What is Delphos doing about GDPR?
Delphos has undertaken several initiatives to meet our responsibilities under GDPR, specifically in relation to users & subscribers to our mobile app platform. These are:
Hosting of EEA customers exclusively within EU data centres
All data for customers identified as being located in the EEA is hosted with Microsoft Azure data centres in West Europe (Amsterdam) and North Europe (Dublin).
Encryption of data at rest and in transit
All data stored within the Delphos Platform is encrypted on our servers, be this within a database, storage service or file backups. All data transport between servers, services and/or devices (both internally and externally) occur exclusively over SSL encrypted transport protocols.
Data Protection Officer (DPO)
The Delphos DPO supervises our entire data privacy program and works in close conjunction with Delphos team members on matters relating to security, data protection and privacy.
“Is Personal Data” flags for data entities in the platform (e.g., forms and data sources)
The Delphos Platform now provides new checkbox options to allow Delphos customers to flag/identify data fields that contain personal data. This, in turn, allows the Delphos Platform to anonymise these fields when data leaves the Delphos Platform (e.g., via manual export, connector integrations, and/or the Delphos Platform API).
Careful vetting of sub-processors
Each sub-processor is vetted in the areas of security, contractual terms, data processing agreements, and EU standard contractual clauses / Privacy Shield.
Up-to-date contractual documents/privacy policies
Our contractual documents have been updated to contain necessary GDPR provisions, including data processing addendum, end-to-end confidentiality, and privacy policies.
Product development
All new Delphos Platform functionality that is introduced from May 2018 onwards will include consideration of the following:
- the GDPR principles of “privacy by design” and “privacy by default”,
- giving flexibility to all customers while remaining within GDPR guidelines
- keeping all changes as simple as possible
What kinds of data do we process?
For registered users on the platform, basic contact information is processed (i.e. direct identifiable personal data such as e-mail addresses or name) as well as minimal device information, connection information and geolocation.
Other personal information may also be processed by the Delphos Platform through data captured and stored by Delphos customers. While it’s not up to us to control what data we receive, this can include items such as contact information, IP addresses, and other data.
We process customer-submitted data as part of our contractual obligation to our customers and in accordance with applicable laws, including the GDPR.
Does Delphos use sub-processors?
We use certain sub-processors to assist in providing the Delphos Platform to customers. A sub-processor is a third-party data processor engaged by Delphos, that has or potentially will have access to or process customer data (which may include personal data). See Table Below.
How long does data remain on the Delphos Platform?
Delphos production (live) environments
Registered users
All personal data relating to a user is either deleted or anonymised within 7 days of the user deletion action. The 7-day period allows for fast recovery if the deletion was accidental. For the avoidance of doubt, deactivation of a user account does not remove the account or its personal data; the account is simply archived.
All other data entities
This is determined and configured by Delphos’s customers, based on their own agreements with data subjects in turn. The Delphos Platform provides customers with functionality to delete data entities as needed.
Delphos backups
Backups are performed on a regular basis and are kept in encrypted, secure storage for up to 60 days. This means that items deleted in production environments are available for restoration from backups for up to 60 days thereafter.
Delphos test/development environments
Data is occasionally extracted from production to development/testing environments for support, testing and debugging purposes. When this occurs, personal data is anonymised to assure privacy.
Who has access to personal data stored on the Delphos Platform?
Personal data stored on the Delphos Platform may be visible to:
Delphos customers
Depending on their assigned access permissions, users can view, and access personal data collected and/or stored within their Delphos customer account.
Delphos employees & contractors
All employees & contractors are trained and contractually committed to following Delphos’s privacy, security, and data protection practices.
Sub-processors
We work with carefully selected services to provide aspects of the Delphos Platform and may process data with these services as necessary to provide Delphos Platform services.
Other third parties if required by applicable law or where Delphos has a good-faith belief that such disclosure is reasonably necessary to:
(a) protect the safety of any person from death or serious bodily injury, or
(b) prevent fraud or abuse
Access only occurs to the extent and is limited to such personal data as necessary for that specific purpose of the respective party.
Where is personal data stored? Does it leave the European Economic Area?
All customers that identify themselves as being located within Europe are hosted exclusively within our West Europe (Amsterdam & Dublin) data centres. As such, all data captured and/or stored on the Delphos Platform for European customers will remain within the EEA by default.
Delphos only exports personal data outside of the European Economic Area (“EEA”) if and when required by:
- a respective sub-processor for the correct functioning of the service they offer (e.g. push notifications),
- other recipients, only to the extent required to support the correct and/or compliant functioning of the Delphos Platform
Where data export occurs, Delphos ensures that such export occurs under the adequacy decisions as allowed by GDPR (EU-US Privacy Shield, binding corporate rules, applicable EU standard contractual clauses, such other methods as allowed per the GDPR), and keeps the exported data to a minimum as necessary.
Delphos also provides software features to Delphos customers which allows them to anonymise personal data upon export out of the Delphos Platform.
Is data processed by Delphos used for direct marketing or automated decision making?
Registered administrator users may be contacted by Delphos with news or offers about the Delphos Platform. This communication can be unsubscribed at any time by the user.
Delphos does not and will never use personal data processed through the Delphos Platform for direct marketing purposes, nor does the Delphos Platform employ automated decision-making processes/techniques which create or deny rights to individual persons.
We only process personal data under instruction and under control of the Delphos customer for the purpose of the Delphos Platform solution.
| Sub-Processor | Country of Processing | Purpose |
|---|---|---|
| Microsoft Azure | Netherlands and Ireland for EU customer accounts | Cloud services, data storage, computation, and backup |
| USA | Analytics and device push notifications | |
| Apple | USA | Device push notifications |
| Freshdesk | USA | Helpdesk and knowledgebase |
| SendGrid | USA | Email delivery |
| Stackify | USA | Service monitoring |
| Appenate | Australia | Platform Support |