
Transfer Impact Assessment & GDPR Compliance Statement 

Revised March 2024

Customer.io acts as a Processor (as defined in the GDPR) with respect to the information our customers upload to our services. Customer.io acts as a Controller (as defined in the GDPR) with respect to certain information that we collect about the use of our services.


GDPR Basics

Replacing the previous EU privacy directive 95/46/EC, which had been in place for over 20 years, the GDPR strengthens and expands individuals’ privacy rights in an era in which much of life takes place online.


The Data Protection Principles outlined in the GDPR include requirements like the following:

  • Personal data collected must be processed in a fair, legal, and transparent way and should only be used in a way that a person reasonably expects.
  • Personal data should only be collected to fulfill a specific purpose, and it should only be used for that purpose. Organizations must specify why they need personal data when they collect it.
  • Personal data should be held no longer than necessary to fulfill its purpose.
  • Individuals covered by the GDPR have the right to access their data. They can also request a copy of their data and request that it be updated, deleted, restricted, or moved to another organization.

How Does Customer.io Comply With GDPR?


As described in more detail in our Data Processing Addendum, we act as a data processor with respect to the information that our customers upload to our products. That means that our customers direct and control what information is provided to us. In some cases, we act as a data controller when supplying services to you (as our customer), and for this reason, we have the right to make decisions about your data on your behalf. We describe how we act as a data controller in more detail in our Data Processing Addendum.

Data Residency in the EU


Transfer Impact Assessment

Overview

A Transfer Impact Assessment is an assessment of the privacy protections afforded by the laws and regulations of a recipient country outside the EU or EEA. Transfer Impact Assessments were introduced by the decision of the Court of Justice of the European Union (“CJEU”) in case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”). In that decision, the CJEU made clear that data exporters must evaluate, on a case-by-case basis, whether an adequate level of privacy protection is provided, focusing on the laws of the jurisdictions to which they export data. A data exporter should therefore assess the laws, regulations and rules of the third country to which it exports data.

Data Privacy Framework


Customer.io is listed as an active participant under the EU-U.S. Data Privacy Framework (DPF). That said, we continue to believe that transparency about our data-transfer practices is important to our customers, so we will continue to make this Transfer Impact Assessment Statement available so that our customers are confident in their ability to use our services no matter where they are located.

Relevant U.S. Collection Authorities

The Schrems II court primarily focused on two US legal frameworks related to the collection of personal data: Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) and Executive Order (EO) 12333. Here, we briefly summarize those two frameworks and their impact on Customer.io.

FISA 702 permits a specialized US court to authorize the federal government to issue orders to US companies to disclose data about specific non-US persons reasonably believed to be outside the US. Under FISA 702, these orders may only be issued to “electronic communication service providers.” We have analyzed the scope of FISA 702 and do not believe that we are subject to government orders for communications under the statute.

EO 12333 outlines how US intelligence agencies can collect the communications of non-US persons reasonably believed to be outside of the US. Importantly, EO 12333 does not include any authorization to compel private companies to disclose personal data to the US government. We do not believe that EO 12333 introduces a substantial risk to our customers with respect to our products and services because (1) the kinds of data that our customers send to us through the services would not constitute the types of communications that are relevant to the US government during intelligence operations, and (2) we encrypt all customer data in transit across public networks. As a result, we believe we are at little risk of having any Customer Personal Data intercepted in the clear under EO 12333 operations.

It is important to note that certain communication channels, such as SMS, do not support encrypted messages. If you use our service to send text messages, Twilio may in some cases convert MMS messages to SMS messages. Also, if your recipients’ email service does not support encryption, messages will be delivered in an unencrypted format. It is also important to note that our customers are required to set up an account directly with Twilio in order to use Twilio’s services; therefore, Twilio’s data processing agreement applies to our customers’ use of that service and is entered into directly between Twilio and our customer. We encourage customers to refer to Twilio’s Transparency Reports for more information.

Government Access Requests in General

Taken together, we believe that there is little risk that the US government would collect the personal data of our customers.

That said, if we ever were to receive any kind of request from a governmental body requesting the personal data submitted to our services, to the extent permitted by applicable laws, we would (1) attempt to fight or quash the request by raising nonfrivolous objections; (2) provide our customer with reasonable notice of the request so that our customer would have the opportunity to seek a protective order or other appropriate remedy; (3) attempt to redirect the governmental body to request the information directly from our customer; and (4) if ultimately required to disclose personal data to the government, limit the disclosure to the minimum amount of data legally necessary to comply with the request.

Onward Transfers

Information about our subprocessors is available on our Subprocessor List. There, we identify each of our subprocessors along with the specific services that they provide to us and their locations.

Before we engage a new subprocessor, we subject the prospective subprocessor to an information security review to ensure that it meets our information security requirements for receiving customer data. This includes reviewing each vendor’s security and privacy practices to ensure that they meet our legal requirements, as well as requiring them to sign a data processing addendum with us that (1) provides protections for personal data, as required by applicable law, and (2) includes GDPR-compliant transfer mechanisms for any onward transfers of customer personal data.

We do want to note that when our customers use Twilio with respect to our services, they engage with Twilio independently, and that Twilio does not act as a subprocessor on our behalf with respect to our services. Please refer to Twilio’s “Security Overview” page and its “Binding Corporate Rules” page for more information.

Contractual Agreements


Security and Data Management

  • We ensure prompt notifications to customers and GDPR authorities as required in the unlikely event of a data breach.
  • We have formalized and documented internal policies related to data security.
  • We use safeguards to ensure secure and proper handling of data stored outside of the EU as required.
  • We only process personal data according to our customer’s instructions.

For more information on our security practices, please refer to our “Security” page.

Expanding Product Capabilities

To help you comply with Article 24 (responsibility of the controller) and your end-users’ requests related to the right to access, data portability, right to erasure, right to object and the right to restrict processing — our platform easily allows for:

  • Easy profile export: Export all data about a single profile in a simple, standardized format to help you with requests from your end-users regarding access and data portability.
  • Automatic suppression: an API endpoint that instructs us to block any incoming personal data associated with a profile, to help you comply with requests regarding the right to object or to restrict processing.

Existing Product Capabilities

  • Right to be forgotten: We make it easy for you to honor deletion requests from your end-users by calling the DELETE API or using the UI to delete a profile. We ensure that any associated user data and historical data are quickly and permanently deleted from our data stores.
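As an added example (not Customer.io’s own code) of how a customer might drive the suppression endpoint described under Expanding Product Capabilities and the DELETE API described above from their own erasure workflow, the script below suppresses a profile first, so that any identify or track call arriving while the deletion is in flight is rejected, and then deletes it. The Track API hosts, the paths `/api/v1/customers/{identifier}/suppress` and `DELETE /api/v1/customers/{identifier}`, and HTTP Basic authentication with site ID and API key are assumptions taken from the public Track API documentation; confirm them against the current docs before relying on them. The `send` parameter is a hypothetical injection point so the code can be exercised without network access.

```python
import base64
import urllib.request
from urllib.parse import quote

# Assumed Track API hosts (EU host for EU data-residency workspaces).
REGION_HOSTS = {
    "us": "https://track.customer.io",
    "eu": "https://track-eu.customer.io",
}


def basic_auth_header(site_id: str, api_key: str) -> str:
    """Track API auth is HTTP Basic: site ID as the user, API key as the password (assumed)."""
    token = base64.b64encode(f"{site_id}:{api_key}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def erasure_plan(identifier: str, region: str = "us") -> list[tuple[str, str]]:
    """Ordered (method, url) pairs that honour one right-to-erasure request.

    The identifier (id or email) is percent-encoded with no safe characters, so a
    value containing '/', '@' or '+' cannot alter the request path.
    """
    if not identifier or identifier.strip() != identifier:
        raise ValueError("identifier must be non-empty with no surrounding whitespace")
    base = f"{REGION_HOSTS[region]}/api/v1/customers/{quote(identifier, safe='')}"
    return [
        ("POST", f"{base}/suppress"),  # block incoming data for this person first
        ("DELETE", base),              # then remove the profile and its history
    ]


class ErasureClient:
    def __init__(self, site_id: str, api_key: str, region: str = "us", send=None):
        self._headers = {"Authorization": basic_auth_header(site_id, api_key)}
        self._region = region
        # `send` takes a urllib Request and returns the HTTP status (hypothetical
        # injection point; the default performs a real HTTPS call).
        self._send = send or self._default_send

    @staticmethod
    def _default_send(req: urllib.request.Request) -> int:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status

    def erase(self, identifier: str) -> dict[str, int]:
        """Run the plan in order and return the status per step.

        Stops at the first non-2xx response: a failed suppress followed by a
        successful delete would let the next identify call silently recreate
        the profile, so the caller should retry the whole request instead.
        """
        results: dict[str, int] = {}
        for method, url in erasure_plan(identifier, self._region):
            req = urllib.request.Request(url, method=method, headers=self._headers)
            status = self._send(req)
            results[method] = status
            if not 200 <= status < 300:
                raise RuntimeError(f"{method} {url} returned HTTP {status}")
        return results


if __name__ == "__main__":
    # Constructed sample run against a stand-in transport; no network traffic.
    def fake_send(req: urllib.request.Request) -> int:
        print(req.get_method(), req.full_url)
        return 200

    client = ErasureClient("SITE_ID", "API_KEY", region="eu", send=fake_send)
    print(client.erase("a+b@example.com"))
```

Suppressing before deleting matters because a deletion alone leaves the door open for the next identify call from an SDK, a CRM sync or a webhook to recreate the profile from cached attributes; suppression closes that door on the Customer.io side while you chase down the upstream sources. Record the request reference and the HTTP statuses for your audit trail, but not the personal data itself.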