GDPR and Centercode

The EU General Data Protection Regulation (the “GDPR”) is the European data privacy regulation that governs information relating to an identified or identifiable natural person (“Personal Data”).

Under the GDPR, organizations must demonstrate the security of the Personal Data they’re processing and their compliance with the GDPR on a continual basis by implementing and regularly reviewing robust technical and organizational measures and policy compliance.

At Centercode, we are able to offer our customers GDPR-compliant solutions, and we are ready to work with our customers to take the steps needed to ensure compliance.

Our customers always own the data they collect within their Centercode Platform implementations (the “Customer Data”).

Based on this context, our customers are considered the “controllers” of this Customer Data under EU data protection law. We process the Customer Data on behalf of our customers and are considered the “processor” of the Customer Data under EU data protection law.

As our customers’ processor, one important feature of compliance with applicable data protection law is our Data Processing Addendum (DPA). This contract addendum governs the relationship between our customer (as data controller of the Customer Data) and Centercode (acting as data processor) unless otherwise provided in the customer’s agreement with Centercode.

Our DPA contains privacy and security commitments. GDPR requires that customers subject to the GDPR enter into GDPR-compliant contract terms with processors who process Personal Data on their behalf.

In addition, because Centercode and its production systems are primarily located in the United States, Customer Data is located in the United States and the jurisdictions of our sub-processors unless the customer specifically arranges for an alternative location. EU data protection law provides that EU Personal Data may be transferred outside of the EU and European Economic Area when an adequate level of protection for that data is guaranteed. To achieve this level of protection, we enter into controller-to-processor Standard Contractual Clauses with customers.

Centercode’s current DPA includes the new Standard Contractual Clauses that the European Commission adopted in June 2021 to ensure that all customers subject to the GDPR have entered into an appropriate mechanism to lawfully transfer Personal Data from the EU and European Economic Area to Centercode, which is located in the United States.

If your master agreement does not already incorporate our DPA and Standard Contractual Clauses please follow the instructions in our Data Processing Addendum (DPA) to enter into a DPA with Centercode.

For customers that have executed a form of data processing agreement or addendum that uses the Standard Contractual Clause template that pre-dates the June 2021 version, it is important that you update your Standard Contractual Clauses to continue to have an appropriate mechanism to lawfully transfer Personal Data from the EU and the UK to Centercode’s systems. We have made an Amendment to Data Processing Addendum/Agreement available for customers in this situation to execute and return to Centercode at privacy@centercode.com.

The Centercode Platform, upon which all of our services operate, has been designed to provide our customers with a secure platform for their product and service testing programs.

The following features and enhancements assist our customers with a GDPR-compliant use of the Centercode Platform:

• Personal Data Fields
  The Centercode Form Engine allows Administrators to flag specific form fields that are intended to contain personally identifiable or other Personal Data (“Personal Data Fields”). The platform uses this flag to clearly instruct users of the intended use of both personal and non-personal fields, as well as to appropriately remove this data on opt-out or user delete. This functionality is available in all form types, including User Profiles, Test Platforms, Surveys, and Feedback.

• Agreement Center
  This centralized system allows Administrators to search for and export digital agreements associated with any user across the entire platform. This includes archived projects and users who have previously opted-out. This system also allows end-users (active or opted out) to review the entirety of their own community and/or project agreements at any time.

• Opt-Out System
  The platform’s opt-out system removes all flagged Personal Data Fields (see above), in addition to identity (account) information. The system provides an enhanced end-user experience, allowing users to opt out via an email verification, as opposed to requiring login credentials. This system also offers an opportunity for the user to indicate why they’re opting out via both a selection and anonymous open text field. This information is available in the Opt-Out Dashboard, which is intended to allow Administrators to obtain anonymous feedback which can be used to enhance their community user experience.

• Project Opt-Out
  It can be expedient and convenient to allow participants to self-administer an opt out and deletion request. However, in some situations, such as when the participant is in an active test and in possession of proprietary, pre-production equipment, this can be problematic. To address this, the platform includes a project role which allows the Administrator to determine which users may actively leave their project. The opt-out system will reference this role before allowing a user to opt out and delete data in Personal Data Fields. In the event that the user cannot opt out due to lacking this role in one or more projects, appropriate Administrator contact information will be shared in order to facilitate the process.

• Automatic Report Expiration
  All cached reports throughout the platform expire (and are deleted) automatically after 30 days. This ensures that any Personal Data relative to users that have opted out will not be retained unnecessarily.

• Project Delete
  Projects deleted from the platform interface are deleted 7 days after they are deleted from the interface. This is intended to ensure data is fully erased, and this action cannot be undone.

• Customer Data Request Form
  Our general community contact form offers community members options specific to request types, including Personal Data and related requests. These requests are all logged within the platform. Contact and request choices may be easily customized to fit the needs of the Administrator.

• Privacy Policy Links
  The platform contains a location for the customer to link its privacy policy. In addition, the customer’s implementation links to the Centercode Platform Terms of Use for End Users (the “Centercode User Terms”). The Centercode User Terms describe and link to our Centercode Customer Data Handling Practices document, which is our privacy policy for Customer Data explaining how we process Personal Data that is Customer Data. It includes a description of the Centercode Platform mandatory session cookies and system logging features, providing this specific information to supplement your own privacy policy disclosures. Because customers determine the information they collect and how they use and share this information, it is important that they comply with applicable law governing the posting of privacy policies.

Based on our existing features, infrastructure, policies, and processes, we make the following commitments to Centercode Platform subscribers relative to the GDPR:

• Ownership of and Access to Customer Data
  Our customers own their Customer Data. We do not access or use Customer Data except in order to perform services for the customer and as directed by the customer. Our employees and contractors are provided access to Customer Data on a limited, as-needed basis.

• Platform Access
  Password complexity standards default to an eight-character minimum with alpha and numeric requirements and prohibitions on using other identity fields (username, first and last name, or email) within the password. These settings can be easily modified by the platform Administrators to add additional characters and complexity requirements.
  
  Subject to the customer’s edition, customers can also optionally integrate their Centercode Platform implementation with their own single sign-on systems (such as SAML and OAuth). Where the customer’s single sign-on system supports 2-factor authentication, the customer can then extend this feature to its Centercode Platform implementation.

• Limiting Access to Personal Data or Sensitive Information
  Customer Administrators govern access to the Customer Data and to our services through the use of groups (“Teams“) and permissions (“Roles“). Leveraging these and other features, the platform includes capabilities which allow Administrators to determine which specific fields of information are shared or exposed both internally and externally. Customers are responsible for approving access and reviewing user accounts regularly.

• Responses to Legal Requests for Customer Data
  In certain situations, we may be required by law to disclose Personal Data in response to lawful requests by public authorities. We may also disclose Personal Data to respond to subpoenas, court orders, or legal process, or to establish or exercise our rights or defend against legal claims. We may also share such information with law enforcement agencies or public authorities if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our customer agreements or user agreements, or as otherwise required by law.

• Secure Storage
  The Centercode Platform infrastructure, including Customer Data and regular back-ups of Customer Data, is located in a secure cloud-computing environment in an audited, United States-based (or as otherwise specified in the order) data center with 24 x 7 on-site security and monitoring. We will not remove Customer Data from these systems except as directed by the customer, as needed to perform Managed Testing Services (see below), or as described below in Centercode’s Sub-Processors.

• Network Security
  The Centercode Platform production systems are behind a stateful inspection firewall. We conduct a third-party network penetration test annually and internally perform regular vulnerability scans using industry-standard scanning tools. We also employ an intrusion detection system.

• Centercode’s Security Program
  We maintain a written security program designed for the security, integrity, and protection of Customer Data against unauthorized disclosure or loss. Our security program includes administrative, technical, and physical safeguards appropriate for our size and resources and the types of information that we process.

• Platform Availability
  Appropriate measures are taken against accidental destruction or loss of production data, including backup of all production data on a regular basis. We make a service-level agreement available to our customers which includes response and resolution times. In addition, the infrastructure at the data center, including uninterruptible power supply (UPS) systems, diesel generators for backup power, fire detection and prevention systems, and redundant HVAC equipment, is designed to minimize the impact of external environmental risks. Centercode maintains a business continuity/disaster recovery plan that identifies and addresses risk factors associated with the Services.

• Confidentiality
  We hold Customer Data in strict confidence. Our employees, contractors, and sub-processors are under obligations of confidentiality and are trained in the importance of maintaining the confidentiality and privacy of Customer Data.

• Background Checks
  We conduct appropriate background checks on all Centercode personnel.

• Encryption
  Data in transit is encrypted using the most current version of HTTPS/TLS. In addition, we encrypt all Customer Data at rest and all backups of Customer Data using AES-256.

• Request Tracking, Monitoring and Logging
  When a request is made to Centercode Support from a customer, a ticket is created in our internal request tracking system and progress is tracked until final resolution. Centercode monitors and logs access to the production systems and logs are maintained for at least ninety days.

Centercode uses an audited and secure cloud hosting provider with servers located in the United States (unless otherwise specified in an order) to provide the infrastructure behind the Centercode Platform. Centercode’s current sub-processor for cloud hosting is Amazon Web Services, Inc. We use additional third-party sub-processors as described in our list of sub-processors here.

Prior to the onboarding of any sub-processor, we conduct a review of the security practices of the sub-processor to ensure an appropriate level of security. We require our sub-processors to enter into appropriate security, confidentiality, and privacy contract terms and we have GDPR-compliant data processing addenda in place with our sub-processors.

Finally, the platform includes features which can allow the customer to integrate its other systems, including the systems of its third-party providers. Where the customer uses these features to integrate a third-party system, the third-party system that the customer integrates is the customer’s sub-processor and not Centercode’s. Customers should review integrations and any tracking or tagging technologies they include in their platform implementation to ensure they are compliant.

• Data Removal at Subscription Termination
  If a Centercode customer chooses to terminate its subscription, its Customer Data (including all Personal Data) will be deleted within 90 days. Optionally, the customer may request its Customer Data be deleted sooner, in which case Centercode will expedite the deletion process to remove all Customer Data within 7 days of the request. In all cases, backups of deleted Customer Data are purged within 30 days of deletion of the underlying data.

• Personal Data
  Personal Data in the Centercode Platform is intended to be restricted to core user account fields (including username, full name, email address, birth date, and password), and all fields marked by the customer’s Administrator as Personal Data Fields, typically including “User Profiles.” The Platform clearly indicates fields intended for Personal Data Fields to the customer’s community members during submission and update.

• Updating Data
  The customer’s community members may access and update their own User Accounts and User Profile information at any time, unless deliberately restricted by an Administrator. Fields flagged as Personal Data in surveys and feedback are typically non-updatable due to their nature, but are erased on opt-out. If necessary, the Administrator can modify these fields.

• Right to Erasure (i.e. Opting-Out)
  The Centercode Platform offers users the ability to easily remove their own accounts. If a user chooses to opt out, or their account is deleted by an Administrator, their identity, including all User Account and Personal Data Fields, will be deleted in accordance with the deletion preferences set by the Administrator. Additional data initially associated with the user that is not marked as Personal Data (such as perhaps Bug Reports and Survey results) remains in the platform and is re-associated with an anonymized User Account containing no Personal Data. This allows users to actively protect their privacy while retaining data integrity within the platform.

• Maintaining Digital Agreements
  The Centercode Platform offers a facility to assign and manage digital contractual agreements (such as Non-Disclosure or Participant Agreements). Agreements, including Personal Data in agreements, are maintained in the system after a user has been removed (via delete or opt-out) in order to give our customers the flexibility they will need to maintain important contractual records in circumstances where a user has made a Right to Erasure request.

The GDPR contains requirements to report data breaches in accordance with set timeframes. Controllers of Personal Data should ensure they have clear processes in place for responding to data breach notifications quickly. Centercode has processes in place for responding to and tracking security incidents involving its customers’ Personal Data.

We will notify our customers without undue delay and within no more than forty-eight (48) hours upon first becoming aware of a security incident involving their Personal Data. We will notify our customers using the method(s) agreed to in our customer agreements, or if not provided there, we will provide email notification to the customers’ Administrators.

Any security incident will be tracked in our internal tracking system and we will provide our customers with the information they need in order to fulfill any data breach reporting obligations under the GDPR.

As always, we’re happy to work with you to enhance your use of the Centercode Platform, including sharing our best practices to ensure that personally identifiable and other sensitive information is collected, stored, and used in a way that minimizes exposure risks and assists in your ability to respond to user requests.

Centercode’s customers include companies that, in addition to obtaining an annual software subscription to the Centercode Platform, engage Centercode to perform Managed Testing services, from managing one or more test projects to managing the customer’s entire product and service testing program.

In these situations, some of the commitments in “The GDPR and Centercode Platform Subscribers” vary as follows:

• Secure Storage of Data Removed from the Platform
  In order to perform Managed Testing Services for the customer (e.g., services involving shipping test products to testers, managing tester participation, or customer requests for reports), in some circumstances we need to remove Customer Data (including Personal Data) from the production systems.
  
  In this event, we remove the data only to the extent necessary to perform the services, and we abide by strict internal policies governing the handling of Personal Data removed from the production systems. These policies ensure that (1) the data is still only accessible by Centercode employees, contractors, and sub-processors as necessary to perform the managed testing services; and (2) that we maintain a record of the location(s) of the Personal Data.

• Data Deletion
  Where we manage all or a portion of customer’s product or service testing program, while we can assist with project or other deletion requests, we require our customer to provide a written request to delete any project or the Customer Data as a whole during the term of the Centercode Platform subscription (see Data Removal at Subscription Termination above for our post-term Customer Data deletion practices). In other words, we do not manage your Customer Data retention policies and procedures. Where we are managing your product or service testing program and where we receive a Personal Data deletion request from your users, we will direct the user to any available opt out functionality in your platform implementation. Beyond that, the customer will manage any request.
  
  In addition, when performing Managed Testing Services, the Centercode services team adopts best practices to ensure that Personal Data is only collected in fields marked as Personal Data. This allows for effective Personal Data deletion where the user opts out.

• Platform Access and Administration
  Because Managed Testing Services are conducted by Centercode using the customer’s platform implementation, Centercode’s staff members are appointed as platform Administrators along with the customer’s own appointed Administrators. As with all platform customers, a Managed Testing Services customer still ultimately manages access to its Customer Data and to our services by appointing its own Administrators who govern its team’s access to the Customer Data and to our services. The Administrator can do this through the use of Teams and Roles, as described above. Even where we manage the product and service testing program of a customer, the customer is responsible for managing its users and reviewing its user accounts regularly.

• Managed Services Sub-Processors
  In addition to our sub-processors for Subscription Services, in order to perform Managed Testing Services (e.g., preparing reports, distributing incentives, shipping products, etc.), we use additional sub-processors. Please review these additional Managed Testing Services sub-processors in our list of sub-processors here.

We encourage our customers to review GDPR compliance and privacy law compliance in general by investigating how they use the Centercode Platform and by reviewing their privacy and security processes and policies, including their privacy policy posted on their Centercode Platform implementation. Because our customers are the data controllers, Centercode customers bear the primary responsibility of ensuring that their processing of Personal Data is compliant with applicable privacy laws, including the GDPR.

Because we don’t monitor or govern how our customers leverage the Centercode Platform and the specific countries of residence of their test participants and users, our customers must determine whether and how various privacy and data protection laws, including the GDPR, apply to them.

Below are some critical items to consider for your GDPR compliance:

• Extra-Territorial Reach of GDPR
  The GDPR applies to organizations that are established outside of the EU but that process the Personal Data of EU residents. Therefore, even our customers located entirely outside of the EU should be determining whether the GDPR applies to their activities.

• End-User Rights
  The GDPR provides certain rights to “data subjects” (the customer’s end-users) whose Personal Data they may be processing. Organizations need to ensure they are able to accommodate these rights.

• Data Processing Addendum (“DPA”) and Standard Contractual Clauses (“SCCs”)
  If you have determined that the GDPR applies to your organization’s activities relating to Centercode’s services, in addition to preparing your own internal GDPR-compliance program, if your master agreement with Centercode does not already include a GDPR-compliant data processing addendum, please execute our Data Processing Addendum (DPA) immediately
• Standard Contractual Clause (“SCC”) Update
  If you have signed a data processing agreement or addendum with Centercode that includes Standard Contractual Clauses that pre-date the June 2021 version, please execute our Amendment to Data Processing Addendum/Agreement to update your Standard Contractual Clauses and Sub-Processor approvals..

• Data Protection Impact Assessment (“DPIA”)
  Under the GDPR, some data collection practices require customers to conduct, and sometimes file with authorities, a DPIA. You should review your collection practices and consider this requirement.