If your company uses Totango as its Customer Success Platform, you may be sharing personal information about your users. In these scenarios, Totango acts as a data processor for your company (the data controller), and both Totango and your company may be required to comply with the GDPR regulation.
The following is an informational brief outlining key principles and recommendations for guiding our customers on complying with the GDPR on Totango. Please note that this brief does not provide legal advice and should not be used as such. We recommend you consult with the appropriate legal counsel for that purpose.
Totango Data Shield
A core part of GDPR compliance is ensuring that your data processors implement security best practices for safeguarding personal information (also known as Privacy by design).
For this purpose, Totango has launched Totango Data Shield, an umbrella set of platform capabilities designed to keep your users data (and your data in general) safe.
Key highlights of Totango Shield include:
- Product features to control access to data on the Totango platform - such as sensitive data protection, SuccessTeams and SSO
- Compliance with key industry standards: ISO27001 and Privacy Shield
- Built in support for encryption (in-flight and at-rest), access control, ongoing penetration testing and other security practices
What is GDPR and how you can prepare?
The GDPR (General Data Protection Regulation) is a regulation aimed at strengthening and unifying the data protection rights for all individuals within the EU. It applies to all EU individuals, and applies to all organizations, regardless of the location of the business or where the personal data is being processed.
When your company provides a service to end-users, it acts as the controller for their data and is therefore responsible to ensure that all subcontractors (such as Totango) abide to a set of core principles regarding the handling of their users’ data, as outlined in the next sections of this document.
Data Sharing and Minimization
By nature of Totango’s integration architecture, you determine what data is sent over for processing. As part of the GDPR, you should avoid sharing unnecessary personal data with Totango. Typically, the only class of personal data you should share with Totango is contact information (name, business email/phone). You should not share other classes of data (e.g. age, sexual orientation, financials, health records) that are not relevant to managing the customer’s success with your service.
Recommendation: Review the user information shared with Totango and ensure you are not sharing any unneeded personal data.
Disclosure & Consent
If your legal counsel determines you need to obtain user consent before using Totango, make sure you update your integration with Totango to only send data from those who provided consent.
Data Processing Agreement
GDPR states that a formal binding agreement should be executed between the controller and processor of personal data (called a Data Processing Agreement, or DPA). The DPA should describe the data processing activities being carried out.
Recommendation: Determine with your legal counsel if a DPA with Totango is required and, if so contact us in case it is needed. We will provide you with our standard DPA.
Further information about the GDPR is available here.
If you have any additional questions on how to prepare, please reach out to our privacy team at firstname.lastname@example.org