Safe, secure, and ready for GDPR

Nothing matters more to us than the security of your data. We have you covered for the EU’s new General Data Protection Regulation (GDPR).

Securing your data

Protecting customer data is a top priority at Delighted. We understand you are trusting us with your data and we take the responsibility of securing it extremely seriously. Our Security page outlines all of our practices. Additionally, Delighted has a Data Protection Impact Assessment (DPIA) that documents our handling of all your data, including personal data.

Data correction

Account admins can modify collected personal data to meet the correction requirement of the GDPR with a simple request to our Concierge team.

Right to be forgotten

As an account admin, you can permanently delete individual people, responses, and respondent personal data should an individual request it.

Built for security

Delighted protects all of our customers with an array of security features.

  • Authenticated email (DKIM, SPF, DMARC)
  • Data encryption in transit
  • Data encryption at rest
  • Data centers routinely audited with industry-standard SSAE-16 methods
  • Data redundancy for resilience during disasters
  • Two-factor authentication
  • Continuous network monitoring
  • EU-US Privacy Shield Certified
  • Swiss-US Privacy Shield Certified
  • Users can opt-out of re-contact for a survey
  • Industry-standard security evaluations
  • Independent third-party security reviews and penetration tests
  • Role-based authentication
  • IP address whitelisting

What is GDPR?

Effective May 25, 2018, GDPR tightens the rules for businesses on how they collect, store and process EU citizens’ personal data. The new regulations impact organizations worldwide that collect and process personal data of EU citizens. Some of the key changes likely to impact your customer feedback programs are listed below.

See all GDPR changes

Data correction

EU citizens will have the right to request that their personal data are rectified, and they can request restrictions on how their data are used. In addition, they may ask to “be forgotten,” requiring that all their personal data be permanently erased. Generally speaking, the GDPR explicitly states it must be as easy to withdraw your data as it was to consent to it in the first place.

Consent

A business must seek an individual’s unambiguous consent prior to collecting any personal data. How the personal data will be used must be clearly stated, and business contact details provided if more information is requested. Organizations may need to consider conditions for processing other than consent, such as in relation to a contract, or because of another legal obligation (such as employer-employee).

Privacy assessment

Data processors will need to implement a high level of security to safeguard the controller’s data, and to conduct a Data Protection Impact Assessment (DPIA) that documents how personal data will be safeguarded. Our Security page describes our key privacy-related processes and procedures.

Enabling you to be GDPR compliant

Delighted enables customers to be GDPR compliant. Briefly stated, that means Delighted:

  • Provides sufficient guarantees to the controller to implement appropriate technical and organizational measures designed to safeguard Customer data
  • Processes data (that could include personal data) only to fulfil its obligations as related to the Services
  • Enables users to modify and delete their account
  • Enables users to modify and delete complete survey responses, as well as remove all requested customer data
  • Provides security documentation that describes the processes and procedures for safeguarding the data at our Security page
  • Can sign a contract that governs the processing of EU personal data

GDPR contract – Data Processor Agreement (DPA)

GDPR Article 28, Section 3, requires that a contract be in place between a data controller and a data processor. For years, the Delighted Terms of Service and Privacy Policy have provided the fundamental legal requirements and obligations regarding data ownership, processing behavior, safeguarding data, and more.

However, if, as a Delighted customer, you would like a GDPR-specific contract, we have provided an e-signature link below for our Data Processor Agreement, and our legal team will review and send you a countersigned version.

Sign GDPR Data Processor Agreement

Frequently asked questions

Disclaimer: This FAQ contains helpful compliance information when using Delighted products. Customers should always consult their internal compliance team and/or their privacy attorney regarding legal matters. The information herein is provided as-is, and should not be considered legal advice. Delighted desires to enable its customers to comply with applicable laws, but does not warrant that a customer’s particular use of its products will be compliant.

Should I get consent from a customer to collect their personal data?

Can I modify a customer’s personal data that resides in an existing survey/response?

Yes, you can modify all response data to correct personal data as required by GDPR when you receive a Subject Access Request, or for other reasons. Simply contact us and we will work with you to swiftly make the adjustments.

Can I delete personal data that resides in an existing survey?

Yes, you can delete any response, including a response that contains personal data, as required by GDPR. You can also remove all other requested customer data.

Is personal data permanently deleted when I remove it?

A deleted response or person is initially flagged for deletion, and may be recovered by our Concierge team upon request. After 90 days, the deletion becomes permanent and unrecoverable.

How long is personal data retained in Delighted if I don’t delete it?

Delighted’s philosophy is that customers own and control all the data they collect. Any retention period required by law or your company policy is controlled by you.

You should ensure that all people and personal data are deleted prior to stopping your usage of Delighted, especially if required by policy, law, or regulation.

Does my data get included in backups, and if so, for how long?

Yes. Delighted backs up all customer data, and retains the backups for 90 days. After 90 days, the backup is deleted.

Can I delete a customer’s personal data from Delighted backups?

No. The backup dataset contains all customer data, and is used for disaster recovery purposes only. This is required for legal and compliance reasons related to availability obligations. Any personal data in these backups will be permanently deleted after 90 days.

If my data center is located in the EU, does Delighted transfer my personal data outside the EU at any point?

Our data centers are with Amazon Web Services in the United States. However, data transfer is covered by the EU-US Privacy Shield framework, of which we are a member, and allowed by GDPR as providing adequate safeguards.

Does Delighted ensure that my data is accessed only by employees with reasonable justification for doing so?

As required by GDPR, only qualified Delighted employees with a specific need are permitted to access your account. The typical reason for accessing your account would be upon your specific request for support.

Does Delighted use sub-processors that process my data?

Delighted does not presently use sub-processors to provide the service. As required by GDPR, Delighted will notify the account owner if it uses a sub-processor, and maintain a list of those sub-processors on its Privacy page.

If a data breach occurs with the Delighted platform that affects my data, how and when will I be notified?

If a confirmed data breach occurs that is caused by Delighted’s actions or inactions, we will, without undue delay, notify the account owner. Information about the breach will be released as it becomes available, as allowed by GDPR. The account owner will be the main point of contact for all notifications, and will be kept aware of the investigation and remediation efforts as they progress.

How can I comply with a Subject Access Request and portability as required by GDPR?

Because you know what data you are collecting, you are responsible for handling any Subject Access Request (SAR). Delighted only provides the platform and wouldn’t know the details about your survey customizations, properties, or your customers.

A SAR means that a customer is asking about information being collected about him or her in a survey that he or she completed. If you collected personal data of an EU citizen or a person residing in the EU, you may have a legal obligation to respond to a SAR.

Response data may be downloaded in industry-standard formats for data portability to comply with GDPR.

If Delighted receives a SAR, it will do its best to contact the survey owner. It may not always be possible to know what survey the customer took, and who the rightful owner is.

How do I comply with a Subject Access Request to “be forgotten?”

Similar to the above, you know your survey and what data you have. If you collected personal data of an EU citizen or a person residing in the EU, you may have a legal obligation to respond and comply with a request to delete all identifiable data.

As previously stated, you have the ability to delete a customer’s data.

How does Delighted comply with its GDPR obligations to return or destroy all EU personal data?

Delighted provides easy ways to download all your survey data in industry-standard formats. As previously described, you may easily delete individual responses, all survey responses, and the entire history for a customer.

How does Delighted comply with its GDPR obligations to encrypt personal data?

All response data stored in our primary databases and backups are encrypted using an industry-standard strong cipher. All data transmitted to the Delighted platform are encrypted using the industry-standard TLS protocol.

How can I assure my customers that Delighted security meets applicable law and the GDPR (Article 32)?

Delighted is committed to safeguarding your data. We use sophisticated controls during processing to maintain the confidentiality, integrity, availability, and resilience of your data. Our Security page outlines the details of our application security, network security, policies, and more.

As related to Article 28 in the GDPR, Delighted will only process personal data according to your instructions. In other words, the commands you use in the product are the “instructions,” and Delighted does not use personal data for any other purpose. In addition, it does not transfer personal data to a third party without your consent. If personal data is transferred from the EU to a third country, then adequate safeguards will apply to the transfer (such as the EU-US Privacy Shield Framework).

Delighted has developed recovery procedures to minimize downtime related to a disaster, with the ability to restore access to personal data in a timely manner in the event of a physical or technical incident.

We regularly test, assess and evaluate the effectiveness of our technical and organizational measures to ensure the security of the processing.

Any questions?

Don’t hesitate to contact us to find out more about our changes and how we’re helping you to comply.

Contact us