Data Protection

Last Modified: May 2018

Overview
Brightidea prioritizes client trust. We know that client data is important to our clients’ values and operations. That is why we keep it private and safe.

Brightidea helps clients maintain control of their privacy and data security in many ways:

  • Data Security: We offer our clients compliance with high security standards, such as encryption of data in motion over public networks, Distributed Denial of Service (“DDoS”) mitigations, and a Support team that is on-call 24/7.
  • Disclosure of Client Service Data: Brightidea only discloses Service Data to third parties where disclosure is necessary to provide the services or as required to respond to lawful requests from public authorities.
  • Trust: Brightidea has developed security protections and control processes to help our clients ensure a secure environment for their information.
  • Access Management: Brightidea provides an advanced set of access and encryption features to help clients effectively protect their information. We do not access or use client content for any purpose other than providing, maintaining and improving the Brightidea services and as otherwise required by law.

What is Service Data?
Service Data is any information, including personal data, which is stored in or transmitted via the Brightidea services, by, or on behalf of, our clients and their end-users.

Who owns and controls Service Data?
From a privacy perspective, the client is the controller of Service Data, and Brightidea is a processor. This means that throughout the time that a client contracts services with Brightidea, the client retains ownership of and control over Service Data in its account.

Who are Brightidea’s sub-processors?
Brightidea maintains an up-to-date list of the names and locations of all sub-processors used for hosting or other processing of Service Data, which can be found here. The list includes the ability for our clients to sign up for notifications of changes. The list also may be obtained by contacting data-privacy@brightidea.com.

How does Brightidea use Service Data?
We use Service Data to operate and improve our services, help clients access and use the services, respond to client inquiries, and send communication related to the services.

What steps does Brightidea take to secure Service Data?
Brightidea prioritizes data security and combines enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure client and business data is always protected.

For example, Brightidea servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities. Additionally, we engage third-party security experts to perform detailed penetration tests on a periodic basis, and our Support team is on call 24/7 to respond to security alerts and events.

How does Brightidea respond to information requests?
Brightidea recognizes that privacy and data security issues are top priorities for clients.

  • Brightidea does not disclose Service Data except as necessary to provide its services to its clients and comply with the law as detailed in our Privacy Policy found here.

How does Brightidea respond to legal requests for Service Data?
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information with relevant law enforcement agencies or public authorities if we believe same to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Master Service Agreement, or as otherwise required by law.

EU Directive
The EU Data Protection Directive (also known as “Directive 95/46/EC”) addresses the processing of personal data and the free movement of such data. Broadly, this Directive sets out a number of data protection principles and requirements which must be adhered to when personal data is processed.

Directive 95/46/EC established the Article 29 Working Party (“WP29”), which is comprised of representatives from the data protection authorities of all the EU Member States as well as from the European Commission. WP29 works to harmonize the application of data protection rules throughout the EU and also advises the EU Commission on the adequacy of data protection standards in non-EU countries.

How does the EU directive apply to clients?
Brightidea clients that collect and store personal data are considered data controllers under Directive 95/46/EC. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant EU data protection law, including Directive 95/46/EC and the GDPR as of May 25, 2018.

What is a Data Processing Agreement (DPA)?
Brightidea offers clients a robust Data Processing Agreement (“DPA”), governing the relationship between the client (acting as a data controller) and Brightidea (acting as a data processor). The DPA facilitates Brightidea’s clients’ compliance with their obligations under EU data protection law. Our DPA contains strong privacy commitments and has been updated to confirm our compliance with the GDPR as of and from May 25, 2018. Our DPA contains data transfer frameworks to ensure that our clients can lawfully transfer personal data to Brightidea outside of the European Union by relying on one of two mechanisms: our Privacy Shield certification or Standard Contractual Clauses.

What are the “Model Clauses”?
The European Commission has approved a set of standard provisions called the Standard Contractual Clauses (“Model Clauses”) which provide a data controller a compliant mechanism to transfer personal data to a data processor outside the European Economic Area (“EEA”). The Model Clauses are appended to the Brightidea DPA to help provide adequate protection for data transfer outside of the EEA or Switzerland.

Does Brightidea replicate the Service Data it stores?
Brightidea periodically replicates data for purposes of archival, backup and audit logs. We use Amazon Web Services (AWS) to store some of the information that is backed up, such as database information and attachment files.

GDPR
Brightidea’s approach has been anchored with a strong commitment to privacy, security, compliance and transparency. This approach includes supporting our clients’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”), which becomes enforceable on May 25, 2018.

If a company collects, transmits, hosts or analyzes personal data of EU citizens, GDPR requires the company to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR. To further earn our clients’ trust, our DPA has been updated to provide our clients with contractual commitments regarding our compliance with applicable EU data protection law and to implement additional contractual provisions required by the GDPR. Our contractual commitments guarantee that clients can:

  • Respond to requests from data subjects to correct, amend or delete personal data.
  • Be made aware of and report personal data breaches to relevant supervisory authorities and data subjects in accordance with GDPR timeframes.
  • Demonstrate their compliance with the GDPR as pertaining to Brightidea’s Services.

What is the GDPR?
The General Data Protection Regulation (“GDPR”) is a new European privacy regulation which will replace the current EU Data Protection Directive (“Directive 95/46/EC”). The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law.

To whom does the GDPR apply?
The GDPR applies to all organizations operating in the EU and processing “personal identifiable data” of EU residents. Personal data is any information relating to an identified or identifiable natural person.

What implications does the GDPR have for organizations processing the personal data of EU citizens?
One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations will need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.

How has Brightidea been preparing for the GDPR?
Brightidea will be compliant with the GDPR when it becomes enforceable in May 2018. Our privacy team is working with clients around the world to answer their questions and to help them prepare for using Brightidea’s Services after the GDPR becomes effective. Additionally, our privacy team is reviewing Brightidea’s current product features and practices to ensure we support our clients with their GDPR compliance requirements.

How can Brightidea clients prepare for GDPR enforcement?
Brightidea encourages clients to begin preparing for the GDPR by reviewing their privacy and data security processes and policies to ensure compliance by May 2018. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with EU data protection law. Below are some key points to consider for GDPR compliance:

  • Geographical Application: The GDPR may apply to organizations that are established in the EU as well as certain organizations established outside the EU but which are processing the personal data of EU citizens, depending on their activities.
  • Rights of End-Users: Organizations should be cognizant of End-Users whose personal data they may be processing. The GDPR establishes enhanced rights for End-Users, and organizations should be able to accommodate those rights.
  • Data Breach Notifications: Organizations that are controllers of personal data should have clear processes in place in order to comply with the GDPR requirement to report data breaches in accordance with the time frames set out within the GDPR. Brightidea will notify affected clients without undue delay if we become aware of a data breach of our services.
  • Appointment of Data Protection Officer (DPO): Clients may need to appoint DPOs to manage issues relating to the processing of personal data.
  • Data Processing Agreement (DPA): Where personal data is transferred outside the EEA, a client may need DPAs in place with its sub-processors to ensure an adequate level of protection for the transferred data. Brightidea’s DPA addresses GDPR and can be obtained by submitting a request to data-privacy@brightidea.com.
  • Data Protection Impact Assessment (DPIA): DPIAs usually describe an organization’s data processes and protective measures, particularly those that may be risky. For data processing activities, clients need to conduct a DPIA and file it with authorities.

Does Brightidea currently provide any product-specific features/functionality to assist with GDPR compliance?
Brightidea provides clients the option to delete Service Data that may contain personal data, such as profiles, images, and attachments, in active Brightidea accounts.

  • User profile deletion: Brightidea currently supports the deletion of User profile information. For assistance, Administrators should open a ticket through the Brightidea Support Portal. Following this deletion action, the User profile is removed from the User Interface and the User identity is deleted from the system.

What is Privacy Shield?
The U.S. Department of Commerce, with the European Commission and the Swiss government, created the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks to provide companies with a mechanism to transfer personal data from the European Union to the United States in a manner that provides an adequate level of protection for the purpose of European data protection law.

Is Brightidea certified under the Privacy Shield?
Brightidea has certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants. Our certification confirms that we comply with the Privacy Shield Principles for the transfer of European and Swiss personal data to the United States.