The General Data Protection Regulation (“GDPR”) replaces the 1995 EU Data Protection Directive effective May 25, 2018. It strengthens the rights that individuals have regarding their personal data and seeks to unify data protection law across Europe, regardless of where that data is processed. The GDPR applies to any company that offers goods or services to, or stores personal data about, individuals in the EU, and it gives those individuals greater control over their personal data and assurance that their information is being securely protected.
Recognizing the sensitivity of the customer data to which it may have access, Everbridge has long treated data privacy as an area of focus. Everbridge customers can upload contact information for the individuals they choose to communicate with using Everbridge’s products, including employees, residents, contractors, and visitors. Any data processing performed by Everbridge is done at the initiative of our customers when they use our system for critical event management. Everbridge does not process customer data in any other way or for any other reason. Customers have complete control over the data uploaded into Everbridge’s contact stores, and the customer chooses the location where its data will be stored. Everbridge does not access that data except as specifically requested by a customer, and a customer can modify or delete all such data directly at any time. Upon expiration of a customer relationship, all customer data is deleted within 30 days. This control enables customers to upload, modify, and delete individual contact information as appropriate based on their own requirements.
As a company that is required to comply with GDPR, Everbridge has taken a number of steps to become GDPR ready.
Everbridge has entered into an updated Data Processing Agreement with all affected customers and vendors which reflects GDPR requirements. Any personal data that a customer and its users upload into Everbridge systems will only be processed in accordance with the customer’s instructions.
Everbridge has expanded its Security by Design processes to include Data Protection & Privacy by Design, and proactively applies those principles to every new product and enhancement.
Everbridge has taken steps not only to ensure its own platform’s GDPR readiness, but also to re-evaluate its vendors and validate that they are GDPR ready.
Privacy training has been integrated into new hire training, annual training, and ongoing communications. This training ensures that the entire organization understands GDPR requirements, and it serves as the basis for deeper, targeted training on the specific obligations under the law that apply to individual groups such as marketing, customer support, and engineering.
Everbridge has updated and modified its Privacy Notice to both comply with GDPR requirements and make it easier for customers, individuals, and website visitors to understand how Everbridge handles personal data. Everbridge also has updated and incorporated Data Protection & Privacy into its Information Security Management System (ISMS), as well as expanded its impact assessments to include a Data Protection Impact Assessment (DPIA) and better define and document the way the company performs data mapping.
Everbridge is continuing to enhance its privacy program to meet the requirements of the GDPR as well as future privacy laws and regulations. The Company’s EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield certifications provide legally recognized mechanisms for transferring personal data out of Europe. Everbridge complies with the seven Privacy Shield principles: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability.
Under the GDPR, a data processor must implement appropriate technical and organizational measures to protect personal data. Everbridge’s security framework is governed by the ISO/IEC 27001:2013 information security standard and draws on the comprehensive set of security requirements and controls in US National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Information Systems. Our security and data privacy controls and procedures are certified by an accredited third-party audit firm under the internationally recognized ISO/IEC 27001:2013 standard.