GDPR compliance

How we protect your data

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect. We believe this presents a new opportunity for marketers to strengthen their brand loyalty by focusing on consumer privacy while delivering amazing experiences. Think of it as experiential privacy — having privacy be a key part of the customer experience, through relevant privacy notices presented in context and choices that are on brand.

Selzy already meets our obligations as a data processor and data controller. We have a strong foundation of certified security and privacy controls by design and will continue to make product enhancements.

We’ve implemented a set of security processes and controls to help protect the data entrusted to us through the Selzy Privacy Policy. This helps us comply with several security and privacy standards, and regulations.

We use hosting platforms in Western Europe, the US and Canada and provide 4 security levels:

Physical

• Check the contents of the email and the addresses to which it is sent. If you have no problems with the subscriber base and the email, you will not notice the check;

Access security

• Data transfer via the SSL secure protocol (HTTPS secure protocol).
• Certificated by Comodo, one of the leading certification centers.
• All transmitted data is encrypted with a 128-bit key like in major banks or payment systems.

Network security

• Switches and firewalls at each level to provide additional security.
• Data transmission between hosts via SSL connections.
• Permanent monitoring of network security.

Personal Account security

• Flexible setup of access rights by roles.
• Setup of access to various functions: view contacts, download contacts, create messages, send email and sms.
• Sending via API without uploading the client email database into Selzy.

Our mission is to help you responsibly unlock the power of data. Selzy has a long-standing practice of incorporating a proactive product development effort, also known as “privacy by design.”

Selzy has updated our agreements with customers and vendors to account for GDPR requirements.

We have a GDPR group which includes representatives from all departments within the company. We have raised awareness on the matter with all employees.

Selzy is constantly listening to its customers and looking for ways to simplify and further automate our product and service offerings to better support their GDPR needs. We have created the office of Data Protection Officer to focus on providing the mandated requirements of the GDPR, and to allow the product to maintain the utmost standards to security and privacy of consumers.

We have procedures in place to detect, report and investigate a personal data breach. Everyone in the company knows what they need to do if they become aware of a data breach.

The GDPR restricts data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. Organisations transfer Personal Data originating in one country across borders when they transmit, send, view or access that data in or to a different country
We will only transfer Personal Data outside the EEA if one of the following conditions applies:

• the European Commission has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects’ rights and freedoms;
• appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPO;
• the Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks; or
• the transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between us and the Data Subject, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent and, in some limited cases, for our legitimate interest.