Everything you need to know about Advdoctor’s GDPR compliance
Advdoctor is committed to meeting our General Data Protection Regulation (GDPR) obligations and helping our customers meet theirs. Here are the steps we have taken to reach this goal.
General Data Protection Regulation (GDPR)
What is GDPR?
The General Data Protection Regulation was created to harmonize privacy laws across Europe, to empower EU citizens with respect to their personal data, and to reshape the way organizations approach data privacy. EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed. The reach of the GDPR extends even beyond the borders of the EU. Any organization that markets products and services to individuals in the EU is obligated to comply with the GDPR, regardless of where the company is located.
The GDPR divides responsibility for data protection between data controllers and data processors. Data controllers determine what data they collect, the purpose and the means. Data processors assist them to complete these tasks. In affiliate marketing, advertisers and affiliates decide when to run or participate in affiliate programs and the operational framework, meaning that they act as data controllers. Advdoctor provides services that help customers manage their affiliate programs, this means that we act as a data processor, as we store and process data relating to individual affiliates and end users on behalf of our customers.
Our obligations as data processor:
- Only process or transfer personal data on instructions from our customers, the data controllers
- Assist our customers with requests from end users, affiliates, and authorities on privacy-related matters
- Take reasonable and appropriate measures to secure personal data, and submit to regular auditing and testing
- Formally document our privacy and security practices and procedures
- Enter into contracts which reflect these obligations with our customers and sub-processors
Obligations for data controllers
The GDPR expands the responsibilities of data controllers. Among other obligations, data controllers must:
- Understand what personal data they collect, where it is stored, and with whom it is shared
- Identify a legal basis for processing personal data, such as end user consent or a legitimate interest
- Provide end users with relevant information regarding the use of their personal data and give them meaningful options over how it is used
- Respect the rights of data subjects to access, edit and delete their personal data.
- Adopt reasonable and appropriate steps to ensure the security of personal data
There can be more than one data controller for the same information, in which case they are jointly responsible for complying with the GDPR. Customers sponsoring an affiliate program should assess, together with their affiliates, whether the GDPR is applicable to their marketing activities. As joint data controllers, they should divide responsibility for GDPR compliance, such as preparing privacy policies to inform end users of their rights and obtaining consent to process their personal data, if necessary.
Our security measures
Advdoctor has developed many features to compliance with GDPR and to assist customers fulfill their GDRP obligations.
Secure by design
Advdoctor has been developed to be secure and protect against attacks like cross-site scripting, cross-site request forgery, SQL injection, session hijacking, and more.
Each one of our servers run its own firewall. A firewall is a network security system that monitors and filters incoming and outgoing traffic.
All Advdoctor websites run over a secure Hyper Text Transfer Protocol Secure (HTTPS) connection, which is the secure version of the HTTP protocol. It means all communications between your browser and Advdoctor are encrypted, including email communications.
Both customers and affiliates passwords are stored encrypted. We use multiple secure and irreversible algorithms to add an extra protection layer for our users.
Advdoctor API is restricted to accredited users based on unique API access tokens.
Fetaures to help our customers with GDPR
We offer the following solutions to some of the most common GDPR challenges.
Advdoctor give customers the option to delete Service Data that may contain personal data, such as profiles, commissions, IP addresses, logs, and other data.
Delete Affiliate data
One of the rights affiliates have is to request cancellation of their personal data. Advdoctor allows customers to delete an affiliate and all his/her related data (including trackings). This can be done in the Advdoctor admin panel at: Users > Affiliates.
Delete IP/tracking data
One of the rights end-users have is to request cancellation of their personal data. Advdoctor allows customers to delete IP addresses and invalidate cookies from visitor logs in response to such requests. This can be done in the Advdoctor admin panel at: Statistics > Detailed.
Advdoctor allows customers to set the tracking cookies’ lifetime or to use a Cookieless tracking. Our cookieless tracking Solution preserves tracking even when a CJ tracking cookie isn’t present on a consumer’s browser. This tracking enhancement is fully compatible with GDPR legal requirements.
Data processing agreement
We have prepared a Data Processing Agreement template for our customers who process the personal data of EU residents.
Advdoctor uses certain subprocessors to assist it in providing the Advdoctor service
What is a Subprocessor:
A subprocessor is a third party data processor engaged by Advdoctor, who has or potentially will have access to process Service Data (which may contain Personal Data). Advdoctor uses various types of sub-processors to perform different functions as explained below.
Advdoctor undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed subprocessors that will or may have access to process Service Data.
This policy does not give customers any additional rights and should not be construed as a binding agreement. The information herein is only provided to illustrate Advdoctor's engagement process for subprocessors as well as to provide the actual list of third party subprocessors as of the date of this policy.
Advdoctor owns or controls access to the infrastructure that Advdoctor uses to host Service Data submitted to the Services. Currently, the Advdoctor production systems for the Services are located in co-location facilities in the United States and Europe.
Customer accounts are established in one of these regions; the Customer's Service Data subsequently remains in that region unless agreed between Customer and Advdoctor, but may be shifted among data centers within a region to ensure performance and availability of the Services. Below are described the countries and legal entities engaged in the storage of Service Data by Advdoctor.
Future Hosting, LLC. (EU & US location)
Advdoctor servers are hosted at Tier III+ or IV SSAE-16 compliant facilities. Data center facilities are powered by redundant power, each with UPS and backup generators.
To ensure 24/7 customer service availability, Advdoctor may works with multiple subcontractors, who may access Service Data. All subcontractors have contracts in place and must follow security guidelines one of which is accessing such data only with prior consent of the Customer.
If you have any question or concerns about GDPR please feel free to contact us via email here.
This policy was last modified on 2018-05-21