GDPR Policy

Since our inception, SightCall’s approach has been anchored with a strong commitment to privacy, security, compliance and transparency. This approach includes supporting our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”), which replaced the EU Data Protection Directive (also known as “Directive 95/46/EC“) and became enforceable on May 25, 2018.

If a company collects, transmits, hosts or analyzes personal data of EU citizens, GDPR requires the company to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR. To further earn our customers’ trust, our DPA has been updated to provide our customers with contractual commitments regarding our compliance with applicable EU data protection law and to implement additional contractual provisions required by the GDPR. Our contractual commitments guarantee that customers can:

• Respond to requests from data subjects to correct, amend or delete personal data.
• Be made aware of and report personal data breaches to relevant supervisory authorities and data subjects in accordance with GDPR timeframes.
• Demonstrate their compliance with the GDPR as pertaining to SightCall’s services.

What is the GDPR?

The General Data Protection Regulation (“GDPR”) is the European privacy regulation which replaced the EU Data Protection Directive (“Directive 95/46/EC”). The GDPR addresses the processing of personal data and the free movement of such data. It aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. Broadly, it sets out a number of data protection principles and requirements which must be adhered to when personal data is processed.

The GDPR also established the European Data Protection Board (“EPDB”), which ensures that the data protection law is applied consistently across the EU and works to ensure effective cooperation amongst data protection authorities.

How does the GDPR apply to customers?

SightCall customers that collect and store personal data are considered data controllers under the GDPR. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant EU data protection law, including the GDPR and uniquely determine what personal data is submitted to, and processed by, SightCall in accordance with the Services.

What implications does GDPR have for organizations processing the personal data of EU citizens?

One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.

In its capacity as data processor, how does SightCall handle requests made by End-Users?

If SightCall receives a data subject request from a Customer’s End-User (i.e., a user of the Services to whom a Customer has provided our Services), SightCall is the Processor, and SightCall will, to the extent that applicable legislation does not prohibit SightCall from doing so, promptly inform the End-User to contact our Customer (i.e. the Controller) directly about any request relating to his/her Personal Data such as access or deletion. SightCall will not further respond to a data subject request without Customer’s prior consent.

What are some suggestions for SightCall customers with regard to GDPR?

SightCall encourages customers to continually review their privacy and data security processes and policies to ensure compliance with the GDPR. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with EU data protection law. Below are some key points to consider for GDPR compliance:

• Geographical Application: The GDPR may apply to organizations that are established in the EU as well as certain organizations established outside the EU but which are processing the personal data of EU citizens, depending on their activities.
• Rights of End-Users: Organizations should be cognizant of End-Users whose personal data they may be processing. The GDPR establishes enhanced rights for End-Users, and organizations should be able to accommodate those rights.
• Data Breach Notifications: Organizations that are controllers of personal data should have clear processes in place in order to comply with the GDPR requirement to report data breaches in accordance with the time frames set out within the GDPR. SightCall will notify affected customers without undue delay if we become aware of a data breach of our services.
• Appointment of Data Protection Officer (“DPO”): Customers may need to appoint DPOs to manage issues relating to the processing of personal data.
• Data Processing Agreement (“DPA”): Where personal data is transferred outside the EEA, a customer may need DPAs in place with its sub-processors to ensure an adequate level of protection for the transferred data.

Which SightCall services and features can support customers compliance with the GDPR?

Customers can use SightCall’s third-party SOC 2 audit reports to help conduct their risk assessments and determine whether appropriate technical and organizational measures are in place.

Below are examples of specific SightCall product features that customers can utilize to assist with the GDPR compliance program.

Auditing Standards:

• SOC 2 type 2 reports

Scanning:

• Regular penetration test assessments
• Dynamic scanning of live applications
• Static scanning of code repositories
• Web Application Firewalls

Encryption:

• Encryption of data in motion over public networks
• Encryption of certain data at rest with AES256

Does SightCall currently provide any product specific features or functionality in its products to assist us with our GDPR compliance program?

Yes, more detailed information on how to use SightCall products to stay compliant with GDPR can be found via our Help Center or contacting your sales representative.

What are the “Model Clauses”?

The European Commission has approved a set of standard provisions called the Standard Contractual Clauses (“Model Clauses”) which provide a data controller a compliant mechanism to transfer personal data to a data processor outside the European Economic Area (“EEA”). The Model Clauses are appended to the SightCall DPA to help provide adequate protection for data transfer outside of the EEA or Switzerland.

Does SightCall replicate the Service Data it stores?

SightCall periodically replicates data for purposes of archival, backup and audit logs. We use Amazon Web Services (AWS) to store some of the information that is backed up, such as database information. Data are encrypted before external storage.

What steps has SightCall taken to prepare for Brexit (the UK’s departure from the European Union)?

Irrespective of the outcome of the ongoing Brexit negotiations, SightCall remains committed to the success of our Customers and employees in the UK and the rest of Europe. We are closely monitoring the negotiations between the UK government and the European Union regarding the details of their future relationship. As the details become clear, we will take appropriate measures to ensure that our Customers can continue to use our services in compliance with both EU and UK laws, and for SightCall overall, business will continue as usual and will remain focused on our Customers’ success.