Summary of April 2018 Policy Launches and Changes
In anticipation of the May 25, 2018 enforcement date of the European Union’s General Data Protection Regulation (GDPR), Signifyd is rolling out updates to its comprehensive compliance program for our customers doing business in Europe. To facilitate our customers’ compliance with requirements for contracts between entities involved in processing personal data, Signifyd is launching a new GDPR Policy to incorporate into our standard terms of service. Signifyd also continues to subscribe to the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the processing of personal information that is transferred from the European Economic Area to the United States. Signifyd has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.
Separately from our GDPR compliance efforts, we have also updated a few of the provisions in our standard terms of service. These changes will take effect 30 days from their posting here, or May 20, 2018. Please see below for a FAQ for both the terms of service changes and GDPR Policy, and reach out to Signifyd support if you have further questions.
- Read Signifyd’s updated Terms of Service here.
- Streamlined and simplified the language of our license to process user data, and added references to Signifyd’s new GDPR Policy to comply with the pending effectiveness of the General Data Protection Regulation for our customers that pass us data from Europe.
- Added language outlining the terms we use to assist our customers with professional services, including custom integrations and reporting and chargeback management.
- Clarified the terms of our cancellation policy to refer to a separate Guarantee Cancellation Policy available at www.signifyd.com/cancellations.
- Clarified that Chargeback Payments will not include any amounts that you are also able to recover from any third party.
- Clarified that your Order controls the terms of how you can terminate your subscription with us, and updated the default cancellation period to be 30 days’ prior written notice.
- Updated the descriptions of how we collect, use, disclose and otherwise process data from our console and that you pass to us, and separated the two new policies described below regarding data from Europe for ease of reference for our customers that do business in Europe.
Privacy Shield Policy:
- Read Signifyd’s new Privacy Shield Policy here.
- Read Signifyd’s new GDPR Policy here.
- This new policy describes how we will comply as a controller under the GDPR for personally identifiable information that you pass to us for individuals from Europe. The GDPR, and thus our GDPR Policy, will take effect on May 25, 2018.
Signifyd and Subscriber each as a Controller
Upon advice of our local European counsel, Wilson Sonsini Goodrich & Rosati, Signifyd has opted to be a controller under the GDPR for the data our customers pass to us. Signifyd is responsible for performing the services to our customers as set forth in the terms of service, in particular fraud identification, prevention, dispute and monitoring, and for analyzing data for the purpose of building, maintaining and improving Signifyd’s predictive models and fraud-related services. The GDPR, specifically in Recitals 47 and 71, recognizes these purposes as legitimate interests that provide a legal basis for a controller to process personal data. Our customers remain responsible for their own processing activities, including customer relationship management with data subjects.
Do I need to execute a new agreement with Signifyd to comply with GDPR?
For any question involving the interpretation or applicability of the GDPR, you should consult with your legal counsel.
In general, Signifyd’s GDPR Policy already applies for the European ecommerce transactions from our customers if they:
- Have an establishment in the European Union, European Economic Area, or Switzerland, regardless of whether the processing takes place in the European Union/European Economic Area/Switzerland or not;
- Offer goods or services, irrespective of whether payment is required, to data subjects in the EU/EEA/Switzerland;
- Monitor the behavior of data subjects that takes place within the EU/EEA/Switzerland.
The GDPR Policy will not apply to a Signifyd customer that does not pass us any personal data from data subjects in Europe; however, we request that you still review the GDPR Policy so that you are aware of the terms should you start to offer goods or services to Europeans.
Cross-Border Data Transfers
Because Signifyd relies on large data sets to build and execute its machine-learning fraud prevention algorithms, Signifyd takes privacy very seriously. We treat the data that our customers collect and use on our platform with the utmost sensitivity and employ strict policies and protections to help ensure the privacy of that information.
Signifyd complies with European regulations for the transfer of personal data from the European Union through its Privacy Shield certification.
Privacy Shield - The EU-US Privacy Shield Framework is a data protection principles safe-harbor mechanism agreed upon by the US Department of Commerce with the European Commission to facilitate data transfers between the European Economic Area and the US. Signifyd has certified to the EU-US Privacy Shield Framework.
My company has executed a separate master subscription agreement with Signifyd; does the GDPR Policy apply to us?
If your company has a written agreement with Signifyd, you should sign the GDPR Addendum instead of relying on Signifyd’s GDPR Policy. Please reach out to firstname.lastname@example.org to ensure we direct you to the correct documentation, as we have already separately reached out to our customers who have agreements other than our standard terms.
The GDPR Addendum should be signed and executed by an authorized signatory for your company. If you are not sure whether you are an authorized signatory, consult your legal counsel before signing.
The DocuSign version of the GDPR Addendum is made available for customers in jurisdictions that accept esignatures and can be completed and signed electronically. If you have multiple entities with master subscription agreements with Signifyd, please enter each such entity on the “Subscriber” line or execute multiple versions of the GDPR Addendum if there are different authorized signatories. If necessary, you can download a PDF version of the GDPR Addendum and manually execute it, and submit it as an email attachment to email@example.com.
What if I have additional questions?
If you have questions that are not answered here, please contact us via the support portal, and our support team will put you in contact with Signifyd’s compliance and legal departments.