General Data Protection Regulation

Last updated: June 2023

Introduction

We’re committed to helping our customers comply with the General Data Protection Regulation (and UK equivalent) (collectively referred to as the “GDPR”). The GDPR is a series of rules governing organizations that handle EU and UK citizens’ personal data, regardless of where the organizations themselves are located. On this page, we’ll explain our methods to achieve GDPR compliance, both for ourselves and for our customers. 

In order to meet our obligations as a processor under Article 28 of the GDPR, we process your customer data (to the extent that it is handled by our services) only in accordance with our Data Processing Agreement.  

This page includes certain additional information referred to in our Data Processing Agreement.

Our Security Infrastructure

Data Centre and Network Security

Infrastructure. Convertri makes use of geographically distributed data centres. Convertri stores all production data in physically secure data centres. Convertri does not control the physical infrastructure and makes use of Amazon Web Services LLC. as a sub-processor as defined in the DPA.

Server Operating Systems. Convertri servers use a Linux based implementation customized for the application environment. Convertri employs industry-standard processes to increase the security of the code used to provide the Services and enhance the security products in production environments.

Businesses Continuity. Convertri replicates data over multiple systems to help to protect against accidental destruction or loss. Convertri has designed and routinely plans and tests its business continuity planning/disaster recovery programs.

b. Networks and Transmission

Data Transmission. Data centres are typically connected via high-speed private links to provide secure and fast data transfer between data centres. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Convertri transfers data via Internet standard protocols.

External Attack Surface. Convertri employs multiple layers of network devices and intrusion detection to protect its external attack surface. Convertri considers potential attack vectors and incorporates appropriate purpose-built technologies into external facing systems.

Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Convertri intrusion detection involves:

  • tightly controlling the size and make-up of Convertri’s attack surface through preventative measures;
  • employing intelligent detection controls at data entry points; and
  • employing technologies that automatically remedy certain dangerous situations.

Incident Response. Convertri monitors a variety of communication channels for security incidents, and Convertri’s security personnel will react promptly to known incidents.

Encryption Technologies. Convertri makes HTTPS encryption (also referred to as SSL or TLS connection) available. Convertri servers support ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.

On-site Data Centre Security Operation. Convertri’s data centres are owned and operated by Amazon Web Services LLC. and they are responsible for controlling physical access to the data centre.

Personal Security

Convertri personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.

Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Convertri’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling customer data are required to complete additional requirements appropriate to their role (e.g. certifications). Convertri’s personnel will not process customer data without authorization.

Subprocessor Security

Before onboarding Subprocessors, Convertri conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Convertri has assessed the risks presented by the Subprocessor, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.    

Convertri may update or modify these security standards from time to time provided such updates and modifications will not result in a degradation of the overall security of the Services during the term of the Services Agreement. 

Our Subprocessors

We use the following sub-processors to enable us to provide our services:

Information provided for completion of Data Transfer Impact Assessment 

Customers located in the UK and EU may be required to complete a Data Transfer Impact Assessment before using Convertri’s services. The information available in the linked PDF may assist with the completion of this.

Protecting our Customer’s information and their users’ privacy is extremely important to us. As a cloud-based company entrusted with some of our customers’ most valuable data, we’ve set high standards for security, which include the following:

a. Data Centres

Access and Site Controls

a. Site Controls

b. Access Control

Infrastructure Security Personnel. Convertri has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Convertri’s infrastructure security personnel are responsible for the ongoing monitoring of Convertri’s security infrastructure, the review of the Services, and responding to security incidents.

Access Control and Privilege Management. The Customer’s administrators must authenticate themselves via a central authentication system or via a single sign on system in order to administer the Services.

Internal Data Access Processes and Policies – Access Policy. Convertri’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Convertri designs its systems to:

  • only allow authorized persons to access data they are authorized to access; and
  • ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. Convertri employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. A proprietary system utilizing SSH certificates are designed to provide Convertri with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. Convertri requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with Convertri’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength.

Amazon Web Services LLC

Address: PO Box 81226, Seattle, WA 98108-1226

Description of Processing: data warehouse and hosting

Google Cloud Platform

Address: 1600 Amphitheatre Parkway, Mountain View, California 94043, USA

Description of Processing: content delivery network

Bunny.net

Address: Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia

Description of Processing: content delivery network

HelpScout

Address: 117 Huntington Avenue, Ste 1703, PMB 78505, Boston, MA, 02115-3153

Description of Processing: support helpdesk

Imgix

Address: 423 Tehama St, Dan Francisco, United States

Description of Processing: image content delivery network

ActiveCampaign

Address: 1 North Dearborn Street, 5 th Floor, Chicago, IL 60602

Description of Processing: e-mail marketing

Mailchimp

Address: 675 Ponce De Leon Ave NE 5000, Atlanta, GA 30308

Description of Processing: e-mail marketing

Sendlane

Address: 10620 Treena St 250, San Diego, California 92131

Description of Processing: e-mail marketing