“Security, governance, and privacy are core to the Everbridge platform and have always been key components in all aspects of our service and business.”
- Jaime Ellertson, CEO
What Is GDPR?
The General Data Protection Regulation (“GDPR”) replaces the 1995 EU Data Protection Directive effective May 25, 2018. It strengthens the rights that individuals have regarding their personal data and seeks to unify data protection laws across Europe, regardless of where that data is processed. The GDPR applies to all companies selling to and storing personal information about citizens in Europe and provides such citizens with greater control over their personal data and assurances that their information is being securely protected.
What EU Citizen Data Does Everbridge Process?
Recognizing the sensitivity of the customer data to which Everbridge may have access, data privacy has long been an area of focus for us. Everbridge customers can upload contact information for the individuals that they choose to communicate with using Everbridge’s products. These individuals include employees, residents, contractors, visitors, etc. Any data processing performed by Everbridge is done at the initiative of our customers when they are utilizing our system for critical event management. Everbridge does not process customer data in any other way or for any other reason. Customers have complete control over the data which is uploaded into Everbridge’s contact stores, and the customer chooses the location where its data will be stored. Everbridge does not access that data except as specifically requested by a customer, and all such data can be deleted or modified by a customer directly at any time. Upon expiration of a customer relationship, all customer data is deleted within 30 days. This control over the data enables customers to directly upload, modify, and delete individual contact information as appropriate based on customer requirements.
What Has Everbridge Done to Comply with GDPR?
As a company that is required to comply with GDPR, Everbridge has taken a number of steps to become GDPR ready.
Data Protection Agreements
Everbridge has entered into an updated Data Processing Agreement with all affected customers and vendors which reflects GDPR requirements. Any personal data that a customer and its users upload into Everbridge systems will only be processed in accordance with the customer’s instructions.
Privacy by Design
Everbridge has expanded its focus on its Security by Design processes to Data Protection & Privacy by Design. For every new product and enhancement, Everbridge proactively applies the Data Protection & Privacy by Design principles.
Vendor Due Diligence
Everbridge has not only taken steps to ensure the GDPR readiness of its own platform, but has also re-evaluated its vendors to validate that they are GDPR ready.
Privacy training has been integrated into new hire training, annual training, and ongoing communications. These trainings will ensure that the entire organization understands GDPR requirements, and will be used to develop deeper, targeted trainings that cover specific obligations under the law which apply to individual groups such as marketing, customer support or engineering.
Policies & Processes
Everbridge has updated and modified its Privacy Notice to both comply with GDPR requirements and make it easier for customers, individuals, and website visitors to understand how Everbridge handles personal data. Everbridge also has updated and incorporated Data Protection & Privacy into its Information Security Management System (ISMS), as well as expanded its impact assessments to include a Data Protection Impact Assessment (DPIA) and better define and document the way the company performs data mapping.
Global Privacy Program
Everbridge is continuing to enhance its privacy program to meet the needs of the GDPR as well as future privacy laws and regulations. The Company’s E.U.-U.S. Privacy Shield and Swiss-U.S. Privacy Shield certifications provide legally recognized ways to transfer data across European borders. Everbridge complies with the 7 Privacy Shield principles: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability.
What Security Measures Does Everbridge Take to Protect Customer Data?
Under the GDPR, a data processor must implement appropriate technical and organizational measures to protect personal data. Everbridge’s security framework is based on National Institute of Standards and Technology (NIST) Special Publication 800-53 – Security and Privacy Controls for Information, which maps directly to ISO 27001. Our security and data privacy controls and procedures are assessed annually by an accredited third-party audit firm under Statement on Standards for Attestation Engagements No. 18 (SSAE 18).