
GDPR Compliance

Overview

ApexChat conducts live chats on behalf of its customers. These chats are initiated by prospects from a customer's website and are conducted on the ApexChat software platform by ApexChat human chat agents. As a result, ApexChat processes and stores the information collected during chat sessions.

To protect the privacy and security of this data, ApexChat uses the following technologies and methodologies:

  • Encryption in transit via SSL/TLS
  • Secured lead delivery via links back to a secure portal (lead details are not sent in the body of the notification)
  • DDoS mitigation services
  • Intrusion detection services
  • Web application firewall
  • Rate limiting for suspicious activity
  • Enterprise-class SSL certificates
  • Application-level encryption for contact data
  • Limiting access to the backend production systems to a small number of employees


Disclosure of Customer Service Data

ApexChat only discloses data to third parties where disclosure is necessary to provide the services or as required to respond to lawful requests from public authorities.

Access Management

ApexChat provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining and improving the ApexChat services and as otherwise required by law.


What is Service Data?

Service Data is any information, including personal data, which is stored in or transmitted via the ApexChat services, by, or on behalf of, our customers and their end-users.


Who owns and controls Service Data?

From a privacy perspective, the customer is the controller of Service Data, and ApexChat is a processor. This means that throughout the time that a customer subscribes to services with ApexChat, the customer retains ownership of and control over Service Data in its account.


Who are ApexChat’s sub-processors?

ApexChat maintains an up-to-date list of the names and locations of all sub-processors used for hosting or other processing of Service Data, which can be found here. The list also may be obtained by contacting [email protected].


How does ApexChat use Service Data?

We use Service Data to operate and improve our services, help customers access and use the services, respond to customer inquiries, and send communication related to the services.


What steps does ApexChat take to secure Service Data?

ApexChat prioritizes data security and combines enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer and business data is always protected.


Where will Service Data be stored?

ApexChat's infrastructure is hosted at Rackspace's Chicago, Illinois data center.


How does ApexChat respond to information requests?

ApexChat recognizes that privacy and data security issues are top priorities for customers.

ApexChat does not disclose Service Data except as necessary to provide its services to its customers and comply with the law as detailed in our Privacy Policy.


How does ApexChat respond to legal requests for Service Data?

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information with relevant law enforcement agencies or public authorities if we believe same to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our customer agreements, or as otherwise required by law.


GDPR

ApexChat’s approach has long been anchored with a strong commitment to privacy, security, compliance and transparency. This approach includes supporting our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”), which becomes enforceable on May 25, 2018.

If a company collects, transmits, hosts or analyzes the personal data of individuals in the EU, GDPR requires the company to use only third-party data processors that provide sufficient guarantees of their ability to implement the technical and organizational requirements of the GDPR.


ApexChat GDPR Product Readiness

The General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, gives data subjects an array of privacy rights that provide individuals with greater transparency into, and control over, the use of their personal data. ApexChat supports compliance with the GDPR in the following manner:


Obligation: Transparency and Accountability

Purpose of the GDPR Obligation

Ensure transparent communication with data subjects regarding the processing of their personal data. Ensure data subjects are notified of their rights under the GDPR.

Features/Functionality to Work Toward Compliance with the GDPR Obligations That Affect You

ApexChat’s Privacy Policy provides a transparent notice to inform its customers of all steps taken to ensure the privacy and security of their data.

Exceptions to the GDPR Obligation

A data controller is exempt from these obligations if it cannot identify which personal data in its possession relates to the relevant data subject (i.e., if personal data is anonymized and cannot be re-identified).


Obligation: Access and Rectification

Purpose of the GDPR Obligation

Allow data subjects to obtain access to the personal data a data controller holds about them and to require the data controller to rectify any errors in that data.

Features/Functionality to Work Toward Compliance with the GDPR Obligations That Affect You

End users may update profile information within individual chats.

Exceptions to the GDPR Obligation

Provision of this right to a data subject should not adversely affect an organization’s intellectual property (i.e., giving access to a data subject should not require disclosure of trade secrets).


Obligation: Right to be Forgotten

Purpose of the GDPR Obligation

Provide data subjects with the right to delete their personal data if the continued processing is not justified.

Features/Functionality to Work Toward Compliance with the GDPR Obligations That Affect You

ApexChat customers can email [email protected] with a request to delete their information from our system. We require proof of identity before acting on the request, after which the data is purged.

Exceptions to the GDPR Obligation

A company is not required to delete data, except when one of the following reasons is present:

  • The personal data is no longer needed in relation to the purposes for which it was collected or otherwise processed.
  • The data subject withdraws consent, and there are no other legal grounds for processing.
  • The data subject objects to processing, and there are no overriding legitimate grounds for processing.
  • The personal data has been unlawfully processed.
  • The personal data has to be erased for compliance with a legal obligation.
  • The personal data has been collected in relation to the offer of information society services to a minor under 16 years old.


Obligation: Restriction of Processing

Purpose of the GDPR Obligation

Provide data subjects the right to limit the purposes for which the data controller can process personal data.

For example, your customer has filed a complaint or lawsuit against you, and it is your policy to stop processing while the complaint or lawsuit is pending.

Features/Functionality to Work Toward Compliance with the GDPR Obligations That Affect You

ApexChat does not conduct ongoing processing of chat data once a chat has been completed to the satisfaction of the end user and a cooldown period of at most 7 days has elapsed.

Exceptions to the GDPR Obligation

The requirement to restrict processing generally applies under the same circumstances as the right to be forgotten and/or when the following circumstances exist:

  • The accuracy of the personal data is contested (and only for as long as it takes to verify that accuracy).
  • The processing is unlawful, and the data subject requests restriction (and the data subject is not exercising the right to be forgotten).
  • The data controller no longer needs the personal data for the original purpose but still requires it to establish, exercise, or defend a legal right.
  • Verification of an overriding ground is pending (in the context of a deletion request).


Obligation: Data Portability

Purpose of the GDPR Obligation

Provide data subjects with the right to transfer their personal data between data controllers.

For example, your customer requests for you to export and provide them with all associated personal data that you store.

Features/Functionality to Work Toward Compliance with the GDPR Obligations That Affect You

ApexChat provides the ability to export chat transcripts and reporting data. These exports can be requested by emailing [email protected] and including proof of identity.

Exceptions to the GDPR Obligation

Inferred and derived personal data (e.g., a credit score or health assessment) are not included because they are not “provided by the data subject.”

Data controllers are not obligated to retain personal data simply for the purposes of providing a copy of the personal data pursuant to a potential data subject request.


Obligation: Objection to Processing

Purpose of the GDPR Obligation

Provide data subjects with the right to object to the processing of their personal data, for example processing carried out on the basis of legitimate interests or for direct marketing, after which the data controller must stop processing unless an exception applies.

Features/Functionality to Work Toward Compliance with the GDPR Obligations That Affect You

ApexChat has documented mechanisms to export user data from its system (see Data Portability and Restriction of Processing) and, upon request via [email protected] with proof of identity, has an internal mechanism for permanently purging the requested user data from all records.

Exceptions to the GDPR Obligation

A data controller must cease processing upon request unless:

  • The data controller demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject.
  • The data controller requires the data in order to establish, exercise, or defend legal rights.
  • Processing for scientific, historical, or statistical purposes is carried out for reasons of public interest.


Note: These features and functionalities are currently available. As we approach May 25, 2018 (GDPR Effective Date), ApexChat will be updating and adding features and functionalities to further support our customers with their GDPR compliance programs.