Addendum (DPA) can be found here. Alternatively, if customers have a DPA that they’d like Azuqua to sign, they can do so by sending a copy of the DPA to privacy@azuqua.com.

DISCLAIMER: This website is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how Azuqua has addressed some important legal points. This information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding. The products, services, and other capabilities described herein are not suitable for all situations and may have restricted availability.