Insider One takes privacy seriously. The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018, and Insider One has implemented several technical and organizational measures to comply with it.
What is GDPR?
The General Data Protection Regulation is a codification of privacy and data protection regulations, aimed at providing more consistent guidance on privacy and data protection and on respecting the personal data of European Union citizens. In short, it has replaced the previous EU privacy directive, which was outdated, while also introducing some notable changes to privacy and data protection regimes. GDPR applies to any company that handles the personal data of EU subjects, even if the company is headquartered outside the EU.
Insider One’s Commitment
Insider One has a Security, Privacy, and Compliance Committee comprising data protection specialists, legal consultants, and security experts who prepared our company and our products for GDPR compliance and continue to reassess our standards. The team also includes executive members, such as our co-founders, who are fully committed to improving transparency and trust to obtain acceptance and agreement from our entire company.
What has Insider done to comply with GDPR?
The table below details our organizational actions to comply with this new regulation.
| GDPR Reference | Summary | Actions taken by Insider for compliance |
|---|---|---|
| Lawfulness, Fairness, and Transparency | | As a data processor, Insider One commits to following transparent processing activities. To show its processing activities, Insider One has published its product privacy policy for general applications. Insider One also provides all necessary information about processing activities to its partners upon request. |
| Purpose limitation | | Insider One has a Data Processing Agreement (DPA) with its partners to define the purpose of processing activities. Under the DPA, the parties' duties and responsibilities are defined. Insider One ensures that its partners, as data controllers, obtain specified, explicit, and legitimate consent from their end users. If the purpose of data collection changes, partners need to inform Insider One, and Insider One will update the DPA accordingly to reflect the new purpose of processing. |
| Data minimization | | Unless partners define other purposes, Insider One products only process users' behavioral data to provide the best personalized user experience. Based on its partners' needs, Insider One processes the data that is defined and collected by partners. By default, the Insider One product collects only behavioral data anonymously. |
| Accuracy | | Any partner-pushed data related to user data can be easily rectified using Insider One's API endpoints to either merge or override it. |
| Storage limitations | | Insider One's platform does not store any user data unnecessarily unless its partners indicate otherwise. All of Insider One's data retention and storage policies are clearly defined and available to partners. |
| Integrity and confidentiality | | Insider One's platform employs all required technical and organizational measures, including data pseudonymization, to ensure its security and confidentiality. |
| Consent (Article 7) | Conditions for consent | According to Article 7 of GDPR, freely given, clear consent is to be collected by the data controller. In the relationship between Insider One and its partners, Insider One is the data processor and its partners are the data controllers, according to the roles defined under the GDPR. Based on these roles, Insider One is not responsible for obtaining end-user consent to process the data. To help partners comply, Insider One is committed to enabling them to collect data responsibly as controllers. For Insider One's product features that allow the controller to collect users' personal data, Insider One has provided the ability to add active, explicit consent checkboxes. |
| Data Subject Rights (Articles 15–23) | Expanded individuals' rights | Insider One will cooperate with any requests from controllers to access, erase, or rectify end users' data, with trained personnel handling these requests. Additionally, Insider One's platform provides multiple API endpoints to delete or update data, keeping user data accurate. |
| Security of Processing (Article 32) | Confidentiality, integrity, availability, and resilience of processing systems and services | To ensure that the entire company and its employees are aware of GDPR, Insider One has taken continuous training and process measures. Insider One runs quarterly training programs to ensure employees are able to comply with GDPR. In addition, Insider One has a new-employee onboarding process that includes GDPR awareness and policy coverage. Among several policy documents, the Employee Security Rules is one that enforces our commitment to data processing regulations. |
| Data Breach (Articles 33–34) | Responding to data breaches and incidents | Insider One fully commits to continuing to notify its partners of any data incidents in line with our current terms of service and privacy agreements. Insider One will continue investing in threat detection and avoidance technologies, as well as its round-the-clock incident management program, to help you respond to security or privacy events. Insider One has prepared a detailed Incident Response Plan and built a Security Team to comply with Articles 33–34. |
| Data Protection Officer (Articles 37–39) | Appointment of DPO | Any questions regarding data processing and how Insider One complies with core tenets of the GDPR, such as "consent" and "product compliance," can be directed to the Data Privacy Team (privacy@useinsider.com) and the Legal Team (legal@useinsider.com). Upon request and as necessary, DPO contact information may also be shared after the relevant Insider One entity is identified. |
| Codes of Conduct and Certifications (Articles 40–43) | Certifications | Insider One is an ISO/IEC 27001- and ISO 22301-certified and SOC 2 Type II-attested company, demonstrating adherence to recognized information security and business continuity standards in line with Articles 40 to 43 of the GDPR regarding approved codes of conduct and certification mechanisms. |
| Cross-border data transfer (Articles 44–50) | Data storage | Insider One stores data locally on regional servers wherever possible. All data collected from the EU is stored in an EU-based data center, Amazon Web Services (AWS) in Dublin, Ireland. This data center is available not only to its EU-based partners but also to any partner who wishes their data stored within the territorial scope of the GDPR. |
| Data Processing and Transfer | | Insider One's technical systems and products are GDPR-compliant, and Insider One's cloud-based AWS servers are located in the EU. When transferring data outside the EU, Insider One signs data processing agreements and standard contractual clauses and applies the appropriate GDPR-required safeguards for international data transfers. |