GDPR at Brand Embassy

Brand Embassy product readiness

The “General Data Protection Regulation,” or GDPR, is a new comprehensive data protection law in the EU (including the UK post-Brexit) which comes into effect on May 25, 2018. The GDPR updates existing EU privacy laws in order to strengthen them in light of rapid technological developments and more complex international flows of personal data, and to give EU citizens better control over their personal data in the digital world. With a single set of rules, the GDPR regulates and unifies across the EU how organizations can collect, store, process and transfer the personal data of EU individuals.

Because Brand Embassy has had operations in the EU for years, we are familiar with these types of data privacy rules on various levels. Brand Embassy sees the GDPR as an opportunity to deepen our commitment to data protection and to build a stronger data protection system for the benefit of all. As a SaaS (software as a service) provider, we already have robust security measures in place that meet high-level industry standards, with enterprise-level security features.

Between now and May 25th (and beyond), we are fully committed to enhancing the Brand Embassy platform to enable easier compliance with the GDPR.

We are also dedicated to helping our customers comply with the GDPR. We are working to make enhancements to our products, contracts, and documentation to help support our customers’ compliance with the GDPR.

Highlights related to the GDPR compliance program at Brand Embassy:

  1. Data security is our top priority and we have robust security measures in place to meet high-level standards in the industry. We combine enterprise-level security features with comprehensive processes, procedures, and audits of our applications, systems and networks to ensure that your and your customers’ data is always protected. Brand Embassy stores data in AWS SOC 2-certified data centers.
  2. We already offer a number of state-of-the-art data protection measures, including masking payment cards (PCI), masking for chat transcripts, encryption of data in transit, and optional encryption for data at rest.
  3. We have audited our processes, architecture and workflows in depth. Data Protection Impact Assessments have been performed, impact has been mapped, and our security measures have been updated and aligned. We have also updated our security infrastructure as needed in order to achieve compliance under the GDPR.
  4. Brand Embassy has implemented processes and tools to help you manage requests from data subjects including the deletion of personal data (“the right to be forgotten”), access to personal data, modification (rectification), and portability.
  5. For every new feature, product and enhancement, we are already applying data protection mechanisms and procedures to our design principles.
  6. We’ve made a new data processing addendum (available here https://cdn2.hubspot.net/hubfs/484339/legal/BE-data-processing-addendum_20180430.pdf), which reflects the standards of the GDPR.

What personal data does Brand Embassy process, for what purpose and on what legal basis?

Brand Embassy processes personal data based on the Service Agreement with a Controller and upon instructions from the Controller. Brand Embassy is a Processor.

Brand Embassy collects the following personal data with related purposes: