Transfer Impact Assessment & GDPR Compliance Statement
The General Data Protection Regulation (the GDPR) provides certain rights to EU citizens’ regarding how their data is processed and shared. It went into effect on May 25, 2018, and applies to any company that handles personal data from EU citizens and those living in the EU.
Customer.io acts as a Processor (as defined in the GDPR) with respect to the information our customers upload to our services. Customer.io acts as a Controller (as defined in the GDPR) with respect to certain information that we collect about the use of our services.
In July 2020, the European Union’s top court invalidated the Privacy Shield, which previously helped protect data transfers between the EU and the US. In response to this new ruling, we updated our Data Processing Addendum to include the new Standard Contractual Clauses. We also offer the option to store your data in our EU region data center. For more information on EU data transfers, please refer to our “Transfer Impact Assessment” section below.
GDPR Basics
Replacing the previous EU privacy directive 95/46/EC, which had been in place for over 20 years, the GDPR strengthens and expands individuals’ privacy rights in an era in which much of life takes place online.
The GDPR is extensive, affecting not just businesses based in the EU but also any company that processes EU citizens’ data. For instance, if you’re sending data about a person in the EU to Customer.io, the GDPR likely applies to your transfer of data to Customer.io.
The Data Protection Principles outlined in the GDPR include requirements like the following:
- Personal data collected must be processed in a fair, legal, and transparent way and should only be used in a way that a person reasonably expects.
- Personal data should only be collected to fulfill a specific purpose, and it should only be used for that purpose. Organizations must specify why they need personal data when they collect it.
- Personal data should be held no longer than necessary to fulfill its purpose.
- Individuals covered by the GDPR have the right to access their data. They can also request a copy of their data and be updated, deleted, restricted, or moved to another organization.
How Does Customer.io Comply With GDPR?
As a customer of Customer.io, you decide what personal data is uploaded into our product. In many cases, you can also mask certain data elements, such as sensitive data elements, so that we do not receive sensitive information about your customers. In face, under GDPR’s principles of privacy by design, we strongly encourage all customers to mask data or information that does not need to be uploaded to the product. Please talk to our customer support team if you have questions.
As described in more detail in our Data Processing Addendum, we act as a data processor with respect to the information that our customers upload to our products. That means that our customers direct and control what information is provided to us. In some cases, we act as a data controller when supplying services to you (as our customer), and for this reason, we have the right to make decisions about your data on your behalf. We describe how we act as a data controller in more detail in our Data Processing Addendum.
Data Residency in the EU
We provide more control and confidence by ensuring your data stays in accordance with the GDPR by allowing you to choose where your data is stored. Upon creating an account, simply select where you would like your data to be hosted, United States or Europe, based on your organization’s needs. Point your data in the right direction with the use of our unique regional API keys here: https://customer.io/docs/api/?region=eu
Transfer Impact Assessment
Overview
A Transfer Impact Assessment is an assessment of the privacy protections of the laws and regulations of a recipient country outside of the EU or EEA. Transfer Impact Assessments were introduced in the decision of the Court of Justice of the European Union (“CJEU”)in the case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”). In the decision, the CJEU made clear that data exporters must evaluate whether adequate levels of privacy protection that are provided on a case-by-case basis, focusing on the laws of the jurisdictions to which they export data. A data exporter should assess the laws, regulations and rules of the third country to which it exports data.
Data Protection Framework
To address the concerns raised in Schrems II, in October 2022, President Biden signed Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities, which requires certain changes to the way U.S. intelligence agencies collect data under its collection authorities. In furtherance of Executive Order (EO) 14086, the Department of Commerce created the EU-U.S. Data Privacy Framework (DPF)—a framework to allow for international data transfers to the U.S.—for which the European Commission adopted an adequacy decision on July 10, 2023.
Customer.io is listed as an active member of under DPF. That said, we continue to believe that being transparent about our data-transfer practices is important to our customers, so we will continue to maintain this Transfer Impact Assessment Statement available so that our customers are confident in their ability to use our services no matter where they are located.
Relevant U.S. Collection Authorities
The Schrems II court primarily focused on two US legal frameworks related to the collection of personal data: Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) and Executive Order (EO) 12333. Here, we briefly summarize those two frameworks and their impact on Customer.io.
FISA 702 permits a specialized US court to authorize the federal government to issue orders to US companies to disclose data about specific non-US persons reasonably believed to be outside the US under FISA 702, these orders may only be issued to “electronic communication service providers.” We have analyzed the scope of FISA 702 and do not believe that we are subject to government orders for communications under the statue.
EO 12333 outlines how US intelligence agencies can collect the communications of non-US persons reasonably believed to be outside of the US. Importantly, EO 12333 does not include any authorization to compel private companies to disclose personal data to the US government. We do not believe that EO 12333 introduces a substantial risk to our customers with respect to our products and services because (1) kinds of data that our customers send to us through the services would not constitute the types of communications that are relevant for the US government during intelligence operations, and (2) we encrypt all customer data in transit across public networks. As a result, we believe we are at little risk of having any Customer Personal Data in the clear intercepted under EO 12333 operations.
It is important to note that certain communications channels may not support encrypted messages, such as SMS. If you use our service to send text messages MMS messages may be converted to SMS messages by Twilio in some cases. Also, if your recipients do not use an encrypted email messaging service, messages will only be sent in an unencrypted format. It’s also important to note that our customers are required to set up an account directly with Twilio in order to use Twilio services. Therefore, Twilio’s data processing agreement applies to our customer’s use of that service and is entered into directly between Twilio and our customer. We encourage customers to refer to Twilio’s Transparency Reports for more information.
Government Access Requests in General
Taken together, we believe that there is little risk that the US government would collect the personal data of our customers.
That said, if we ever were to receive any kind of request from a governmental body requesting the personal data submitted to our services, to the extent permitted by applicable laws, we would (1) attempt to fight or quash the request by raising nonfrivolous objections; (2) provide our customer with reasonable notice of the request so that our customer would have the opportunity to seek a protective order or other appropriate remedy; (3) attempt to redirect the governmental body to request the information directly from our customer; and (4) if ultimately required to disclose personal data to the government, limit the disclosure to the minimum amount of data legally necessary to comply with the request.
Onward Transfers
Information about our subprocessors is available on our Subprocessor List. There, we identify each of our subprocessors along with the specific services that they provide to us and their locations.
Before we engage a new subprocessor, we subject the processor to an information security review to ensure that the subprocessor meets our information security requirements for receiving customer data. This includes reviewing each vendor’s security and privacy practices to ensure that they meet our legal requirements, as well as requiring them to sign a data processing addendum with us that (1) provides protections for personal data, as required by applicable law, and (2) includes GDPR GDPR-compliant transfer mechanisms for any onward transfers of customer personal data.
We do want to note, that when our customers use Twilio with respect to our services, they engage with Twilio independently and that Twilio does not act as a subprocessor on our behalf with respect to our services. Please refer to Twilio’s “Security Overview” page and its “Binding Corporate Rules” page for more information.
Contractual Agreements
We regularly review our legal agreements and make changes that may be required by applicable law. We post our Data Processing Agreement, Standard Contractual Clauses, Terms of Service, and Privacy Policy to our site for easy access. You can find a complete list of our sub-processors here: https://customer.io/legal/sub-processors.
Security and Data Management
Customer.io employs policies and procedures around security and data management. Additionally, we have a designated internal team and engaged outside expertise to enhance security standards that protect our customers’ data:
- Our Data Protection Officer ensures ongoing GDPR compliance. You can contact them at dpo@customer.io.
- We ensure prompt notifications to customers and GDPR authorities as required in the unlikely event of a data breach.
- We have formalized and documented internal policies related to data security.
- We use safeguards to ensure secure and proper handling of data stored outside of the EU as required.
- We only process personal data according to our customer’s instructions.
For more information on our security practices, please refer to our “Security” page.
Expanding Product Capabilities
To help you comply with Article 24 (responsibility of the controller) and your end-users’ requests related to the right to access, data portability, right to erasure, right to object and the right to restrict processing — our platform easily allows for:
- Easy profile export: Export all data about a single profile in a simple, standardized format to help you with requests from your end-users regarding access and data portability.
- Automatic suppression: API endpoint that allows us to block any associated incoming personal data to help you comply with requests regarding the right to object or restrict.
- Audit trail: Customer.io provides limited auditing information upon request to date. We expanded and enhanced this capability by adding full audit trails for all changes to your Customer.io account.
Existing Product Capabilities
Customer.io enables compliance with requirements regarding the right of data rectification and the right to be forgotten:
- Right to rectify user data: GDPR gives individuals the right to rectify any inaccurate or incomplete personal data. In Customer.io, data can be adjusted at any time with a simple identify call. This will create or update the associated profile with the newly provided data.
- Right to be forgotten: We make it easy for you to honor deletion requests from your end-users by calling the DELETE API or using the UI to delete a profile. We ensure that any associated user data and historical data are quickly and permanently deleted from our data stores.
- Accountability: Customer.io has role-based permissions, supports encryption at rest of all associated account data, and many data management tools.
If you have any questions or concerns regarding GDPR and Customer.io, please send us a detailed message to gdpr@customer.io.