The EU General Data Protection Regulation (“GDPR”) goes into effect on May 25, 2018. You may have questions about the impact of GDPR on your business and your use of Adaptive Insights’ products and services. These FAQs are intended to provide a summary of our responses to typical customer questions regarding Adaptive’s GDPR compliance program, including information about how our Data Processing Agreement (“DPA”) and the Adaptive Business Planning Cloud product features support GDPR requirements.
These FAQs are not intended to provide legal advice and we encourage you to consult with your own legal counsel to determine how the GDPR applies to your specific situation.
What is the GDPR?
The GDPR is a new European Union (“EU”) data protection regulation that goes into effect on May 25, 2018. Specifically, it’s an EU regulation intended to protect “personal data.” Personal data is broadly defined by the GDPR to include essentially any information that relates to a person.
The GDPR was put in place by the European Commission (1) to address new technological developments, especially social media and other cloud-based applications; (2) to update outdated EU data protection laws; and (3) to help harmonize data protection laws across the EU’s 28 Member States.
How Does the GDPR impact Adaptive Insights and its Customers?
If you are an Adaptive Insights customer located in the EU and you are processing personal data, the GDPR applies to you, regardless of whether you are processing personal data in the EU or not. If your business is not located in the EU, but you offer goods or services in the EU that involve the processing of EU personal data, the GDPR also applies to you. Under the GDPR, “processing” is broadly defined and means any operation performed on personal data, such as collection, storage, transfer, dissemination or erasure.
Organizations processing personal data are divided into “Controllers”, i.e. entities that control personal data, and “Processors”, i.e. entities that process personal data on the Controller’s instructions. As an Adaptive Insights customer, you are a Controller, and Adaptive Insights is a Processor under the GDPR. Adaptive is responsible for meeting its obligations as a Processor. You are responsible for meeting your obligations as a Controller.
Does Adaptive Insights Provide a Data Processing Agreement (“DPA”) for Its Customers?
Yes. To fulfill its obligations under the GDPR, Adaptive Insights has prepared a DPA for customers that meets the following Article 28 requirements for Processors:
- Process personal data only on instructions from the Controller.
- Ensure that persons who process personal data are committed to confidentiality.
- Transfer personal data outside the EU via a lawful mechanism.
- Implement appropriate technical and organizational measures to ensure a level of personal data security appropriate to the risk.
- Only use subprocessors with the consent of the Controller and remain liable for subprocessors.
- Assist Controllers in their obligations to respond to data subjects’ requests to exercise their GDPR rights.
- Meet the data breach notification and assistance requirements.
- Assist Controllers with data protection impact assessments.
- Delete or return personal data at the end of provision of services.
- Support the Controller with evidence of compliance with the GDPR.
To receive a copy of our DPA, please contact us here or via your Customer Success Manager (CSM).
How does Adaptive Insights lawfully transfer personal data from the EU to the US?
Adaptive Insights, Inc., based in the US, certifies to the EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks. TrustArc performs our company’s annual certification of our services to these Frameworks. More information can be found here: https://www.privacyshield.gov.
Where does Adaptive Insights Outline Its Data Privacy and Security Commitments?
Our commitments to the privacy and security of personal data as they relate to our activities as a Processor for purposes of the GDPR are set out in our DPA.
To ensure we meet our security obligations under the DPA, we hire an independent third party auditor to conduct an annual American Institute of CPAs’ (AICPA) SOC 2 Type II audit. The SOC 2 Type II audit is based on a set of AICPA security standards with a focus on internal controls for managing physical and logical access to systems and data. More information can be found here. Upon written request, Adaptive makes its annual SOC 2 Type II audit report available to customers and to prospects who are subject to confidentiality obligations. In addition, we regularly conduct third-party-led security penetration tests and agree to complete customer security questionnaires as reasonably requested and subject to applicable fees.
In addition to our commitments under the DPA, Adaptive Insights has privacy obligations to its Customers and website visitors worldwide. These are provided in the Privacy Statement located on our website at https://www.adaptiveinsights.com/online-privacy-policy.
Do Adaptive Insights’ Product Features Support Customer Compliance with the GDPR?
The Adaptive Insights Business Planning Cloud has tools in place to protect personal data and support GDPR compliance, including data deletion, data portability, and data minimization. More information about these features is included below, with links to additional information about these tools.
The Adaptive Insights Business Planning Cloud provides the following tools for customers to delete their data:
- Delete users
- Delete a split in a sheet
- Erase actuals
- Delete Levels
- Delete Dimensions
- Delete data on a sheet
- Delete a row on a sheet
Customers who terminate a subscription for the Adaptive Insights Business Planning Cloud have up to 30 days to retrieve their data. After that 30-day period, the customer’s data and their instance of the software are deleted. Back-up tapes of customer data are deleted in accordance with the DPA.
Data Minimization and Access Restrictions
The Adaptive Insights Business Planning Cloud offers customers the following tools for data minimization and access controls:
Customers can retrieve their data from the Adaptive Insights Business Planning Cloud in a structured, machine-readable format. Upon request, Adaptive Insights provides additional assistance to facilitate the transfer of customers’ data from the Adaptive Insights Business Planning Cloud to the customer’s own systems or to another provider.
The Adaptive Insights Business Planning Cloud provides the following tools for customers to export data from the system:
Has Adaptive Insights appointed a Data Protection Officer?
Yes. You can reach our Data Protection Officer here.
Do Adaptive Insights’ Employees Go Through Privacy & Security Training?
Yes. All Adaptive Insights employees must complete privacy and security training on an annual basis.
Does Adaptive Insights carry out Data Protection Impact Assessments?
Yes. Data Protection Impact Assessments are carried out on all Adaptive Insights’ products.
Does Adaptive Insights Have an Incident Response Plan in Place?
Yes. Adaptive Insights has developed an Incident Response Policy and Plan to ensure our cross-functional teams are prepared to address any potential security incidents.
Does Adaptive Insights use third-party subprocessors?
Our subprocessor list is available here and more information about our compliance with the GDPR requirements in our use of subprocessors is set out in our DPA.
If you have further questions about the Adaptive Insights GDPR compliance program, please feel free to contact us at firstname.lastname@example.org.