OPENMOVES GDPR PROGRAM

FAQs about what OpenMoves is doing as data processor to help our customers comply with GDPR

General 

  1. Is OpenMoves GDPR compliant?

Like you and many other businesses, we have an ongoing GDPR program and we are planning to be fully compliant before 25 May 2018. 

We understand that the OpenMoves platform is an integral tool for our clients to manage and manipulate data and we have undergone a full program to improve the OpenMoves platform to help facilitate our clients’ compliance under the GDPR. More details on the changes we have made and the changes that are upcoming are detailed below.

  2. Is OpenMoves a controller or a processor?

For the data provided by our direct clients within the OpenMoves platform, OpenMoves is a data processor (as defined by the GDPR). For the data we hold on clients and prospects, we are a data controller. 

  3. Is OpenMoves a Joint Controller?

No. As the name suggests, joint controllers jointly determine the purposes and means of processing. As a data processor, OpenMoves does not determine the purposes and means of processing the data that clients supply to the platform.

  4. Can we search for personal data on your systems?

OpenMoves holds the data that our users have uploaded to the platform in a database. Users have full control of, and access to, their data, including the ability to search, import, export, delete and modify it as needed.

  5. Are you maintaining data processing records?

All data uploaded to the platform is kept within the OpenMoves platform, and clients have full control of that data, as outlined above.

  6. Access

Clients must maintain their own procedures as to who can access the OpenMoves platform and the data held there. 

If you have users that you manage, you will probably want to restrict their access within your account. In the Users section you can do this by setting and editing their permissions; this is documented in our support pages.

OpenMoves staff have access to your account to provide support and assist in the provision of the services. 

Deletion of data

  7. How long does OpenMoves keep data?

OpenMoves holds data for as long as a client uses the platform and keeps the data within their account, or until it is deleted from the platform (see below).

  8. Can we delete personal data from your systems?

Yes, you can delete data in your account at any time (including when responding to a request from a data subject to be “forgotten”).

In 2017 OpenMoves made changes to how contacts are exported and deleted within the platform, making it easier for clients to comply with Subject Access Requests and requests from data subjects to be forgotten. 

  9. Can you confirm our right to have personal data deleted upon termination of contract at no extra cost?

At the end of a contract, the client's account is closed and the associated data is deleted after 90 days. During the term of the contract, clients can delete data through the platform, including in response to a request to be forgotten, at no extra cost.

  10. How is data deleted?

When a contact is deleted, it is placed in the account's recycle bin for 30 days, after which it is deleted permanently. The exceptions are contacts manually removed from the recycle bin and suppressed contacts, which are deleted immediately.

Subject Access Requests

  11. What will OpenMoves do if it receives a Subject Access Request from one of our clients?

If we receive a Subject Access Request from one of your clients (a data subject), we will pass on any request for data for which you are the data controller so that you can manage the request. We may identify you as the controller of their data.

In 2017 OpenMoves made changes to how contacts are exported and deleted within the platform, making it easier for clients to comply with Subject Access Requests and requests from data subjects to be forgotten.

Data Processing Agreement

  12. Do your standard contract terms include the new GDPR mandatory provisions?

We are in the process of updating our terms and conditions in advance of 25 May 2018, but for existing clients we have a specific Data Processing Agreement that we are providing in addition to your current contract with us. For the moment, this document can be requested from your Account Manager / Key Account Manager.

  13. Does OpenMoves have a Data Processing Agreement?

Yes, OpenMoves has a Data Processing Agreement that can be added to your contract. For the moment, this document can be requested from your Account Manager / Key Account Manager.

  14. I have a Data Processing Agreement – can OpenMoves agree to that?

We understand that our clients have undergone due diligence and may have prepared their own Data Processing Agreements for their suppliers to sign.  

However, given the nature of the services OpenMoves provides our clients and the need for processing activities to be documented, we require clients to use OpenMoves’ Data Processing Agreement, as this has been prepared to cover the specific services OpenMoves provides.

Data breach

  15. Do you have a documented breach notification process?

Our process for reporting breaches concerning the data of individuals is addressed in our Data Processing Agreement and more specifically addressed in our Incident Reporting Policy. This can be provided to you on request from your Account Manager / Key Account Manager.

  16. What will OpenMoves do in the event of a data breach?

In relation to the data our clients store with us (where we are a data processor), we will notify any affected client (data controller) of a personal data breach as soon as practically possible, and in any event, within 24 hours of discovering the breach.

In the event of a data breach involving data relating to our direct clients and prospects (where we are a data controller), we will report the breach to the Information Commissioner’s Office within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (GDPR Article 33).

If the breach is likely to result in a high risk to individuals’ rights and freedoms, OpenMoves will also inform the affected individuals without undue delay (GDPR Article 34).

Sub-processors 

  17. Do any other organizations (including sub-contractors, contractors or consultants) process any of the data provided by our clients on our behalf?

Yes, OpenMoves works with third-party providers (sub-processors) to provide the services we offer or to store your data (personal data). OpenMoves uses sub-processors to perform various functions.

A sub-processor is a third-party data processor engaged by OpenMoves who has, or may have, access to client data or processes it. Third parties that are used to provide the services but do not have access to or process client data are “subcontractors”, not sub-processors.

  18. What steps do you take to safeguard the processing of our data by third party organizations?

Further to the above, OpenMoves carries out a selection process in which we evaluate the data processing practices of any proposed sub-processor that might have access to client data; this includes reviewing their security and privacy practices.

Data protection law permits sub-processors to be engaged, provided that the same data protection obligations set out in the client agreement are flowed down to the sub-processor (GDPR Article 28(4)).

OpenMoves has entered into contracts with the organizations listed on our Trust Center to safeguard personal data, including Data Processing Agreements reflecting the obligations under the GDPR, passing down the EU Model Contract Clauses, or requiring the organization to maintain U.S. Privacy Shield certification, so that all client data remains protected.

  19. How does OpenMoves replace or designate a new sub-processor?

The procedure to replace or appoint a new sub-processor is covered within our Data Processing Agreement with our clients. 

We will provide you with advance notice of any changes or additions and give you the right to object on reasonable grounds. OpenMoves will always ensure the safeguarding of personal data, including entering into Data Processing Agreements reflecting the obligations under the GDPR, and, when working with parties outside the EU, passing down the EU Model Contract Clauses or ensuring the organization maintains U.S. Privacy Shield certification (where appropriate).

The Data Processing Agreement can be requested from your Account Manager / Key Account Manager.

Storage of data / international data transfer

  20. Where is our data stored?

To safeguard the confidentiality, integrity and availability of data, the core OpenMoves platform is hosted in Microsoft Azure data centres. Data for our European clients is held in the West Europe region and backed up to the North Europe region; data for our US clients is held in the East US 2 region and backed up to the Central US region. All Azure facilities meet a broad set of compliance standards; Microsoft publishes the details, together with a map of Azure data center locations.

In addition to our virtualized infrastructure hosted on Azure, OpenMoves has a physical data center located in London. This connects to Azure via a Virtual Private Network, and is used to send your email campaigns out to the internet. This too holds various accreditations including ISO 27001 & 22301.

Requests for support-related access to your data can be made by contacting support@openmoves.com.

  21. OpenMoves development and testing platforms

OpenMoves frequently updates the platform with feature enhancements and additions. We do this in development, testing and staging environments separate from the main platform. No client data is stored in our testing or development environments.

  22. Is OpenMoves compliant with the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield?

OpenMoves complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. 

Right to audit OpenMoves 

  23. To what extent can clients audit OpenMoves’ systems?

OpenMoves will facilitate client requests for audits and inspections. The terms of such audits can be found in the Data Processing Agreement in addition to our Terms and Conditions. This Agreement can be requested from your Account Manager / Key Account Manager.

Technical and organizational security measures

  24. What security certification do you hold?

The OpenMoves platform maintains Cyber Essentials Plus certification.

  25. What technical and organizational security measures does OpenMoves have in place?

Security Management

The OpenMoves platform is overseen by a dedicated privacy & compliance team, which runs the security, privacy and compliance programs.

Personnel Security (Human Resources Security)

OpenMoves maintains starter/leaver policies and procedures, which include background checks (where available) on employees joining the organization and revocation of access rights on termination of employment.

Physical & Environmental Security

OpenMoves restricts access to workspaces, and to the secure data center facilities where information systems that process personal data are located, to identified, authorized individuals.

Workstation Security & Server Security

Within OpenMoves, we:

  • Employ a maintenance schedule that facilitates the timely installation of security patches.
  • Install and regularly update anti-virus software.
  • Commission annual independent build reviews of workstations and servers.
  • Use role based permissions to restrict access to resources.

Network Security

Within OpenMoves, we:

  • Deploy firewalls at network perimeters, running management-authorized rule sets.
  • Maintain a vulnerability management program to regularly assess the security of network perimeters.
  • Maintain, at a minimum, Cyber Essentials Plus certification.

Business continuity and disaster recovery

  26. What business continuity and disaster recovery policies and systems does OpenMoves maintain?

The OpenMoves platform is built with redundancy and load balancing at every level, meaning that a single component failure should not result in a service disruption.

Data is backed up to a secondary location hundreds of miles away, yet still within the same geographic region (for example, North Europe for data held in West Europe), so the backup remains subject to the same data protection obligations. In the event of a catastrophic event at the primary facility, the service will be restored in the secondary location.

How does the OpenMoves platform help with GDPR compliance?

Features added to support the right to be forgotten, Subject Access Requests, preference centres, etc.

  27. What are the changes within the platform?

We want to make sure that our clients have the tools that they need to be compliant with the GDPR. We are working on the platform to make the necessary changes.

In 2017 OpenMoves made changes to how contacts are exported and deleted within the platform, making it easier for clients to comply with Subject Access Requests and requests from data subjects to be forgotten.

In addition, in 2018 we will add a feature that stores the consent text each contact agreed to when subscribing (for example, from your sign-up form), alongside the IP address of the device they used and the date they did it. This means you will be able to see exactly what a contact is happy to receive, and cross-reference it with the permissions you hold on them.

  28. What features will assist in responding to Subject Access Requests?

In 2017 OpenMoves made changes to how contacts are exported and deleted within the platform, making it easier for clients to comply with Subject Access Requests and requests from data subjects to be forgotten.

  29. How are we catering for multiconsent and preference centers?

At a product level, we are reviewing how our current preference centers serve our customers – and changes may come as a result. Multiconsent preference centers are currently supported by the platform, either self-serve by utilizing data fields or address books, or through custom work using address books, data fields or Insight data. We are continually developing in this area and welcome any ideas you may have so keep an eye on the roadmap for changes in this area.

Legal basis and using OpenMoves to help

  30. Can we document the legal basis we are processing the data uploaded to the OpenMoves platform?

If you are using consent as your legal basis, OpenMoves will include enhanced functionality around consent storage to allow a client to store additional information.

In 2018 we will add the functionality for users to store the permission text each contact saw when giving consent (for example, from your sign-up form), alongside the IP address of the device they used and the date they did it. This means you will be able to see exactly what a contact is happy to receive, and cross-reference it with the permissions you hold on them.

  31. Will we need to keep a log of the opt-in text at the time of consent?

We recommend capturing and storing what disclosures were provided to the data subject when consent was initially given to demonstrate that consent was informed and freely given.  This will be possible through platform enhancements for consent capture and management.

  32. Do we have to know every subscribe and unsubscribe date if they have opted in and out?

As a data controller, you should know where, when and how you obtained the personal data of a data subject. The dates associated with subscribe and unsubscribe will be available within our platform if using the consent insight feature.

  33. Can we determine which campaign led to an individual unsubscribing?

No. We have no plans to change this functionality because, on balance, more customers are concerned with when the person unsubscribed than with the specific message that prompted it.

  34. What should we do with a contact's data other than their status and email address when someone unsubscribes?

When a contact unsubscribes, their data is no longer viewable in-app. The data is still stored by us, however, and will be viewable again if the contact resubscribes. Right now, we are working on the assumption that this process will not change. The process for deleting (rather than unsubscribing) a contact, however, will be updated to physically remove all of the contact’s data.

  35. Should we also remove their behavioral data if they unsubscribe?

The action of an individual unsubscribing or removing a contact from a mailing list will not remove their contact data from the platform. However, this data can be removed and deleted by clients within the platform using the delete functionality. 

  36. Are we going to be able to add the date of opt-in in OpenMoves?

Yes. In 2018 we will add the functionality for users to store the permission text each contact saw when giving consent (for example, from your sign-up form), alongside the IP address of the device they used and the date they did it. This means you will be able to see exactly what a contact is happy to receive, and cross-reference it with the permissions you hold on them.

  37. Is the "last subscribed date" actually when the recipient opted in or when they were last added into the account?

The ‘last subscribed’ date is just that: the last date on which the contact subscribed. If a contact resubscribes, this date is updated. If an already subscribed contact is uploaded again, it is not updated. This date can also be set manually by a user.

Decision making / Profiling

  38. Is the data provided by clients used to make automated decisions about data subjects?

Not within the platform; any ability to make automated decisions is entirely controlled by clients. 

  39. Is the right to opt-out of web behavioral tracking incorporated into the OpenMoves platform?

OpenMoves allows you to use the data you hold on your contacts to profile them (for example, to decide which email they should receive and when). If a contact is exercising their right under the GDPR not to have their information processed for profiling, the easiest and safest action is to unsubscribe them. This guarantees that OpenMoves will not use their data for any profiling; however, it also means they will not receive any standard, non-automated campaigns.

If you have large numbers of contacts exercising their individual rights, you can create a new account and request us to turn off the segmentation, program and Web Behaviour Tracking tools. Note however that the send time optimization tool may be considered as automated processing, and this cannot be turned off.

Finally, if you’d rather not use profiling for any of your contacts, you may request we turn off the automated tools for your main account.
