What's Social Intents EU GDPR compliance

The European Union General Data Protection Regulation (GDPR) is a regulation that aims at unifying EU member state data privacy regulations into a single regulation, enforced on the EU single market. This article describes the GDPR compliance status of Social Intents.

If your company needs to ensure it is GDPR-compliant, it also needs to ensure its providers (ie. Social Intents) are also GDPR compliant. Social Intents is GDPR-compliant, and strictly enforces the regulation as to protect the user data we store. The list of our providers (ie. Data Processors) is available, and kept up to date, in our Data Processing Agreement (DPA).

Social Intents and GDPR

Here at Social Intents, we believe that strong privacy practices are good for both your customers and your business. We are committed to supporting your compliance with applicable data and privacy regulations, and to providing you with relevant, accurate information about Social Intents data and privacy practices. 

Please note that this information is not legal advice. We strongly encourage you to discuss compliance questions with a lawyer who is familiar with your business.

The GDPR regulation can be reduced to the following important points. For each point, we explain how Social Intents handles its compliance. If we did not answer your questions in this article, you can still email or chat with us.

Also, please note that all Social Intents data processor providers have been checked to be all GDPR-compliant ( Amazon Web Services, Stripe, PayPal). 

All Social Intents data is held on servers hosted in the United States. Servers are hosted by Amazon Web Services.

1. Awareness

All employees responsible of software development & infrastructure maintenance of Social Intents are fully aware of the GDPR requirements.

Also, code reviews are performed by the Data Protection Officers (as listed in this article), before any code deployment to the platform. This ensures security breaches and bad practices are not implemented by eg. a third party temporary contractor or a Social Intents employee, even if aware of GDPR requirements.

2. Information we hold

Social Intents stores data on 2 kinds of parties:

Our customers (ie. the operators using the Social Intents dashboard or Teams integrations replying to their users)
Our customers end-users (ie. the users of our customers)

Social Intents does not share, or resell, any kind of user data (whether data described in point 1 or 2 above). The data is not used for advertising (both 1 and 2) or analytics (on 2). Our business model is solely based on paid subscriptions (ie. the user is not the product).

2.1. Information held on our users

Social Intents collects account information for each user, including:

User first and last name, and profile picture
User payment details (includes invoicing information, eg. company address and country — the credit card number and payment information is stored by either Stripe or PayPal)

We don't log user activity, except for system logs including IP, user agents and time of connection. They are solely used for debugging and lawful purpose and retained maximum 1 week. 

2.2. Information held on our users' end-users

Information held on our users' end-users include:
End-user email address
End-user phone number
End-user name
End-user message exchanges
End-user last activity date and time

The information stored on our users' end-users is solely the responsibility of our users (ie. the individual websites using Social Intents).  Our users can optionally turn off the storing of transcripts, so that no end user data is store in our database and systems.  It is the responsibility of our users to manage the data they hold in their Social Intents accounts, and to remove sensitive data if someone happens to share it with them. It is our responsibility to secure access to this data (ie. only website operators can access it and have the right to rectification and deletion).

3. Communicating privacy information

Social Intents customers and users privacy terms are clearly communicated in our Privacy Policy.

4. Individuals’ rights

Social Intents customers rights regarding to GDPR are considered and enforced, including:

Right to be informed: we clearly inform our users about the use that will be made of their data
Right of access: our users can access all their data, without restriction, from the Crisp apps
Right of rectification: it's as simple as contacting us, we'll process all your rectification queries
Right of erasure: it's as simple as contacting us, we'll process all your erasure queries
Right to restrict processing: we don't process the data of our customers (and our customers end-users)
Right to data portability: our users may contact us anytime if they wish to get an export of their data
Right to object: we handle all requests on this matter from our users and users' end-users
Right not to be subject to automated decision-making including profiling: we don't do that (and never will)

5. Subject access requests

Social Intents replies to all access requests in under 2 weeks. We offer this free of charge for our customers.

6. Consent

Consent is provided by our users explicitly when the data consent checkbox is enabled on the pre-sales form. 

Social Intents allows its customers to submit user data in an automated way, via a frontend JavaScript API and backend REST API, for instance assigning an email to a chat session, when the chat session user is already identified to their customer website account. This data must have been provided by the customer user in a consented way, as it will get propagated to Social Intents in an automatic way (if the customer implemented such API in their source code).

7. Children

Social Intents does not offer online services to children, due to the nature of the service provided (business-to-business). Thus, we did not identified it as relevant to control the age of users signing up for services.

Children might still be able to use the Social Intents chat services, from the website or apps of a Social Intents customer. To this extent, the Social Intents customer is responsible for checking against their own users and activities regarding children regulations.

8. Data breaches

Our team closely monitors any unauthorized system access, and has put in place multiple preventive measures to reduce the attack surface on our systems and services. 

Security researchers and users can submit a security report to our email service@socialintents.com. 

Here are a few measures we take to reduce any attack surface:

Leverage Amazon Web Services infrastructure to maintain security throughout the app

Aggressive use of firewalls and network isolation in our infrastructure 

We monitor any security flaw in any library we may use in our running backends, and patch them as soon as an update is issued 

Isolate data stores and sensitive backends on different servers 

Social Intents will notify their users of any data breach, 24h maximum after knowing about it and fixing the flaw. It is then the responsibility of our users to report this data-breach to their end-users in due time.

9. Data Protection Officers

Social Intents has designated a Data Protection Officer.  You can contact us for details.

10. International

Social Intents, LLC is based in the United States.

Address:  

Social Intents, LLC
Address: 4880 Lower Roswell Rd, Suite 165-112, Marietta, GA 30068 
Email: james@socialintents.com
Phone: 404-669-6609