Under GDPR, there are two different entities: data controllers and data processors. Data controllers own and control what information is being collected, and why the data is being processed. Processors are responsible for exercising control of the data they process and the security of that data.

In the case of Sigstr’s email signature marketing platform and its customers, Sigstr acts as the data processor and customers act as the data controllers.

How does Sigstr handle GDPR?

To meet GDPR and specific customer needs, Sigstr offers a variety of data management features, including tools to view and delete user information on demand from within the application.

To find these features, log in as an admin and navigate to your Sigstr Settings. Locate the tab labeled Privacy & Data.

The Privacy & Data tab has 3 key features to help with GDPR compliance:

  1. Export Recipient Data
  2. Delete Recipient Data
  3. Company Data Retention

Export Data Archive & Delete Individual Recipient Data

If you have a user who has requested all information you have about them, Sigstr can provide any data that we have about that user. Add his or her email address to the “Export Data Archive” section, select which data you would like to have exported (contact record and/or engagement data), and click Export Data.

Similarly, if a user requests to have their information deleted, enter his or her email address into the Delete Individual Recipient Data section. Please note that these requests take 1-2 business days to process, and will be sent to the Sigstr admin upon completion. 

Data Retention

Along with exporting and deleting user data, GDPR stipulates that you can only keep user data for as long as it is necessary. Because of this, Sigstr admins can set how long engagement data will be stored in Sigstr. Just select a timeframe from the drop-down menu and click Save! Data that is older than the stated timeframe will be deleted from the application automatically.

Data Protection Officer

Sigstr also appointed a Data Protection Officer (DPO), which is a requirement for both controllers and processors. The DPO is responsible for being the main point of contact for data privacy needs, and for ensuring that his/her company is following best practices.

Data Processing Agreements

A large part of GDPR is documenting what data is being processed and why. Data Processing Agreements (DPAs) outline and set expectations between Sigstr and its customers when it comes to processing data. This allows for transparency and, as a data processor under the new GDPR, Sigstr is willing to sign DPAs with our customers. Every industry has a different set of regulations and Sigstr will ensure that we align to those requirements.

Not sure what a DPA should look like? Reach out to us at security@sigstr.com and we can help provide examples.

Why is this important to you?

One of the biggest changes under GDPR is joint responsibility for data processing and privacy. Companies are now responsible for the data they send to their third-party vendors, and what the vendors do with that information. Sigstr’s GDPR features and transparency make us one less thing to worry about with the sweeping privacy changes outlined by GDPR. As the new regulations continue to evolve, Sigstr will be ready for them!

Have more GDPR-related questions? Email us at security@sigstr.com.
