GDPR compliance.
Last edited on April 15, 2023
Crosslist is committed to privacy, security, compliance, and transparency. This approach includes supporting our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”), which becomes enforceable on May 25, 2018.
What is GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
To Whom Does the GDPR Apply?
One way in which the personal data of an EU citizen could be collected when using Crosslist is when you build a database of contacts, their information, and business dealings with them (i.e. a CRM system).
Not all customers will be “data subjects”, as data subjects are only individuals. Some of your customers may be businesses or government organizations, to which the GDPR does not apply to.
Is Crosslist GDPR compliant?
Yes, Crosslist is compliant with GDPR. This document outlines all the provisions we took to make sure we are complying fully with the regulation.
Information We Hold
Registration and Contact Information. We collect information about you when you (a) register to use the Services and (b) otherwise provide contact information to us via email, mail, or through our Service. This information you provide may include your username, first and last name, and email address.
Payment Information. When you purchase the Services, we will also collect transaction information, which may include your company name, company VAT (when applicable), credit card or other payment information, billing, and mailing address.
Technical, Usage, and Location Information. We automatically collect information on how you interact with the Service, such as the IP address from which you access the Service, date and time, referrer website, and campaign information (“UTM” parameter fields). We may also collect location information, including location information automatically provided by your computer or device. We use cookies and similar technologies to collect some of this information.
Third-Party Platforms. We may collect information when you interact with our service on third-party sites or platforms, such as analytical sites. This may include information such as actions or the fact that you viewed or interacted with our content.
Other Information. We may collect other information from you that is not specifically listed here. We may use any such information in accordance with this Privacy Policy or as otherwise permitted by you.
Data Security and Data Breaches
We take data protection and security very seriously at Crosslist. We constantly monitor for security flaws and unauthorized access and we will take action immediately if something suspicious is been detected. In an unlikely case of a data breach, we will notify all of our customers within 72 hours after the breach was detected.
Some of the preventive measures we take include:
- Encrypted HTTPS communication layers for all data transfers.
- Regular encrypted backups of the database and server are performed.
- Data retention for expired trial and canceled users of 2 years.
- Bcrypt is used to store all customer-sensitive data, such as e.g. passwords.
Data Subject Rights
All individual rights regarding GDPR will be enforced by our Crosslist team. If you want to exercise your GDPR rights, you can reach out to us at [email protected].
Those rights include:
- Right To Be Informed: for the parties where we act as a controller, we inform our users what we do with their data.
- Right To Access: we can show all the data stored.
- Right To Object: you can use the form above for any objection you or a user has about how Crosslist is processing your/their personal data.
- Right To Be Forgotten: we can erase data we hold about any individual.
- Right To Data Portability: we can export data held by an individual as a CSV on request.
- Right To Rectification: a person’s data can be updated either by API, from the user account, or manually by us on request.
Data Processing Agreements
We act as a data processor for our customers (see “Information we hold”) which means we need to provide a signed Data Processing Agreement on request. If you are a customer (paid user) of Crosslist and you need the DPA, please contact us via email and we’ll send it to you.
We also requested and signed DPAs from each of our sub-processors and made sure they are GDPR compliant.
GDPR-Ready Privacy and Cookie Policy
We updated our privacy policy to be GDPR compliant. It can be consulted here.
Frequently Asked Questions
How will you verify to customers that you are in compliance with the new regulation?
If you wish for formal verification, you can provide us with your Data Processing Agreement template, which we can return filled and signed.
How is sensitive information stored, and do you have processes in place in the event of a data breach?
Sensitive information is stored securely, with limited access. We react to Data breaches immediately, by notifying affected parties.
For how long do you store customer data?
We store customers’ data only for the time of using our services or until they request to delete their data.
Where is your customer data physically stored?
Data of our customers are stored in our CA (Canadian) data center hosted by OVH.
Which of your teams will have access to customer personal information?
We access customers’ personal information only based on prior requests by the customer or with the customer’s approval. In most common cases, it is the customer support team, development team, or marketing team.
How does your organization handle instances when customers request their data be removed from your system(s)?
When a customer requests the deletion of their data, we proceed with the deletion immediately, with no further delay.
How do you handle data protection requirements with any of your sub-processors?
We sign Data Processing Agreements with each of our sub-processors or subcontractors.
What processing operations are done by the Data Processor (Crosslist)?
All actions are necessary to provide adequate customer support and reliable service.
Additional security measures
HTTPS Encryption
All Crosslist-hosted accounts run over a secure connection using the HTTPS protocol. Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. It means all communication between your browser and Crosslist is encrypted, including your chat and email communication.
Secure Credential Storage
We follow the latest best practices to store and protect user login credentials and passwords in the cloud, by for example using Bcrypt.
Additional Resources
Do you have questions?
Contact us at [email protected] and we will be happy to help!