I. What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation, which is designed to improve the data security and privacy of EU citizens and residents. GDPR is a comprehensive EU data privacy law, which has been in effect since May 25, 2018. In addition to strengthening and standardizing user data privacy across the EU nations, it requires obligations for all organizations handling EU citizens’ and residents’ personal data, regardless of where the organizations themselves are located. For more information on GDPR, please refer to Wikipedia or the GDPR main site.
Zingtree is committed to partnering with customers, service providers, partners, users and employees to help them meet the requirements of the GDPR.
To comply with EU data protection laws around international data transfer mechanisms, Zingtree is self-certified under the EU-U.S. Privacy Shield and the Swiss-U.S.Privacy Shield. Designed by the U.S. Department of Commerce and the European Commission and Swiss Administration, Privacy Shield was developed to provide a framework for companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. In addition, Zingtree offers the EU Model Clauses, also known as Standard Contractual Clauses, to meet adequacy and security requirements for our customers who operate in the EU.
Updates to GDPR have expanded the requirements significantly, and Zingtree is always working diligently to ensure our product offerings and contractual commitments remain compliant with new standards. Active measures to achieve this include, but are not limited to:
- Continuously investing in the security of our infrastructure
- Ensuring appropriate contractual terms are in place
- Executing Standard Contractual Clauses along with our Data Processing Agreement
- Supporting international data transfers by maintaining our EU-US and Swiss-US Privacy Shield Certifications (to validate certifications, please see Privacy Shield Certification Validation List.)
Zingtree also monitors for changes to GDPR compliance from privacy-related regulatory bodies, and reviews guidance from our privacy compliance legal counsel. As GDPR and other applicable privacy regulations are amended, Zingtree will update its contractual, procedural and other such changes, as required.
II. DATA SUBJECT’S GDPR RIGHTS
Depending on your location and subject to applicable law, you may have the following rights with regard to the Personal Data, for which Zingtree is a custodian (Please note: Under GDPR, Zingtree is considered a Processor and, therefore, will first notify the controller associated with your Personal Data before acknowledging the possession of a Subject’s Personal Data):
- Request Access: The right to request confirmation of whether Zingtree processes Personal Data relating to you, and if so, to request a copy of that Personal Data;
- Rectify Information: The right to request Zingtree rectify or update your Personal Data that is inaccurate, incomplete, or outdated;
- Data Deletion: The right to request Zingtree to erase your Personal Data;
- Data Restriction: The right to request Zingtree to restrict/stop the processing of your Personal Data;
- Data Portability: The right to request Zingtree to export your Personal Data to another company, where technically feasible;
- Notification: The right to be notified about the uses of your Personal Data, where the processing of your Personal Data is based on your previously given consent, you have the right to withdraw your consent if you feel your rights are being impeded;
- Objection: The right to object to the processing of your Personal Data, including the withdrawal of previously provided consent; and
- Automated Individual Decision-Making: The right to refuse the automated processing of your Personal Data to make individual decisions about you if it significantly affects the data subject or produces legal effects.
III. GDPR SUPPLEMENTAL INFORMATION
- Zingtree may disclose your information to third parties to provide services and for a variety of business, advertising, referral, etc. purposes. Additionally, Zingtree may provide your information to protect us or others, or in the event of a major business transaction such as a merger, sale, or asset transfer. Zingtree will not share your information with third parties for a purpose that is materially different from original purposes without your consent.
- Zingtree is subject to the investigatory and enforcement powers of theFederal Trade Commission (FTC). European Union and Swiss individuals have the possibility, under certain conditions, to invoke binding arbitration.
- Zingtree may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.
- Zingtree’s liability regarding the onward transfer of personal information to third parties shall be governed by the applicable mutually executed agreements and in compliance with the EU-US & Swiss-US Privacy Shield requirements.
IV. GDPR FOR YOUR PUBLISHED TREES
When you create a decision tree using the Zingtree platform, and you have customers residing in the EU, Zingtree suggests you adhere to the following general guidance:
- Consent: If you are collecting any personal information using Data Entry fields (name, email, address, etc.), you are required to ask for consent first. We recommend using Zingtree's Require Confirmation feature to do this.
- Breach notification policy: If we discover a data breach on our side, Zingtree will notify you as soon as possible or in accordance with the mutually executed agreement via your login email. It is your responsibility to notify any of your customers who may be affected.
- Data Access: Individuals must have the right to request confirmation of whether you have their personal data, and this must be provided free of charge, in a format that is easily readable. If you are collecting personal data via Zingtree, you can use the Session List or Form Data reports to find, gather and deliver this information.
- Right to be Forgotten: If a customer asks to have their data erased, you can do this via the Session List Report, Session Details. Individual sessions can be erased, including their session transcript and any data collected.
- Privacy by Design: Be judicious about what data you are collecting from the users of your trees. If it's not necessary, it's best to not ask.
V. ZINGTREE INFRASTRUCTURE (U.S.- and EU-BASED DATA CENTERS)
Zingtree has established data center operations in both the U.S. (U.S.-East-1 -Virginia) and in the EU (EU-West-1 - Ireland). Thus, Zingtree can host a customer’s data in either location. Also, Zingtree will execute the requisite data protection agreements.
VI. ZINGTREE SECURITY AND PRIVACY PROGRAM
Zingtree highly values the security and privacy of Customer information and, therefore, is most committed to proactively ensuring its confidentiality, integrity, and availability. Consequently, Zingtree has designed security and privacy upfront into its products and services rather than just as an afterthought. Zingtree’s security and privacy program is designed to not just satisfy compliance standards, but to go beyond to embrace the concept of industry’s “best practices.”
Safeguarding our customer’s information is a top priority of Zingtree. Thus, Zingtree has implemented a wide array of security controls to ensure we meet and/or exceed multiple security compliance standards. Specifically, Zingtree has been awarded its SOC2/Type2 and HIPAA third-party compliance attestation. To supplement its security compliance program, Zingtree has adopted the National Institute of Technology and Standards’ (NIST) risk management framework (RMF) and the associated security policies and controls, as presented in its SP 800-53, r5. For details on Zingtree’s Security Program, please refer to Zingtree's Security Program.
To comply with EU data protection laws around international data transfer mechanisms, Zingtree has applied to become self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. Designed by the U.S. Department of Commerce and the European Commission and Swiss Administration, Privacy Shield was developed to provide a framework for companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. In addition, we offer European Union Model Clauses, also known as Standard Contractual Clauses, to meet adequacy and security requirements for our customers who operate in the EU.
VII. Data Processing Agreement
If you require a customized Data Processing Agreement with Standard Contractual Clauses, either send us your own copy, or download and complete this Word document, and send to Zingtree for signature.
VIII. COMPLAINTS AND ENFORCEMENT
In compliance with the Privacy Shield Principles, Zingtree commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Zingtree at firstname.lastname@example.org.
Zingtree has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU and Switzerland.
IX. Contact Us
If you have any questions about Zingtree’s GDPR program and/or would like to request a list of our sub processors, please send an email to email@example.com or contact us at:
Attn: Security & Privacy Officer
700 Larkspur Landing Circle, Suite 199
Larkspur, CA 94939