Who does Dotdigital transfer data to and why?
Dotdigital’s global entities include:
Dotdigital EMEA Limited
Dotdigital APAC Pty Limited
dotmailer SA Pty Ltd
Dotdigital Poland Sp. Z.O.O.
Dotdigital’s external sub-processors are engaged for the purposes of platform hosting, network management, internet and network services, data back-ups and storage. This includes:
Microsoft Azure – platform hosting and data storage
Google Cloud Platform – platform hosting and data storage
Cloudflare - CDN and web-proxy services
Amazon Web Services - network services and storage
MagneticOne - optional API integration for e-commerce solution connectivity
Phoenix47 Ltd - out-of-hours client support
Partner Hero - Multi-lingual support by live chat, email and telephone
Elasticsearch - Used in the processing and storing of system logs
Raygun - Used in the processing and storing of system logs
Blendr.io / Qlik - Suppliers of integration services to third-party systems
Tray.io - Suppliers of integration services to third-party systems
CrescoData - Suppliers of integration platforms for clients wanting to link their dotdigital account to supported third-party e-commerce systems
Will data be transferred outside of the EEA?
Yes, but only in limited circumstances and all such transfers are protected by safeguards in place. You may specify which location you wish your data to be physically hosted. If requested to be physically held at a specific location, data will not be physically transferred to the other locations, although it may be accessed from another location in some circumstances (for example, Dotdigital support staff in the US who enable 24/5 support). As standard, UK and EU client data will be stored in the EU. US account data will be stored within the US, and APAC account data is stored within Australian data centres.
What measures does Dotdigital have in place to protect data transferred to third-party processors?
Dotdigital will always ensure the safeguarding of personal data, including entering into Data Processing Agreements reflecting the obligations under the GDPR, passing down the measures of the EU Model Contract Clauses when working with parties outside of the EU.
All of our data centre providers hold a broad set of industry standard accreditations such as ISO27001 and ISO9001.
All Dotdigital employees are subject to confidentiality obligations as per Dotdigital’s internal Employee Conduct, Confidentiality, Data Protection and Information Security Policies.
Are Dotdigital’s sub-processors GDPR compliant?
All of our sub-processors have been thoroughly assessed from a GDPR and overall security compliance perspective.
Do your contract terms with sub-processors provide similar or the same level of protection as the client Data Processing Agreement?
Yes, Dotdigital ensures that all third party sub-processors are subject to at least the same security and data protection obligations as Dotdigital. In addition, we will remain fully liable for any of our sub-processors actions during the course of their processing and we will only ever use reputable industry suppliers.
Does Dotdigital inform clients where a new third-party sub-processor is being engaged and can we object?
Yes, we would always notify clients at least 30 days in advance when we are planning on engaging a new sub-processor. This is usually by way of an email to the email address provided by you on the Service Agreement. As a client, you will always be given 14 days to object to Dotdigital engaging a new sub-processor where you have any data protection concerns.