skip to Main Content

GDPR Compliance

Celigo’s Role in Processing Personal Data and Following GDPR

GDPR addresses the following three categories of users as it relates to personal data:

  • Data Subjects are individuals within the European Union (EU) and the European Economic Area (EEA) whose personal data is covered by GDPR. Data Subjects own the data on themselves.
  • Data Controllers control the procedures and purpose of personal data usage.
  • Data Processors process any data at the direction of the Data Controller.

When Celigo customers use our integration solutions, including, Integration Apps, and CloudExtend products, Celigo is the Data Processor while the customers are the Data Controllers. This means that Celigo does not own nor control the data that is being transferred between the different endpoints that are being integrated via Celigo products. Celigo also cannot change the purpose nor the means in which the data is being used. Furthermore, Celigo is bound by the instructions given by the Data Controllers, meaning Celigo’s customers.

When Celigo uses our customers’ personal data for the purpose of conducting business, such as sales, marketing, and support, Celigo is the Data Controller. As such, Celigo has measures in place for adhering to GDPR requirements as Data Controller and  manages personal data according to these six lawful processing conditions of GDPR:

  • Compliance with a legal obligation
  • Performance of a contract
  • Legitimate interest
  • Public interest
  • Vital interest
  • Consent

Categories of Personal Data

Personal data of Celigo customers that may be used by us to manage the sales, consulting, support, payment, and billing processes may include:

  • Name
  • Email address
  • Unique customer identifier
  • Order ID
  • Bank account details
  • Payment or payment card details
  • Card expiration date
  • CVC code
  • Date/time/amount of transaction
  • Merchant name/ID
  • Location

Celigo does not knowingly process special categories of data as defined by the GDPR in the context of processing our internal business activities.

Governance Structure and Celigo’s Data Protection Officer

Data privacy is discussed throughout Celigo with regular presentations to all of our Employees, the Executive Team, and members of our Board of Directors.

Data privacy and GDPR is a company priority at Celigo among our Employees, the Executive Team, and members of the Board of Directors.

Celigo’s designated Data Protection Officer is Wayne Sisk, Celigo’s Sr. Manager of Security and Compliance. He leads Celigo’s security, privacy and compliance initiatives with all Celigo departments by making sure data privacy principles are part of all our ongoing operations while monitoring related activities on an ongoing basis.

Data Mapping

Celigo has completed its Article 30r Data Mapping exercise. This means that we have identified data that we have, where it is held, and how the data is being accessed. Furthermore, we understand the classification of data, records for transfer, and have flowcharts to illustrate how it moves between systems, processes, and countries.

Information Security

Led by Celigo’s Sr. Manager of Security and Compliance, Wayne Sisk, and Chief Technology Officer, Scott Henderson, Executive Management, and the Engineering Team, Celigo maintains a rigid information security program that includes:

  • Technical security measures; (e.g. intrusion detection, firewalls, monitoring),
  • Restricted access to personal data,
  • Protection of our physical premises and hard assets,
  • Maintaining security measures for our team members (e.g. background pre-screening),
  • A data-loss prevention strategy, and
  • Regular testing of our security posture across our product family at, and

For additional Security measures at Celigo, and for specifically, please visit our Security page.

Privacy Impact Assessments

Where appropriate, a Privacy Impact Assessment has been completed.

Responding to Subject Access Requests / Rectification / Deletion

As a Data Processor, processes are in place for Celigo to respond within 30 days to any requests from a Data Subject for access, corrections, or deletion of personal data as mandated by GDPR.

Data Breach Reporting

As the Data Processor, Celigo has processes in place to notify Data Controllers of any data breaches that occur without undue delay as required by GDPR. However, we recognize that for our Customer, the Data Controller, the clock will only start ticking when they become aware there has been an incident. In situations where Celigo is the Data Controller, Celigo has processes in place to ensure the required notification is sent to the appropriate authority within 72 hours.

Cookies & Privacy Policies

Celigo is committed to ensuring the privacy of all Data Subjects, regardless of their locations. We provide transparency on our usage of such data as stated in our Privacy Policy.


Celigo Subprocessors

A Subprocessor is a third-party Data Processor engaged by Celigo who has, or potentially will have access to, or will process Customer Content which may contain personal data. Celigo engages different types of subprocessors to perform various functions as explained here.

Celigo uses subprocessors to assist us in providing our customers the Services as described in our Terms of Service, Sales Agreements, and/or Amendments (“Customer Agreement”) available at Terms of Service or other locations the Terms of Use may be posted or defined such as sales agreements and amendments (as applicable, the “Agreement”). Defined terms used herein shall have the same meaning as defined in the Agreement. View a full list of Subprocessors here.


Other Points to Consider


Update your staff and affected clients with privacy notices

Manage your Data:

Transfer personal data out of the EU

Notify the data protection authorities within 72 hours

Document and demonstrate compliance with GDPR


Who to Contact:

Contacts for all GDPR, security, or compliance questions can be found on our Contacts page here:


Updated: April 1, 2019 | v2