GDPR Compliance

We believe that customers should be able to control their data and trust that information is protected when stored on its servers. To support this, TrenDemon holds itself to strict data security and privacy standards, including compliance with the General Data Protection Regulation (GDPR).

The following serves as an overview of the key information about the GDPR and the services that TrenDemon provides that align with the regulation.

What is the GDPR?

The General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law in the European Union (“EU”) that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state. The GDPR goes into effect on May 25, 2018.

How does GDPR impact TrenDemon and its customers?

The GDPR regulates the “processing” of personal data of any EU resident (who is referred to as a “data subject”). “Processing” includes the collection, storage, transfer, or use, of personal data. This means that any company that processes the personal data of any data subject, regardless of where the company is based, is subject to the rules of the GDPR. Additionally, the GDPR defines personal data very broadly and includes name, email, demographic information, real-time location, online activity, and health information, to name a few. As the leading user analytics platform, TrenDemon receives billions of data points from all over the globe, including data points that are or contain personal data from data subjects. This means that both TrenDemon and our customers, who send us data will need to comply with the requirements of the GDPR.  

Is TrenDemon collecting data?

As defined between TrenDemon and our customers, TrenDemon is the “data processor” and the customer is the “data controller”, as such terms are defined under the GDPR. The data controller collects data from our data subjects (i.e. a customer’s end users) and says how and why personal data is processed. The data processor receives the data from the data controller and acts upon instruction from the data controller.

Will TrenDemon be compliant with GDPR?

Yes.  TrenDemon is committed to complying with GDPR and enabling our customers to comply with GDPR. TrenDemon has an ongoing commitment to providing leading data protection to our customers. We maintain a robust privacy and security program that we continually assess and improve to meet the needs of our customers and to maintain industry leadership in data protection among product analytics companies.

Will TrenDemon enter into a Data Processing Agreement (“DPA”) with me?

Yes. We understand the GDPR has robust requirements and obligations for both data collectors and data processors and we are committed to helping our customers use TrenDemon in a compliant manner. We have made our DPA available online so that our customers can be confident that their data is processed in a lawful manner.

Supporting Data Subject Rights

As controllers of personal data, TrenDemon and its customers must uphold certain rights as stated by the GDPR, including:

Right to Access and Data Portability

TrenDemon will support individuals’ right to access and the right to portability of their personal data through individual export requests. Any TrenDemon account holder will be able to request an export of one’s own personal data, as well as the personal data of their own end-users. The process for submitting individual personal data export requests will be made available upon request.

Right to Deletion

We plan to support individuals’ right to erasure through a permanent deletion of personal data upon request. Requests for deletion of one’s own personal data or the personal data of end-users will be accepted by request.

Right to Object

Our customers control what data is sent to TrenDemon, and may decide to halt the sending of personal data at any time. To assist with supporting individuals’ right to object to the collection of one’s personal data, TrenDemon also has built dedicated methods for our client-side SDKs that can be used to opt end users out of tracking.

TrenDemon collects information about how customers use the product and use this data to identify product gaps and improve existing products. While this information is useful, TrenDemon recognizes the importance of an individual’s right to object.  TrenDemon has therefore streamlined opt-out systems for its customers, and starting May 25th they will be able to opt out of tracking by request.

Privacy by Design

TrenDemon builds products with privacy and security as central parts of its design. See the information below for more details about the safeguards that TrenDemon puts in place to protect customer data.

Incident Response

  • TrenDemon takes the safeguarding of personal data seriously.
  • Any data breach may impact TrenDemon’s customers as well as their customers and prospects.
  • The responses listed within TrenDemon’s response plan are in accordance with the timeframes of the GDPR regulations.
  • In case of a suspected data breach, TrenDemon shall notify the affected customers (as defined below) and the appropriate Supervisory Authority.
  • All suspected data breaches shall be recorded on a TrenDemon log with the time of the discovery of the suspected data breach.
  • Suspected data breaches shall trigger by an employee an email alarm to Trendemon security managers.
  • The email subject is **Suspected Data Breach ** and shall detail the reason for the suspicion.
  • The employee will immediately follow up with a phone call to verify that Trendemon security managers have received the alert.
  • The security manager or in his absence, any employee selected him/her shall:
    • Try to ascertain the breach. If unclear, the security manager shall have the final say as to whether there is a reason to believe that a data breach has occurred.
    • The security manager shall document in the log his decision and the reasoning behind it.  
  • If the security manager decides that a breach has likely occurred the following steps shall be taken immediately:
    • Determine what data was compromised.
    • Whether  that data was encrypted
    • The potential TrenDemon customers that may have been affected by the data breach
  • Trendemon customers relations person shall notify immediately the TrenDemon customers that were impacted by the suspected data breach with the following information:
    • Time of discovering of a suspected data breach
    • The customers of the TrenDemon Customers whose personal data information may have been compromised
    • The nature of the data that has been compromised.
    • What remediation actions TrenDemon is doing to prevent the recurrence of similar data breaches

Sub-processors

  1. All agreements with Controllers shall mention explicitly the use of Amazon Web Services as a TrenDemon Sub-processor in the Processor contract with Controller. This is mentioned explicitly in the standard TrenDemon contract in Annex 1
  2. If TrenDemon is connected to a customer’s Marketing Automation Platform (Marketo, Pardot, HubSpot, Act-On or IBM), TrenDemon shall mention explicitly the integration with the Marketing Automation Platform in Processor Contract with Controller.
  3. All new 3rd party software used by TrenDemon shall require a written approval by Trendemon’s security manager as not being a TrenDemon Sub-Processor for GDPR purposes.
  4. As of May 1st, 2018, the only TrenDemon subprocessor is Amazon Web Services. Accordingly, all TrenDemon data processing agreements with Controllers shall be checked that they comply with AWS.
  5. In addition, TrenDemon shall explicitly notify Controller on the use of AWS.

Data Retention Policy

As processors of its customers’ data and to protect the privacy of information it stores, TrenDemon holds data no longer than is needed to provide its services. To further support this, TrenDemon is implementing a data retention policy starting May 25th:

Events with timestamps that are older than 5 years are automatically deleted on an ongoing basis from all projects.

People data is retained indefinitely.

Additional Information and Resources

Data Processing Addendum

TrenDemon has updated its DPA to ensure compliance with all GDPR-specific requirements. This supplements TrenDemon’s Terms of Use and provides contractual safeguards to its customers for the processing of personal data sent through TrenDemon. The DPA enables TrenDemon’s customers to comply with the GDPR.

Data Protection Officer

TrenDemon has a dedicated Data Protection Officer (DPO), along with a team of privacy and security professionals dedicated to our compliance and to helping you maintain your compliance when using TrenDemon.

If you would like to reach our DPO or have or have follow-up questions please reach out to us at compliance@trendemon.com.