GDPR addresses the following three categories of users as it relates to personal data:
- Data Subjects are individuals within the European Union (EU) and the European Economic Area (EEA) whose personal data is covered by GDPR. Data Subjects own the data on themselves.
- Data Controllers control the procedures and purpose of personal data usage.
- Data Processors process any data at the direction of the Data Controller.
When Celigo customers use our integration solutions, including integrator.io, Integration Apps, and CloudExtend products, Celigo is the Data Processor and the customers are the Data Controllers. This means that Celigo neither owns nor controls the data being transferred between the endpoints integrated via Celigo products. Celigo also cannot change the purpose or the means by which the data is used. Furthermore, Celigo is bound by the instructions given by the Data Controllers, i.e., Celigo’s customers.
When Celigo uses our customers’ personal data for the purpose of conducting business, such as sales, marketing, and support, Celigo is the Data Controller. As such, Celigo has measures in place for adhering to GDPR requirements as Data Controller and manages personal data according to these six lawful processing conditions of GDPR:
- Compliance with a legal obligation
- Performance of a contract
- Legitimate interest
- Public interest
- Vital interest
Categories of Personal Data
Personal data of Celigo customers that may be used by us to manage the sales, consulting, support, payment, and billing processes may include:
- Email address
- Unique customer identifier
- Order ID
- Bank account details
- Payment or payment card details
- Card expiration date
- CVC code
- Date/time/amount of transaction
- Merchant name/ID
Celigo does not knowingly process special categories of data as defined by the GDPR in the context of processing our internal business activities.
Governance Structure and Celigo’s Data Protection Officer
Data privacy is discussed throughout Celigo with regular presentations to all of our Employees, the Executive Team, and members of our Board of Directors.
Data privacy and GDPR are a company priority at Celigo among our Employees, the Executive Team, and members of the Board of Directors.
Celigo’s designated Data Protection Officer is Wayne Sisk, Celigo’s Sr. Manager of Security and Compliance. He leads Celigo’s security, privacy, and compliance initiatives across all Celigo departments, making sure data privacy principles are built into our ongoing operations and monitoring related activities on an ongoing basis.
Celigo has completed its Article 30 Data Mapping exercise. This means that we have identified the data we hold, where it is held, and how it is accessed. Furthermore, we understand the classification of the data and the records of its transfers, and we maintain flowcharts illustrating how it moves between systems, processes, and countries.
Led by Celigo’s Sr. Manager of Security and Compliance, Wayne Sisk, and Chief Technology Officer, Scott Henderson, together with Executive Management and the Engineering Team, Celigo maintains a rigorous information security program that includes:
- Technical security measures (e.g. intrusion detection, firewalls, monitoring),
- Restricted access to personal data,
- Protection of our physical premises and hard assets,
- Maintaining security measures for our team members (e.g. background pre-screening),
- A data-loss prevention strategy, and
- Regular testing of our security posture across our product family at www.celigo.com, integrator.io, and cloudextend.io.
For additional Security measures at Celigo, and for integrator.io specifically, please visit our Security page.
Privacy Impact Assessments
Where appropriate, a Privacy Impact Assessment has been completed.
Responding to Subject Access Requests / Rectification / Deletion
As a Data Processor, Celigo has processes in place to respond within 30 days to any request from a Data Subject for access to, correction of, or deletion of personal data, as mandated by GDPR.
Data Breach Reporting
As the Data Processor, Celigo has processes in place to notify Data Controllers of any data breach without undue delay, as required by GDPR. However, we recognize that for our Customer, the Data Controller, the clock only starts ticking when they become aware that an incident has occurred. In situations where Celigo is the Data Controller, Celigo has processes in place to ensure the required notification is sent to the appropriate authority within 72 hours.
Cookies & Privacy Policies
A Subprocessor is a third-party Data Processor engaged by Celigo who has, or potentially will have, access to Customer Content, or who will process Customer Content, which may contain personal data. Celigo engages different types of subprocessors to perform various functions, as explained here.
Other Points to Consider
- Update your staff and affected clients with privacy notices
- Manage your Data:
  - Transfer personal data out of the EU
  - Notify the data protection authorities within 72 hours
  - Document and demonstrate compliance with GDPR
Who to Contact:
Contacts for all GDPR, security, or compliance questions can be found on our Contacts page here:
Updated: April 1, 2019 | v2