Alexa ConvergeHub is fully compliant with GDPR | ConvergeHub

GDPR Compliance

On May 25, 2018, a landmark privacy law, the General Data Protection Regulation (GDPR), takes effect in the European Union (EU). The GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market to, track, or handle the personal data of people in the EU. It strengthens the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data.

What does it Protect?
The GDPR regulates the “processing” of data for EU individuals, which includes collection, storage, transfer, or use. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).

Does the GDPR require data to stay in the EU?
No. The GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU.

ConvergeHub is built with security to protect your data and applications. You can also implement your own security scheme to reflect the structure and needs of your organization. Protecting your data is a joint responsibility between you and ConvergeHub. ConvergeHub security features enable you to empower your users to do their jobs safely and efficiently. The available security features are described below:

Compliant Infrastructure
ConvergeHub uses Amazon EC2, RDS, S3 and many other Amazon AWS services, which provide end-to-end security and privacy features built in and which Amazon has already declared GDPR compliant under the CISPE Code of Conduct. Our team takes additional proactive measures to ensure a secure infrastructure environment. For more specific details regarding AWS security, please refer to https://aws.amazon.com/security/.

SSL Encryption
ConvergeHub uses SSL encryption to transport data from users to our secured databases. The encryption uses the SHA256 algorithm.

Separate Instance
Each customer has their own separate database schema in ConvergeHub, so one customer's data cannot be exposed to, or interfered with by, another customer.

Table level security
Using table permissions, users can be restricted from seeing, creating, updating or deleting tables. Table permissions also let you hide whole menus of tables from particular users, so that they do not even know the table exists.

Field level security
In some cases, you may want users to have access to a table but limit their access to individual fields in that table. Field-level security (field permissions) controls whether a user can see or edit the value of a particular field in a table. It lets you protect sensitive fields without having to hide the whole table from users.

Row level security
Along with tables and fields, you can also control the records themselves. Record-level security lets you give users access to some records in a table but not others. Every record is owned by a user, and the owner has full access to the record. In a hierarchy, users higher in the hierarchy always have the same access as the users below them. There are two ways in which you can specify record-level security.

  1. Organization Sharing Settings: The first step in row-level security is to determine the organization sharing settings. By default, all records are visible to all users in an organization. You can use the organization sharing settings to lock down data to the owners and their managers. After this is done, you can selectively give access to records to other users using the other row-level security settings.
  2. Team Hierarchy: Once you have specified the organization-wide sharing settings, you can use a team hierarchy to share wider access to records. A team hierarchy grants users access to records based on criteria such as zip code, industry, or a custom field that is relevant to your business. For example, you could create a team hierarchy in which a user with the “North America” role has access to different data than users with the “Canada” and “United States” roles.
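The record-level access decision described above (owner access, the organization-wide default, manager inheritance, selective sharing and the team-hierarchy rule), written out as an added illustrative model. This is not ConvergeHub's code; the role tree, user names and the `region` field are constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical role tree for the example: each role maps to the role directly above it.
ROLE_PARENT = {"Canada": "North America", "United States": "North America", "North America": None}


@dataclass
class User:
    name: str
    role: str


@dataclass
class Record:
    owner: str                                       # user name of the record owner
    region: str                                      # field the team-hierarchy rule matches on
    shared_with: set = field(default_factory=set)    # explicit per-user grants


def is_above(role_a, role_b):
    """True if role_a is an ancestor of role_b in the team hierarchy."""
    cur = ROLE_PARENT.get(role_b)
    while cur is not None:
        if cur == role_a:
            return True
        cur = ROLE_PARENT.get(cur)
    return False


def can_read(user, record, users_by_name, org_sharing="private"):
    """Evaluate the rules in order: owner, org-wide default, manager inheritance,
    explicit share, then the team-hierarchy (region) rule."""
    if user.name == record.owner:
        return True                                  # the owner has full access
    if org_sharing == "public":
        return True                                  # default: all records visible to everyone
    owner = users_by_name[record.owner]
    if is_above(user.role, owner.role):
        return True                                  # managers inherit their subordinates' access
    if user.name in record.shared_with:
        return True                                  # selectively shared after the lock-down
    # team hierarchy: a role matching the record's region, or one above it, sees the record
    return user.role == record.region or is_above(user.role, record.region)


# Constructed sample data: one manager and two regional users, with a private org setting.
USERS = {u.name: u for u in (User("ann", "North America"), User("bob", "Canada"),
                             User("cid", "United States"))}
REC_CA = Record(owner="bob", region="Canada")
REC_US = Record(owner="cid", region="United States", shared_with={"bob"})
```

With the private setting, `cid` cannot read `bob`'s Canadian record, while `ann` (above both roles) can; switching `org_sharing` to `"public"` restores the default where everyone sees everything.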

Report Sharing
Each report is added to a folder. Using report sharing, users can be allowed or disallowed to view or edit particular reports.

Monitoring
You can select certain fields in any table to track and monitor edits to those fields. Modifying any of these fields adds a non-deletable entry to that table's activity log.

Consent
ConvergeHub strives to help you comply with data protection and privacy regulations by implementing measures such as email opt-outs. We ask for consent before signups and similar actions, and we store the consent, the time of consent and the context of consent for legal obligations. To make it easier for our customers to store the consent of their own users, ConvergeHub gives an option to create custom tables with consent fields. These consent records can be linked to records in the desired tables.

Data processing restrictions
When a situation requires it, you can prevent the processing of your customers' data. We give guidance to help you restrict particular forms of data processing, so that you can work toward complying with the laws that apply to your organization. You can also export from ConvergeHub any data that you do not want to be processed.

Data portability
There are various options for data portability. You can use the APIs or the Import Wizard to import data from CSV files into ConvergeHub, and you can allow your customers to export their data as required by the applicable data regulations. Data can be extracted by various methods, such as UI-driven export, reports and the REST API. Export formats include JSON and CSV.

Data Transfer
We may transfer, process and store Personal Data we collect through the Services in centralized databases and with service providers located in the US. The US may not have the same data protection framework as the country from which you may be using the Services. When we transfer Personal Data to the US, we will protect it as described in this Privacy Policy and Terms & Conditions.

The Service is hosted in the United States. Regardless of the database being hosted in the European Union, if you choose to use the Service from the EU or other regions of the world with laws governing data collection and use that may differ from US law, then please note that you may be transferring your Client Data and Personal Data outside of those regions to the United States for storage and processing by our service providers listed in our Terms of Service. We will comply with GDPR requirements by providing adequate protection for the transfer of personal information from Europe to the US. We may also transfer your data to the US, the EEA, or other countries or regions deemed by the European Commission to provide adequate protection of personal data in connection with the storage and processing of data, fulfilling your requests, and operating the Service.

Data Controller and Data Processor
ConvergeHub does not own, control or direct the use of any of the Client Data stored or processed by a Client or User via the Service. Only the Client or Users are entitled to access, retrieve and direct the use of such Client Data. ConvergeHub is largely unaware of what Client Data is actually being stored or made available by a Client or User to the Service and does not directly access such Client Data except as authorized by the Client, or as necessary to provide Services to the Client and its Users.

Because ConvergeHub does not collect or determine the use of any Personal Data contained in the Client Data, and because it does not determine the purposes for which such Personal Data is collected, the means of collecting it, or its uses, ConvergeHub is not acting in the capacity of data controller in terms of the European Union's General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and does not have the associated responsibilities under the GDPR. ConvergeHub should be considered only as a processor on behalf of its Clients and Users as to any Client Data containing Personal Data that is subject to the requirements of the GDPR. Except as provided in this Privacy Policy, ConvergeHub does not independently cause Client Data containing Personal Data stored in connection with the Services to be transferred or otherwise made available to third parties, except to third-party subcontractors who may process such data on behalf of ConvergeHub in connection with ConvergeHub's provision of Services to Clients. Such actions are performed or authorized only by the applicable Client or User.

The Client or the User is the data controller under the Regulation for any Client Data containing Personal Data, meaning that such party controls the manner such Personal Data is collected and used as well as the determination of the purposes and means of the processing of such Personal Data.

ConvergeHub is not responsible for the content of the Personal Data contained in the Client Data or other information stored on its servers (or its subcontractors' servers) at the discretion of the Client or User, nor is ConvergeHub responsible for the manner in which the Client or User collects, handles, discloses, distributes or otherwise processes such information.

Data Retention
We only retain the Personal Data collected from a User for as long as the User’s account is active or otherwise for a limited period of time as long as we need it to fulfill the purposes for which we have initially collected it, unless otherwise required by law. We will retain and use information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements as follows:

  • the contents of closed accounts are deleted within 6 months of the date of closure.
  • backups are kept for 12 months.
  • information on legal transactions between Client and ConvergeHub is retained for a period of 10 years.

We hope this makes your use of ConvergeHub and the transition to GDPR much easier. As always, please contact us if you have any questions: support@ConvergeHub.com.

List of Sub-Processors
We work with the best in the market to ensure complete compliance, data safety and peace of mind.

List of Processors

  1. Amazon Web Services
    Hosting services in the US
  2. BluePay
    Payment gateway (PCI compliant)
  3. Paypal
    Payment gateway (PCI compliant)
  4. Sendgrid
    Email API Provider
  5. Google (Gmail)
    To allow customers to send emails via Gmail
  6. Google (Google Analytics)
    Business Analytics
  7. Twilio
    Two-factor authentication (2FA)

Right to object (opt-out)
You can easily add a contact to the Opt Out list to stop all outbound emails and SMS to that contact. Your customer can even text you “Stop” to opt out of any future text messages.

Right to be forgotten
With ConvergeHub, deleting a contact permanently deletes all data related to that individual. You can delete any contact from your ConvergeHub Contacts.
If your customer (data subject) wishes to exercise his/her Right To Be Forgotten under the GDPR, you can do so by:

  1. Deleting his/her contact information in ConvergeHub
  2. Deleting all emails related to his/her contact
  3. Adding the contact to the Opt Out list (so that no one from your team can ever contact that person again, either via email or SMS)

For confirmation or any help, you can write to our support team at support@ConvergeHub.com.

Last updated on August 26, 2019