Insider One and General Data Protection Regulation (GDPR)


At Insider, we take privacy seriously. The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018, and we have taken several technical and organizational measures to comply with it.

What is GDPR?

The General Data Protection Regulation is a codification of privacy and data protection rules whose aim is to provide more consistent guidance on privacy, data protection, and respect for the personal data of European Union citizens. In short, it replaced the previous, outdated EU privacy directive while also introducing some notable changes to privacy and data protection regimes. The GDPR applies to any company handling the personal data of EU data subjects, even if the company is headquartered outside the EU.

Our Commitment

Insider has a Security, Privacy, and Compliance Committee of data protection specialists, legal consultants, and security experts who prepared our company and our products for the GDPR and who continue to reassess our standards. The committee also includes executive members, such as our co-founders, who are fully committed to improving transparency and trust in order to secure acceptance of and agreement with these standards across the entire company.

What has Insider done to comply with GDPR?

The table below details our organizational actions to comply with this new regulation.

| GDPR Reference | Summary | Actions taken by Insider for compliance |
|---|---|---|
| Data Protection Principles (Article 5) | Lawfulness, fairness, and transparency | As a data processor, Insider commits to transparent processing activities. To document these activities, we have published our product privacy policy for general applications, and we provide all necessary information about our processing activities to our partners upon request. |
| | Purpose limitation | We have a Data Processing Agreement (DPA) with our partners that defines the purpose of processing activities and the parties' duties and responsibilities. We ensure that our partners, as data controllers, obtain specified, explicit, and legitimate consent from their end users. If the purpose of data collection changes, our clients must inform us, and we will update the DPA to reflect the new purpose of processing. |
| | Data minimization | Unless partners define other purposes, Insider products process only users' behavioral data, in order to provide a personalized user experience. Based on our customers' needs, we process the data that is defined and collected by the partner. By default, our product collects only behavioral data, and collects it anonymously. |
| | Accuracy | Any user-related data pushed by our partners can be rectified through our API endpoints, which support either merging or overriding data. |
| | Storage limitation | Our platform does not store user data beyond what is necessary unless our partners indicate otherwise. All our data retention and storage policies are clearly defined and available to our partners. |
| | Integrity and confidentiality | Our platform employs all required technical and organizational measures, including pseudonymization of data, to ensure its security and confidentiality. |
| Consent (Article 7) | Conditions for consent: 1. Unbundled; 2. Active opt-in; 3. Granular; 4. Named; 5. Easy to withdraw; 6. Documented; 7. No imbalance in the relationship | Under Article 7 of the GDPR, freely given, clear consent must be collected by the data controller. In the relationship between Insider and our partners, Insider is the data processor and our partners are the data controllers according to the roles defined under the GDPR. Based on these roles, Insider is not responsible for obtaining end-user consent to process the data. To help our partners comply, we are committed to enabling them to collect data responsibly as controllers: for product features where the controller can collect users' personal data, we provide the ability to add consent checkboxes that are active and explicit. |
| Data Subject Rights (Articles 15–23) | Expanded individuals' rights: 1. Right of access; 2. Right to data portability; 3. Right to rectification; 4. Right to erasure; 5. Right to restrict processing; 6. Right to object | Insider will cooperate with any requests from controllers to access, erase, or rectify end users' data; trained personnel service these requests. Our platform also provides multiple API endpoints to delete or update data so that user data remains accurate. |
| Security of Processing (Article 32) | Confidentiality, integrity, availability, and resilience of processing systems and services | To ensure that the entire company and its employees are aware of the GDPR, we have put continuous training and process measures in place. We run quarterly training programs so that employees are able to comply with the GDPR, and our new-employee onboarding includes GDPR awareness and policy coverage. Among several policy documents, our Employee Security Rules enforce our commitment to data processing regulations. |
| Data Breach (Articles 33–34) | Responding to data breaches and incidents | We fully commit to continuing to notify our customers and partners of any data incidents in line with our current terms of service and privacy agreements. We will continue investing in threat detection and prevention technologies, as well as our round-the-clock incident management program, to help you respond to security or privacy events. We have prepared a detailed Incident Response Plan and built a Security Team to comply with Articles 33 and 34. |
| Data Protection Officer (Articles 37–39) | Appointment of DPO | Any questions regarding data processing and how we comply with core tenets of the GDPR, such as "consent" and "product compliance," can be directed to the Data Privacy Team (privacy@useinsider.com) and the Legal Team (legal@useinsider.com). Upon request and as necessary, DPO contact information may also be shared once the relevant Insider entity has been identified. |
| Codes of Conduct and Certifications (Articles 40–43) | Certifications | Insider is an ISO/IEC 27001- and ISO 22301-certified and SOC 2 Type II-attested company, demonstrating adherence to recognized information security and business continuity standards in line with Articles 40 to 43 of the GDPR regarding approved codes of conduct and certification mechanisms. |
| Cross-border data transfer (Articles 44–50) | Data storage | Insider stores data locally on regional servers wherever possible. All data collected from the EU is stored in an EU-based data center — Amazon Web Services (AWS) in Dublin, Ireland. This data center is available not only to our EU-based customers but to any customer who wishes their data to be stored within the territorial scope of the GDPR. |
| | Data processing and transfer | Our technical systems and products are GDPR-compliant, and Insider's cloud-based AWS servers are located in the EU. When transferring data outside the EU, Insider signs data processing agreements and standard contractual clauses and applies the appropriate GDPR-required safeguards for international data transfers. |