GroupBy is GDPR Ready
The General Data Protection Regulation (GDPR) is a European Union regulation that governs the collection and processing of personal information (“PI”) (a) of European residents or (b) in the context of an establishment in the European Union. The GDPR became effective on May 25, 2018, and obligates organizations globally to protect this information.
This FAQ provides answers to questions from our customers about the steps GroupBy has taken with respect to the GroupBy platform to address the GDPR.
What Personal Information ("PI") Data Does GroupBy Collect
In accordance with GDPR, GroupBy only collects PI required to provide services for our platform. GroupBy believes in the importance of privacy and that end-user privacy should be protected. To that end, the only PI GroupBy collects from end-users of our customers' websites is end-user IP addresses using cookies placed on an end-user device, and only with consent provided by the end-user via the customer’s website privacy controls. The GroupBy platform never collects, accepts, processes or stores names or email addresses from end-users of our customers' websites.
GroupBy employs a wide range of security controls to protect customer data:
- Data encryption (AES-256) at rest and in transit.
- Secured service APIs and authenticated access.
- Intrusion detection and resolution.
- Access to systems is based on the principle of business need and requires approval.
- Security is configured to grant the least amount of access required for functionality.
- Watch Dogs monitor system functionality and notify appropriate staff when operational issues are identified.
- Full system logging on all systems and applications is enabled.
- Physical data center controls include electronic access cards, vehicle access barriers, perimeter fencing, metal detectors, biometric access, and 24/7 monitoring of high-resolution interior and exterior cameras for intrusion detection.
Where Is Data Stored (Locality)
For North American customers, data is stored in data centers in the U.S., with the primary data center located in Idaho. For European customers or subsidiaries, data is stored in a data center in Belgium.
Customers can only access data associated with their specific account via user accounts and passwords managed by the customer in combination with a randomly generated security key. All data is encrypted at rest and in transit by default using AES-256.
Data Deletion and Data Retention
GroupBy permanently deletes all customer data within 180 days of the end of a contract, or at an earlier date upon customer request. Data is never retained beyond 180 days except to the extent permitted by applicable law.
Third-Party Audits and Certifications
GroupBy completes annual audits for its Subscription Service for the following standards:
- SOC 2 Type II (Security, Confidentiality, Availability, Processing Integrity, and Privacy)
The GroupBy Subscription Service operates on the Google Cloud Platform ("GCP").
Where can I obtain more information about Data Privacy at GroupBy?
Any questions or general comments can be directed to firstname.lastname@example.org
2 Berkeley Street, Suite 210
Toronto, Ontario M5A 4J5
ATTN: Privacy Officer