Understand Totango's GDPR compliance

By using Totango, you may be sharing personal information about your users. In these scenarios, Totango acts as a data processor for your company (the data controller), and both Totango and your company may be required to comply with the GDPR regulation.

The following is an informational brief outlining key principles and recommendations for guiding you on complying with the GDPR using Totango.

This brief does not provide legal advice and should not be used as such. We recommend you consult with the appropriate legal counsel for that purpose. 

Totango data shield

A core part of GDPR compliance is ensuring that your data processors implement security best practices for safeguarding personal information (also known as Privacy by design).

For this purpose, Totango uses Totango data shield, an umbrella set of platform capabilities designed to keep your users data (and your data in general) safe. Key highlights of data shield include:

  • Product features to control access to data, including sensitive data protection, teams, and SSO
  • Compliance with key industry standards: ISO27001 and Privacy Shield
  • Built in support for encryption (in-flight and at-rest), access control, ongoing penetration testing and other security practices  

What is GDPR and how you can prepare?

The GDPR  (General Data Protection Regulation) is a regulation aimed at strengthening and unifying the data protection rights for all individuals within the EU. It applies to all EU individuals, and applies to all organizations, regardless of the location of the business or where the personal data is being processed.

When your company provides a service to end-users, it acts as the controller for their data and is therefore responsible to ensure that all subcontractors (such as Totango)  abide to a set of core principles regarding the handling of their users’ data, as outlined in the next sections of this document.

Data sharing and minimization

By nature of Totango’s integration architecture, you determine what data is sent over for processing. As part of the GDPR, you should avoid sharing unnecessary personal data with Totango. Typically, the only class of personal data you should share with Totango is contact information (name, business email/phone). You should not share other classes of data (e.g. age, sexual orientation, financials, health records) that are not relevant to managing the customer’s success with your service.

Recommendation: Review the user information shared with Totango and ensure you are not sharing any unneeded personal data.

Disclosure  and consent

GDPR states that data controllers provide users with specific information on how their personal data is being collected, used, stored and shared. As such, you may need to update your privacy policy to reflect your use of Totango as a data processor for the purpose of improving and managing customer success.

If your legal counsel determines you need to obtain user consent before using Totango, make sure you update your integration with Totango to only send data from those who provided consent.

Recommendation: Determine with your legal counsel what additional information should be added to your privacy policy. Determine if you need consent and, if so, update your consent collection and implement API changes accordingly.

Data Processing Agreement

GDPR states that a formal binding agreement should be executed between the controller and processor of personal data (called a Data Processing Agreement, or DPA). The DPA should describe the data processing activities being carried out.

Recommendation: Determine with your legal counsel if a DPA with Totango is required and, if so contact us in case it is needed. We will provide you with our standard DPA.


Question: Since Totango has undergone GDPR compliance, does this in any way grant me a pass on the consent?

Answer: No. Totango customers need to comply with applicable privacy laws. Totango's compliance with GDPR (including Cookies) does not release the customer from their legal obligations (including GDPR compliance if applicable).

Question: If we (Totango customer) host the javascript snippet on our website, does it still qualify as a first-party cookie (i.e. cookie placed on user device directly by our website)?

Answer: Yes

Question: Are the cookies session or persistent?

Answer : Session

Further information about GDPR is available here. If you have any additional questions on how to prepare, please reach out to our privacy team at privacy@totango.com.

Was this article helpful?

1 out of 2 found this helpful

Have more questions? Submit a request