NotifiedBy is firmly committed to privacy and values the rights of our users. In preparation for the implementation of the GDPR (the new EU privacy law effective 25 May 2018), we have diligently developed several features that provide customers with greater control over the data stored on our platform. These features are available to all our customers, regardless of whether the GDPR specifically applies to them.
This document aims to clarify how the GDPR applies to your use of NotifiedBy and detail the measures we have undertaken to ensure compliance with the new regulations. We encourage you to review this document carefully and discuss it with your privacy team.
The GDPR is designed to harmonize data privacy laws across the European Union (EU). It grants individuals in the EU greater transparency and control over how their personal data is used, while holding companies accountable for their data practices. Businesses outside the EU must also comply with the GDPR if they handle the personal data of individuals located in the EU.
If your data processing activities fall within the scope of the GDPR, one of the first questions to consider is whether you are a data controller or a data processor. This distinction helps clarify your compliance obligations under the GDPR.
The controller determines the purposes and means of processing. As a customer of NotifiedBy, you act as the controller when using our products and services. It is your responsibility to ensure the personal data you collect is processed lawfully and that you employ processors, such as NotifiedBy, who provide sufficient guarantees to meet key requirements of the GDPR.
NotifiedBy functions as a processor, acting on the instructions of the controller (you), which are conveyed through channels such as API or SMTP requests. Like controllers, processors are required to comply with the GDPR.
As a processor, we depend on our customers to ensure that personal data is collected on one of the GDPR's lawful grounds for processing. You, as a controller, can collect personal data based on these legal bases: (i) consent; (ii) processing is necessary for the performance of a contract with the data subject; (iii) processing is required for compliance with a legal obligation; (iv) it is necessary to protect the vital interests of the data subject or another person; or (v) a legitimate interest exists that is not overridden by the data subject’s interests, rights, and freedoms.
We are committed to transparency in our handling and processing of personal data. As one of our customers, you should be informed of how we manage personal data on your behalf.
We retain data only as necessary to provide our services. Where feasible, we utilize mechanisms that allow automatic data removal once it is no longer needed.
NotifiedBy stores message bodies for up to seven days for both incoming and outgoing messages. This temporary storage enables our systems to re-deliver messages that failed on the first attempt. Customers using our parsing features can retrieve messages received as inbound messages.
For some customers, the message retention period may be adjusted based on written agreements with NotifiedBy. We also offer features to prevent programmatic message retrieval or to securely delete messages post-delivery.
Our staff may access message bodies to assist customers with delivery issues or in response to potential Acceptable Use Policy (AUP) violations. Employee access is routinely audited, and all staff handling personal data are bound by confidentiality agreements.
Message metadata, including sender, recipient(s), subject line, originating IP address, and routing data, is indexed and maintained for 30 days. As messages are processed by NotifiedBy, discrete events are generated. This data aids in troubleshooting processing and delivery issues and is accessible through our logs and Events API.
Staff may use event data to support customer requests or respond to potential AUP violations.
Suppressions are permanently stored email addresses resulting from hard bounces, complaints, or unsubscribes. We store suppressions until you remove them or your account is deleted. When suppressions are removed, they'll be permanently deleted from the system but may be stored in backup systems for disaster recovery purposes for up to 30 days after removal.
NotifiedBy stores recipient email address activity information in a hashed format to facilitate pre-validation of email addresses, detect potentially risky senders, and optimize delivery processes. This data is solely used to deliver NotifiedBy services.
As a processor, NotifiedBy has specific obligations under the GDPR. Here's how we manage personal data and the steps we have taken to ensure compliance:
These steps represent ongoing efforts towards GDPR compliance. Additional information on our GDPR compliance measures is available upon request.
Processors often use third-party entities, known as sub-processors, in data processing. NotifiedBy employs cloud infrastructure providers like Amazon Web Services. We have implemented appropriate measures with our sub-processors to secure the personal data processed on your behalf. If you are a customer, we will provide you with a comprehensive list of our sub-processors.
GDPR grants EU data subjects the rights to access, correct, remove, or export their personal data and to restrict processing. Our platform includes self-service features to assist customers in managing these requests, supporting the rights to data portability, access, and erasure.
When NotifiedBy receives a direct request from a data subject, we will engage the respective customer within seven days to respond, unless otherwise required by law.
Under the GDPR, data controllers must establish an agreement with data processors called a Data Processing Agreement (DPA). This document clarifies how both entities meet GDPR requirements. To simplify this process, we offer a DPA addressing Article 28 of the GDPR. Our DPA outlines the respective obligations of NotifiedBy, as a processor, and our customers, as controllers.
GDPR regulates the transfer of personal data outside the European Economic Area (EEA) through various mechanisms. NotifiedBy safeguards customer data via strong technical and organizational measures, including data retention, storage, transfers, and encryption. We adhere to the principles of accountability and transparency and employ EU Model standard contractual clauses with all vendors to ensure secure data transfers.