Celigo’s Role in Processing Personal Data
GDPR addresses the following three categories of users as it relates to personal data:
- Data Subjects are individuals within the European Union (EU) and the European Economic Area (EEA) whose personal data is covered by GDPR. Data Subjects own the data on themselves.
- Data Controllers control the procedures and purpose of personal data usage.
- Data Processors process any data at the direction of the Data Controller.
When Celigo customers use our integration solutions, including integrator.io, SmartConnectors, and CloudExtend products, Celigo is the Data Processor while the customers are the Data Controllers. This means that Celigo does not own nor control the data that is being transferred between the different endpoints that are being integrated via Celigo products. Celigo also cannot change the purpose nor the means in which the data is being used. Furthermore, Celigo is bound by the instructions given by the Data Controllers, meaning Celigo’s customers.
When Celigo uses our customers’ personal data for the purpose of conducting business, such as sales, marketing, and support, Celigo is the Data Controller. As such, Celigo has measures in place for adhering to GDPR requirements as Data Controller and manages personal data according to these six lawful processing conditions of GDPR:
- Compliance with a legal obligation
- Performance of a contract
- Legitimate interest
- Public interest
- Vital interest
Categories of Personal Data
Personal data of Celigo customers that may be used by us to manage the sales, consulting, support, payment, and billing processes may include:
- Email address
- Unique customer identifier
- Order ID
- Bank account details
- Payment or payment card details
- Card expiration date
- CVC code
- Date/time/amount of transaction
- Merchant name/ID
Celigo does not knowingly process special categories of data as defined by the GDPR in the context of processing our internal business activities.
Governance Structure and Celigo’s Data Protection Officer
Data privacy is discussed throughout Celigo with regular presentations to all of our Employees, the Executive Team, and members of our Board of Directors.
Data privacy and GDPR is a company priority at Celigo among our Employees, the Executive Team, and members of the Board of Directors.
Celigo’s designated Data Protection Officer is Wayne Sisk, Celigo’s Sr. Manager of Security and Compliance. He leads Celigo’s security, privacy and compliance initiatives with all Celigo departments by making sure data privacy principles are part of all our ongoing operations while monitoring related activities on an ongoing basis.
Celigo has completed its Article 30r Data Mapping exercise. This means that we have identified data that we have, where it is held, and how the data is being accessed. Furthermore, we understand the classification of data, records for transfer, and have flowcharts to illustrate how it moves between systems, processes, and countries.
Led by Celigo’s Sr. Manager of Security and Compliance, Wayne Sisk, and Chief Technology Officer, Scott Henderson, Executive Management, and the Engineering Team, Celigo maintains a rigid information security program that includes:
- Technical security measures; (e.g. intrusion detection, firewalls, monitoring),
- Restricted access to personal data,
- Protection of our physical premises and hard assets,
- Maintaining security measures for our team members (e.g. background pre-screening),
- A data-loss prevention strategy, and
- Regular testing of our security posture across our product family at www.celigo.com, integrator.io, and cloudextend.io.
For additional Security measures at Celigo, and for integrator.io specifically, please visit our Security page.
Privacy Impact Assessments
Where appropriate, a Privacy Impact Assessment has been completed.
Responding to Subject Access Requests / Rectification / Deletion
As a Data Processor, processes are in place for Celigo to respond within 30 days to any requests from a Data Subject for access, corrections, or deletion of personal data as mandated by GDPR.
Data Breach Reporting
As the Data Processor, Celigo has processes in place to notify Data Controllers of any data breaches that occur without undue delay as required by GDPR. However, we recognize that for our Customer, the Data Controller, the clock will only start ticking when they become aware there has been an incident. In situations where Celigo is the Data Controller, Celigo has processes in place to ensure the required notification is sent to the appropriate authority within 72 hours.
Cookies & Privacy Policies
A Subprocessor is a third-party Data Processor engaged by Celigo who has, or potentially will have access to, or will process Customer Content which may contain personal data. Celigo engages different types of subprocessors to perform various functions as explained here.
Other Points to Consider
Under GDPR, you as a data controller will have to update your staff and affected clients with privacy notices that specify what is the purpose of the processing and what is the legal basis for such processing, and whether you will be transferring their data out of the EU.
As a data controller, you are in control of all data you entrust to Celigo’s products - Manage all personal data appropriately to meet your privacy requirements. Only submit data to the Celigo tools that is appropriate for the use case. Further:
- Only use secure https endpoints with Celigo connectors (No http)
- Celigo does not persistently store data from connector flows
- For the transfer period, if https endpoints are used, all data is encrypted in transit
- Data stored temporarily for processing is encrypted in AWS S3 buckets and time stamped for deletion in thirty days. This data is deleted on completion of the activity. If an activity fails the data is available for retry for a maximum of thirty days.
You as a Celigo Client and data controller will have to implement a lawful mechanism to transfer personal data out of the EU (Celigo implements Model Clauses into our Data Protection agreement (DPA) using Standard Contractual Model Clauses.)
You as a data controller, meaning persons or companies making the decision to launch data processing and overseeing the means by which personal data is processed, must notify the Data Protection Authorities within 72 hours of being made aware of a personal data breach unless there is no risk to the rights and freedoms of individuals. Failure to report within this timeframe may result in fines.
You as a data controller will be expected to document and demonstrate compliance with GDPR, such as being able to provide a registry of applications, processes, and categories of data being processed by your organization.
Who to Contact:
Contacts for all GDPR, security, or compliance questions can be found on our Contacts page here:
Updated: April 1, 2019 | v2