GDPR / CCPA
Learn about Extole's responsibility under the General Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA).
Overview
Under the General Data Protection Regulation (GDPR), Extole acts as data processor that processes data in accordance with services agreements and data processing agreements of the Extole Client that acts as the data controller. Under the California Consumer Protection Act (CCPA), Extole acts as a service provider that processes data in accordance with a business purpose defined in services agreements with the Extole Client that acts as the business.
Product Offerings
Advocate Processing Consent
If your security team requires advocates to give consent for processing their data, you have to option to turn on a consent checkbox that would require the advocate to check prior to sharing. If the advocate does not click to consent, they will not be able to share.
Friend Processing Consent
There might also be a security requirement that the friend needs to give data processing consent before being able to participate in the referral program. If this is the case, Extole has an option to turn on a MailTo email send where the advocate sends the referral email using their native mail client. This prevents Extole from being able to capture the friend's email address on share. It also prevents Extole from having visibility into the share message. The share experience is exactly the same, however, the Send Email button pops the mail application rather than sending using Extole.
Cookie Consent
Cookie consent for referrals should be no different from cookie consent for your website. If you have a cookie consent part of your existing consumer experience, you can pass that consent to Extole.
The only time you will want to use Extole for cookie consent is if you have a standalone share page. In this case, you have the option to enable cookie consent on that microsite which will set consent on that person's profile. This will turn on a little floater on the bottom left-hand corner of the page where the user can accept the use of cookies.
Learn more about cookie handling at Extole.
Data Subject Rights
Right to Access
Acting as a data processor, Extole provides APIs that allow you to make realtime requests for information available on any data subject, including profile information, referral events, quality scoring, customer journey information, advocates and relationships, and all other information collected on a data subject. You are responsible for the implementation of any realtime query system.
You may also request for Extole to provide this set of information through reporting based on service requests to the Extole Support team.
Right to Data Portability
Acting as a data processor, Extole provides APIs that allow you to request information available on any or all data subjects, including profile information, referral events, quality scoring, customer journey information, advocate and relationships, and all other information collected on a data subject. You are responsible for the implementation of any full export system.
You may also request for Extole to provide this set of information through reporting based on service requests to the Extole Support team.
Right to Correction
The data controller is able to update most profile information, relationship information, as well as override scoring algorithm through Extole's API.
Correction requests for historical event information, which is not editable through the API, must be made to the Extole Support team.
Right to Erasure
You can make erasure requests to Extole either via email to the Support team or via API.
Once a request is made, Extole will irreversibly psuedoanonymize the profile of the individual so that the profile is no longer connected to the individual through the program. If the individual re-engages with the referral program, a new profile is created, unrelated to the previous profile. Making another erasure request will successfully delete this new profile.
Data Processing
Data Processing Agreement
Extole is a certified under the EU-U.S. Data Privacy Framework Principles. See the Extole Privacy Shield certification at Extole, Inc. Privacy Shield (Active).
As part of Extole's GDPR readiness, Extole customers will have a choice to enter into our standard Data Processing Agreement (DPA) that includes the European Commission-approved Standard Contractual Clauses (Model Clauses). If you are an Extole customer and wish to enter into our DPA, please reach out to your Extole Customer Success Manager.
Extole Sub-Processors
A sub-processor is a third party data processor engaged by Extole who has or potentially will have access to or process Service Data. Extole engages different types of sub-processors to perform various functions as explained below.
Infrastructure Sub-Processors
Extole owns or controls access to the infrastructure that Extole uses to host Service Data. The Extole production systems are located in the United States.
| Entity Name | Entity Type |
|---|---|
| Amazon Web Services Inc. | Cloud Service Provider |
Service Sub-Processors
Extole works with certain third parties to provide specific functionality within the Services. These providers are the sub-processors set forth below. In order to provide the relevant functionality these sub-processors access Service Data. Their use is limited to the indicated Services.
| Entity Name | Purpose | Data Shared |
|---|---|---|
| Twilio | Extole uses Twilio (SendGrid) to send program emails to participants. | |
| Auth0 | Extole may use Auth0 to allow for SSO (single sign-on) authentication of users. | Email Additional identifiers optionally passed by the client's IdP |
| Tango Card | Extole may use Tango Card when delivering electronic gift card rewards through email to program participants. | Client Identifier Recipient Email - person earning gift card Gift Card SKU Gift Card Value |
| Tremendous | Extole may use Tremendous when delivering electronic gift card rewards through email to program participants. | Client Identifier Recipient Email - person earning gift card Gift Card SKU Gift Card Value |
| Blackhawk Network | Extole may use Blackhawk Network when delivering electronic gift card rewards or USPS gift card rewards to program participants. | Client Identifier Recipient Email - person earning gift card Recipient Mailing Address Gift Card SKU Gift Card Value |
| MaxMind | Extole may use MaxMind for the GeoIP database and minFraud services to augment Quality Rule decisions. | IP Address |
| Salesforce | Extole uses Salesforce to manage Tier 1 client requests from client organizations to Extole. | As part of Extole support servicing these requests, limited PII for a program may be shared through these tools. |
| Atlassian | Extole uses Atlassian JIRA to manage Tier 2 client requests from client organizations to Extole. | As part of Extole support servicing these requests, limited PII for a program may be shared through these tools. |
| Slack Technologies | Extole uses Slack to securely communicate internally or externally to a Client organization. | As part of Extole support servicing client requests, limited PII for a program may be shared through these tools. |
| Extole uses Google Workspace for corporate intranet. | Extole intranet resources may contain client contact information. |
Updated 7 months ago