Great news! CloudSponge complies with the GDPR’s Data Processing requirements.
The General Data Protection Regulation (GDPR) is in effect (as of May 25, 2018) and affects all companies with customers in the European Union regardless of whether or not your company is based in the European Union. It creates a more consistent regulatory environment for companies to operate in and in turn is intended to streamline privacy considerations for affected companies.
CloudSponge As A Data Processor
Data controllers are companies that supply goods or services to EU residents, or that track or monitor EU residents and decide why and how data is collected and processed. As one of our customers, you are likely a data controller under the GDPR. One of your requirements as a data controller is to only work with compliant data processors (like us! 🎉).
Data processors are vendors or businesses that process data on behalf of data controllers. As your address book processing service, CloudSponge is considered one of your data processors.
How We Handle Your Users’ Address Book Data
We purge every email address that passes through our system after it’s delivered to you. It has been this way since the company was founded. It’s a guiding principle that we’ve always cherished.
Address books never get saved to disk, ever. They stay in our server’s memory for a few minutes before getting deleted forever.
We wouldn’t have a business if we did it any other way. Security experts from dozens of companies have audited us before coming aboard and we’ve either passed or taken remediation steps to satisfy them. This ongoing collaboration has enabled us to evolve into a world-class organization that you can trust with your users’ address books.
Your users who interact with contact picker may be cookied with one called
_cloudspongea that we use to identify a repeat visitor. We don’t capture any of your users’ data in the cookie, it’s a randomly generated value.
This cookie is used when sending tracking data to our servers. We track events in the browser to analyze and improve our service. We track events like:
- When a user chooses a source
- When they complete importing their address book
- When they choose to share their contacts with your site
- When they close the widget without sharing any contacts
We also track the number of contacts in the address book and the number of contacts that were shared with your site.
We never track any identifying data about the user or the contents of their address book.
We provide a
noTracking option that you can enable for users who wish to opt-out of any of our tracking or cookies. Setting it turns off all of our tracking and removes the CloudSponge cookie from their browser.
We want the contact importing and sharing process to be as easy as possible, so we track your actions so that we can measure how well we are succeeding at this. It also helps us to identify and fix problems that you may experience.
We use this data within our business only and never share it with anyone else.
We track the following events and data points:
- When you choose a source
- When you successfully connect your address book and how many entries it contains
- When you choose to share your contacts and how many contacts you shared
- When you close the widget without sharing any contacts
- When you encountered an error connecting your address book
We use CloudSponge, as a third-party address book processing service, but we only share with them information that is required for the service offered. We also contractually bind them to keep any information we share with them confidential and to process your personal data only according to our instructions.
Should you elect to provide us with your address book information, will have access to the address book information we collect using the software, which typically includes the names, email addresses, phone numbers, and other contact information relating you and members of your social circles so that it can provide us with assistance in uploading your contacts to our website.
Our Service’s Subprocessors
As required by the GDPR, we only choose subprocessors for our service that are also GDPR-compliant. In our case, the main subprocessor that we use is Amazon Web Services, but there are also some analytics services that we use to help us monitor our service and debug problems occasionally.
- Amazon Web Services, GDPR Center
- Sentry, Data Processing Addendum
- Papertrail, GDPR Resource Center
- Google Analytics, How Google complies with data protection laws
As one of your trusted vendors, we’re excited about further exploring ways to help your company stay in compliance with evolving data privacy laws and regulations.
We’ll be making significant improvements to our service to help your company comply with GDPR’s Data Minimisation Principle (Art. 5(1)(c)) as well as publishing product design guidelines for navigating GDPR’s Article 14.
If you have any questions or suggestions, we’d love to hear from you at firstname.lastname@example.org.