What is Social Intents' EU GDPR compliance?
The European Union General Data Protection Regulation (GDPR) is a regulation that unifies the data privacy rules of the EU member states into a single regulation enforced across the EU single market. This article describes the GDPR compliance status of Social Intents.
If your company needs to ensure it is GDPR-compliant, it also needs to ensure that its providers (i.e. Social Intents) are GDPR-compliant. Social Intents is GDPR-compliant and strictly enforces the regulation to protect the user data we store. The list of our providers (i.e. data processors) is available, and kept up to date, in our Data Processing Agreement (DPA).
Social Intents and GDPR
Here at Social Intents, we believe that strong privacy practices are good for both your customers and your business. We are committed to supporting your compliance with applicable data and privacy regulations, and to providing you with relevant, accurate information about Social Intents data and privacy practices.
The GDPR regulation can be reduced to the following important points. For each point, we explain how Social Intents handles its compliance. If we did not answer your questions in this article, you can still email or chat with us.
Also, please note that all Social Intents data processor providers have been verified to be GDPR-compliant (Amazon Web Services, Stripe, PayPal).
All Social Intents data is held on servers hosted in the United States. Servers are hosted by Amazon Web Services.
1. Data Controller
Social Intents, LLC acts as the data controller for the personal data collected and processed through our SaaS platform.
2. Awareness
All employees responsible for software development & infrastructure maintenance of Social Intents are fully aware of the GDPR requirements.
Also, code reviews are performed by the Data Protection Officers (as listed in this article) before any code deployment to the platform. This ensures that security weaknesses and bad practices are not introduced by, e.g., a third-party temporary contractor or a Social Intents employee, even one aware of the GDPR requirements.
3. Types of Personal Data Collected
Social Intents stores data on 2 kinds of parties:
- Our customers (i.e. the operators using the Social Intents dashboard or Teams integrations to reply to their users)
- Our customers' end-users (i.e. the users of our customers)
Social Intents does not share or resell any kind of user data (whether data described in point 1 or 2 above). The data is not used for advertising (both 1 and 2) or analytics (on 2). Our business model is based solely on paid subscriptions (i.e. the user is not the product).
3.1. Information held on our users
Social Intents collects account information for each user, including:
- User first and last name, and profile picture
- User payment details (includes invoicing information, e.g. company address and country; the credit card number and payment information is stored by either Stripe or PayPal)
We don't log user activity, except for system logs including IP address, user agent and time of connection. They are used solely for debugging and lawful purposes, and are retained for a maximum of 1 week.
3.2. Information held on our users' end-users
Information held on our users' end-users includes:
- End-user email address
- End-user phone number
- End-user name
- End-user message exchanges
- End-user last activity date and time
The information stored on our users' end-users is solely the responsibility of our users (i.e. the individual websites using Social Intents). Our users can optionally turn off the storing of transcripts, so that no end-user data is stored in our database and systems. It is the responsibility of our users to manage the data they hold in their Social Intents accounts, and to remove sensitive data if someone happens to share it with them. It is our responsibility to secure access to this data (i.e. only website operators can access it and have the right to rectification and deletion).
3.3. Purposes of Data Processing
- Facilitating live chat communication between users and our customer support team.
- Identifying users and providing personalized support.
- Responding to inquiries, resolving issues, and delivering requested services.
- Improving the functionality and user experience of our live chat service.
4. Data Processing Principles
We adhere to the following principles when processing personal data:
- Lawfulness, fairness, and transparency: Personal data is processed lawfully, fairly, and transparently in accordance with GDPR requirements.
- Purpose limitation: Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data minimization: We only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accuracy: We take reasonable steps to ensure that personal data is accurate, complete, and up-to-date.
- Storage limitation: Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
- Integrity and confidentiality: We implement appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data.
- Accountability: We maintain records of data processing activities and take responsibility for compliance with GDPR requirements.
5. Data Security Measures
We implement the following technical and organizational measures to ensure the security of personal data:
- Encryption: Personal data is encrypted both in transit and at rest to prevent unauthorized access.
- Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
- Regular security assessments: We conduct regular security assessments and audits to identify and address potential vulnerabilities.
6. Communicating privacy information
Social Intents customers' and users' privacy terms are clearly communicated in our Privacy Policy.
7. Individuals’ rights
Social Intents customers' rights under the GDPR are considered and enforced, including:
- Right to be informed: we clearly inform our users about the use that will be made of their data
- Right of access: our users can access all their data, without restriction
- Right of rectification: it's as simple as contacting us; we'll process all your rectification queries
- Right of erasure: it's as simple as contacting us; we'll process all your erasure queries
- Right to restrict processing: we don't process the data of our customers (or our customers' end-users)
- Right to data portability: our users may contact us anytime if they wish to get an export of their data
- Right to object: we handle all requests on this matter from our users and users' end-users
- Right not to be subject to automated decision-making, including profiling: we don't do that (and never will)
8. International Data Transfers
To facilitate international data transfers, we incorporate EU Standard Contractual Clauses (SCCs) into our contractual agreements with relevant parties involved in the processing of personal data. These SCCs ensure that adequate safeguards are in place for the protection of personal data transferred outside the European Economic Area (EEA) to countries that do not provide an adequate level of data protection.
9. Subject access requests
Social Intents replies to all access requests in under 2 weeks. We offer this free of charge for our customers.
10. Consent
Consent is provided by our users explicitly when the data consent checkbox is enabled on the pre-sales form.
Social Intents allows its customers to submit user data in an automated way, via a frontend JavaScript API and a backend REST API, for instance to assign an email address to a chat session when the chat session user is already identified through their account on the customer's website. This data must have been provided by the customer's user with their consent, as it will be propagated to Social Intents automatically (if the customer has implemented such an API call in their source code).
11. Children
Social Intents does not offer online services to children, due to the nature of the service provided (business-to-business). Thus, we have not identified it as relevant to verify the age of users signing up for our services.
Children might still be able to use the Social Intents chat services from the website or apps of a Social Intents customer. To that extent, the Social Intents customer is responsible for checking their own users and activities against regulations concerning children.
12. Data breaches
Our team closely monitors any unauthorized system access, and has put in place multiple preventive measures to reduce the attack surface on our systems and services.
Security researchers and users can submit a security report to our email service@socialintents.com.
Here are a few measures we take to reduce any attack surface:
- Leverage Amazon Web Services infrastructure to maintain security throughout the app
- Aggressive use of firewalls and network isolation in our infrastructure
- We monitor any security flaw in any library we may use in our running backends, and patch it as soon as an update is issued
- Isolate data stores and sensitive backends on different servers
Social Intents will notify its users of any data breach within 24 hours at most of learning about it and fixing the flaw. It is then the responsibility of our users to report this data breach to their end-users in due time.
13. Data Protection Officers
Social Intents has designated a Data Protection Officer. You can contact us for details.
14. International
Social Intents, LLC is based in the United States.
Social Intents, LLC
Address: 4880 Lower Roswell Rd, Suite 165-112, Marietta, GA 30068
Email: james@socialintents.com
Phone: 404-669-6609