This article provides comprehensive information regarding the General Data Protection Regulation (GDPR) as applied to SpotlerCRM. The content explains the regulation’s purpose, outlines the Statement of Compliance, and details the subprocessors involved in handling customer data. Users will find information about data protection measures, compliance processes, and a list of subprocessors arranged in tables.
GDPR – General Data Protection Regulation
The General Data Protection Regulation came into force on 25th May 2018 and is designed to protect the privacy of EC citizens, to ensure their personal data is not exported outside the EU, and to give them control over how their data is used. GDPR is also implemented in the UK post-Brexit and, among other countries, in Switzerland, Iceland, Norway, Liechtenstein, New Zealand and Argentina. The legislation covers all entities worldwide that hold data on EC citizens, not only entities resident in the EC.
Under GDPR terminology, each customer is considered their own Data Protection Officer, while the Data Processor is SpotlerCRM.
SpotlerCRM is fully compliant with GDPR. All data is hosted in the EC and the CRM includes multiple GDPR compliance features such as Mailing & Consent Lists. Read our Statement of Compliance.
The General Data Protection Regulation (GDPR) came into effect in May 2018 to protect EC citizens’ personal data, enshrining the principle that a citizen’s personal data belongs to them and not to the organisation collecting it.
GDPR Statement of Compliance
SpotlerCRM complies with the provisions of GDPR both in the capacity of Data Controller for customers’ personal data and as Data Processor for customers of the CRM.
- All customer data is stored within the EC in data centres that are ISO27001 compliant, with data on production servers encrypted at rest.
- All subprocessors that store or process personal data are GDPR compliant.
- A Data Protection Officer, a Breach Notification Process and policies for Right to Erasure & Data Portability are in place.
- All staff are subject to the Customer Data Access Policy enforced in their employment contracts.
SpotlerCRM is one of the few CRM products that have built-in GDPR compliance features, allowing users to capture and store consents. See Mailing & Consent Lists for more details.
GDPR Subprocessors
As part of GDPR compliance, SpotlerCRM ensures that all subprocessors who can access customer data are GDPR compliant and that individual contracts with them enforce this compliance.
Authorised Subprocessors
The following subprocessors are authorised to access customers’ data:
Entity | Location | Service |
---|---|---|
SendGrid Inc | United States of America | Delivery of emails and return of statistics such as opens, click-throughs and bounces. Applies only to customers using the Marketing tool. |
Infrastructure Subprocessors
The following subprocessors provide infrastructure services but are not authorised to access customers’ data:
Entity | Location | Service |
---|---|---|
CloudFlare | United States of America | DNS and anti-DDoS |
Google Cloud | Belgium, United Kingdom | Cloud hosting |
Amazon Web Services | France and Sweden | Data Centre |
Services for Business and Communication
The following services are used to run business operations and communicate with customers and prospects:
Entity | Location | Service |
---|---|---|
GoCardless | United Kingdom | Payment services |
Google Analytics | United States of America | Web site analytics |
Google Apps | United States of America | Email and document storage |
BigMarker | United States of America | Web Conferencing |
PayVector | United Kingdom | Payment services |
SnapEngage | United States of America | Online Chat |
SurveyMonkey | United States of America | Online Surveys |
Third-party Products
If any of the following third-party products are used, data from the CRM will be passed to them. These are not considered subprocessors because the contract is held directly with the third party:
Entity | Location | Service |
---|---|---|
KashFlow | United Kingdom | Cloud Accounting |
SageOne | United Kingdom | Cloud Accounting |
Xero | New Zealand | Cloud Accounting |
Zapier | United States of America | Integration to other cloud services |