The GDPR & Siteimprove’s Commitment to Data Protection & Privacy

The GDPR

How Siteimprove Remains Accountable to Its GDPR Obligations and What It Is Doing to Assist Customers with Their Own GDPR Obligations

Siteimprove is committed to GDPR compliance both in its own internal processing of personal data and in customer use of the Siteimprove Intelligence Platform. These compliance efforts have direct executive-team oversight and are implemented by the Siteimprove Legal, Information Security and IT departments.

Siteimprove's approach to GDPR compliance includes, but is not limited to, the following technical and organizational measures:

  • Transparency in the processing of data and the subprocessors used
  • Offering customers a Data Processing Agreement to assist them in meeting their GDPR obligations
  • Implementing principles of privacy by default and privacy by design into the development process
  • Enhancing our infrastructure to implement encryption of data at rest and stricter access controls
  • Conducting awareness sessions on what constitutes personal data and how it must be handled
  • Regularly auditing individual departments to verify adherence to established personal data processes and to identify any new business processes or data flows that involve personal data
  • Raising vendor security requirements in both vetting processes and contracts

For our customers, Siteimprove processes personal data when a customer signs up for and uses the Siteimprove Intelligence Platform. To help prospective and current customers understand how Siteimprove addresses its GDPR obligations, we have prepared the FAQ (frequently asked questions) below.

GDPR FAQ

Are you a Data Controller or a Data Processor?

Siteimprove is a Data Processor for any personal data that is processed through the Siteimprove Intelligence Platform. In that relationship, the customer is the Data Controller.

Siteimprove is a Data Controller for a customer's personal data (name, email, phone, address) that is provided to Siteimprove to facilitate billing, account setup, and support.

Do you have a Data Protection Officer?

No. The scale and nature of the data processing conducted by Siteimprove do not meet the threshold at which the GDPR requires the appointment of a Data Protection Officer.

What is your retention policy? 

Data processed through the Siteimprove Intelligence Platform will be retained for the duration of the contractual agreement, subject to the regular overwriting and limitations set forth here: https://siteimprove.com/security/security-statement-eu-version/

As soon as the contractual agreement has ended, we delete the data that has been processed through the Siteimprove Intelligence Platform for that customer, pursuant to these processes: https://siteimprove.com/security/security-statement-eu-version/

What is your process to notify data subjects when the intended use of their data changes?

Customers are the Data Controllers for the personal data that Siteimprove processes on their behalf. In that role, Siteimprove processes the data only for the purpose contracted by the customer and does nothing further with it.

Siteimprove is the Data Controller for the contact information of its customers and that data is only used by Siteimprove. It is never sold to any third party. In the event that Siteimprove were to use that data for a different purpose, then it would notify the data subject directly.

How will Siteimprove handle requests from data subjects under the GDPR (e.g. right to access, rectification, erasure, restriction of processing, data portability, object)?

Siteimprove aims to keep personal data accurate and up to date. Any data subject may send us an e-mail at privacy-eu@siteimprove.com (if in the EU/EEA) or privacy@siteimprove.com (everywhere else), together with proof of identity, to exercise their personal data rights under the GDPR. Details on the information required to accommodate a request are available here: https://siteimprove.com/security/data-request

Do you have processes for reporting of data breaches as defined by GDPR?

Siteimprove has internal processes and protocols to identify potential data breaches. Any breach of personal data that is likely to result in a risk to the rights and freedoms of a data subject will be reported to the competent supervisory authority within 72 hours of identification of the breach. Notification to the controller and/or data subjects will be made as soon as possible thereafter, to the extent permitted by law and pre-existing arrangements.

Where is your data physically stored?

All data that Siteimprove processes through the Siteimprove Intelligence Platform remains in the EU (Denmark and Germany). 

Personal data for which Siteimprove is the Data Controller is stored in a variety of locations, including the US. Any data transfers to the US are made in accordance with GDPR requirements, and the transfer mechanisms relied upon are available for review.

Details on the specific locations and sub-processors are here: https://siteimprove.com/legal/privacy-policy/

What third party organisations do you work with that may also have access to the data we share with you?

Siteimprove does not sell personal data, and does not share it with any third parties other than the subprocessors listed below.

All third-party subprocessors process personal data at the instruction of Siteimprove and are listed here: https://siteimprove.com/legal/privacy-policy/

What are the terms of ownership over customer data?

Siteimprove customers retain ownership over all data that they provide to Siteimprove for processing.

What is your legal basis for storing personal data?

All data provided to Siteimprove for processing through the Siteimprove Intelligence Platform is at the instruction of each customer (Data Controller). It is the obligation of each customer to have established a legal basis.

All data that Siteimprove collects from the customer to facilitate billing, account setup, and support is processed on the legal basis that it is necessary for the performance of the contract under which the customer accesses the Siteimprove Intelligence Platform.

How is privacy by default implemented in your services?

The Siteimprove Intelligence Platform collects data through a website crawler and, if Analytics is enabled, through a script placed within the website code by a customer or its agent. By default, the crawler portion of the Siteimprove Intelligence Platform does not search for personal data. Personal data is searched for only if a customer has affirmatively signed up for access to the GDPR module, which is designed to identify personal data on a website.

The Analytics portion of the Siteimprove Intelligence Platform has a setting that allows the customer to toggle masking of IP addresses on or off, as described in https://support.siteimprove.com/hc/en-gb/articles/115000018831-IP-Anonymization-in-Siteimprove-Analytics

How is privacy by design implemented in your services?

As part of the design process, Siteimprove conducts a Privacy Impact Assessment (PIA) to understand the purpose of the new or enhanced service, the personal data that might need to be collected to fulfill that purpose, and the steps necessary to ensure that the personal data is collected and processed appropriately.

Appropriate technical and organizational security measures

Siteimprove considers Information Security to be an essential part of its products and services and an integral part of its day-to-day operations. For that reason, Siteimprove recognizes that Information Security must be embedded in the company culture, in business processes, and at all levels of the organization to be effective. For more details, see: https://siteimprove.com/security/

Who can I contact with additional GDPR questions?

Our Information Security Manager is available to discuss any security or GDPR compliance concern related to Siteimprove:

Victor Alexandru Truica - Information Security Manager - vat@siteimprove.com