Learn how the GDPR applies to your use of Alvo and what we've done to ensure compliance and give you more control over your data.
Alvo is a strong advocate for privacy. We care about our users’ rights. Leading up to the implementation of the GDPR (the EU privacy law in force since 25 May 2018), we have built numerous features that give customers more control of the data that is stored on our platform. We have designed and enabled these features for all our customers, regardless of whether the GDPR specifically impacts them.
We prepared this document to explain how the GDPR applies to your use of Alvo and what we have done to ensure we comply with its rules.
We recommend that you review this document carefully and present it to your privacy team.
Note: EU data protection laws, including the GDPR, are complex. This guide should not be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your business.
The GDPR is a regulation designed to harmonize data privacy laws throughout the European Union (EU). This regulation offers individuals in the EU greater transparency and control over how their personal data is used and makes companies handling personal data accountable for their choices. Even businesses that are not based in the EU must comply with the GDPR if they are collecting and processing personal data of individuals located in the EU.
If your data processing activities fall under the scope of the GDPR, one of the first questions you should ask yourself is “Am I a data controller or a data processor?” The answer to this question will help you determine what your compliance obligations under the GDPR are. The controller is the organization that determines the purposes and means of processing. As a customer of Alvo, you operate as the controller when using our products and services. You have the responsibility for ensuring that the personal data you are collecting is being processed lawfully and that you are using processors, such as Alvo, that provide sufficient guarantees to meet key requirements of the GDPR.
Alvo is considered a processor. We act on the instructions of the controller (you), which come in the form of API requests, campaign configurations, and platform actions. Similar to controllers, processors are expected to comply with the GDPR.
As a processor, we rely on our customers to ensure that personal data is collected on the basis of one of the GDPR's lawful grounds for processing. You, as a controller, can collect personal data based on one of the following legal bases: (i) consent; (ii) processing is necessary for the performance of a contract you have with the data subject; (iii) processing is necessary for compliance with a legal obligation; (iv) processing is necessary to protect the vital interests of the data subject or of another person; or (v) you (or another third party) have a legitimate interest in processing the personal data and this is not overridden by the interests, rights and freedoms of the data subject.
We are committed to being transparent in how we handle and process personal data. As one of our customers, you should be aware of how we handle personal data on your behalf.
We keep data only as long as it is necessary to provide our services. Where possible, we employ mechanisms that allow us to automatically remove data after it is no longer needed to offer our services.
Message bodies
Alvo stores the bodies of messages for up to seven days for both incoming and outgoing campaign messages. For outgoing messages, temporary storage allows our systems to attempt to re-deliver messages that could not be delivered on the first attempt. For incoming messages, it allows customers who rely on our parsing features to retrieve the messages that have been received.
For some customers, the message retention period may be adjusted on the basis of written instructions agreed between the customer and Alvo. Additionally, we offer features that prevent programmatic retrieval of messages or allow messages to be securely deleted after delivery.
Finally, our staff may access message bodies to assist customers in troubleshooting delivery issues or in response to a potential Acceptable Use Policy violation. Employee access is routinely audited and all employees or staff in contact with personal data are subject to our confidentiality provisions.
Message metadata
The metadata of a message, which includes the sender, recipient(s), subject line, originating IP address and other routing data, is indexed and maintained for 30 days.
As campaigns are processed by Alvo, we generate discrete events from each service that handles message processing. This data is useful in troubleshooting processing and delivery issues that periodically occur when messaging users through Alvo. This data is available in its entirety via our logs and Events API.
Finally, our staff may use this event data to assist in customer support requests or in response to a potential Acceptable Use Policy violation.
Suppressions
Suppressions are permanently stored email addresses that are created as a result of a hard bounce, complaint, or unsubscribe. We store suppressions until you remove them or your account is deleted.
When suppressions are removed, they are permanently deleted from the system. Suppressions may be stored in a backup system for disaster recovery purposes for up to 30 days after removal.
Recipient data
Alvo stores recipient email address activity information in a hashed (pseudonymized) format. This data allows us to more accurately pre-validate email addresses, detect potentially risky senders who may damage IP reputation, and help customers optimize their delivery processes.
This recipient data is only used as part of the delivery of Alvo services.
As a processor, we have specific obligations under the GDPR. In this section, we highlight how we handle personal data and what efforts we are making to ensure you, as one of our customers, can trust us.
In our efforts to comply with the GDPR, we have conducted a detailed risk analysis of all applications that may process the personal data of individuals located in the EU. Based on the results of that analysis, we have put in place appropriate measures that allow us to meet the requirements.
First of all, we have assembled a dedicated team of data protection and security specialists who review Alvo’s processing of personal data and ensure that we always have privacy in mind.
Thanks to our team, we have taken many proactive steps towards compliance with the GDPR:
The above are only some of the steps we have taken in our path towards GDPR compliance, which is an ongoing exercise that we are engaged in.
Processors may leverage other third parties in the processing of personal data. These entities are commonly referred to as “sub-processors”. Alvo uses cloud infrastructure providers to host its services. As required under the GDPR, we have put in place appropriate measures with our sub-processors that allow us to secure the personal data we process on your behalf. If you are one of our customers, we will provide you with an exhaustive list of the sub-processors we use upon request.
Under the GDPR, EU data subjects have the right to access, correct, remove or export their personal data. They also have the right to restrict the processing of their personal data.
We have designed our platform with several self-service features that our customers can leverage to assist in reviewing the personal data stored on our platform to respond to data requests.
In particular, these features are designed to support the right to data portability, right to access, and right to be forgotten.
When we, as a processor, receive a request directly from a data subject, we will engage the respective customer within seven days to respond to the data subject request (unless otherwise required by law).
If you are a data controller, the GDPR requires that you enter into an agreement with your data processors. This agreement is referred to as a “Data Processing Agreement” (DPA) and sets out how a controller and a processor meet the requirements of the GDPR.
To make your life easier, we have drafted a DPA that our customers can sign. Our DPA is designed to address the requirements of Article 28 of the GDPR. It includes the respective obligations of Alvo, as a processor, and our customers, as controllers. Contact us at contactus@alvo.marketing to request a copy.
The GDPR does not require that data processing activities be limited to the EU, but it regulates the transfer of personal data outside of the European Economic Area (EEA). To enable such transfers, the GDPR provides for several transfer mechanisms.
Alvo protects our customers’ data from end to end through strong technical and organizational measures, including defined data retention periods, controls on data storage and transfers, and encryption protocols. We apply these measures in line with the principles of accountability and transparency that we prioritize at Alvo. We also include the EU Standard Contractual Clauses (Model Clauses) in our Data Processing Addendum, and in our agreements with all our vendors, to ensure that any data transfers are carried out properly and securely.