We have a host of technical and operational processes that we implement to ensure GDPR and CCPA compatibility. We do not use the data processed for any other reason than data quality management – for example, we don’t use it for retargeting or marketing. From a technical standpoint, our infrastructure is capable of deleting all necessary records within a 30-day period, if requested, both from the transaction servers and archived servers. Additionally, if needed, we can also provide confirmation of any deletion request within a 48-hour period. We store all relevant PII (e.g., emails) only in hashed format.
When we enter into contractual agreements with client companies, we would typically be a Data Controller and ensure we are contractually liable for data protection. We always execute the Master Services Agreement (MSA) along with a Data Processing Agreement (DPA) which stipulates the data we collect, why we collect it, what we do with it, and the associated details. We are flexible and can use our version of a DPA or the client’s.