The General Data Protection Regulation (“GDPR”) replaces the 1995 EU Data Protection Directive effective May 25, 2018. It strengthens the rights that individuals have regarding their personal data and seeks to unify data protection laws across Europe, regardless of where that data is processed. The GDPR applies to all companies selling to and storing personal information about citizens in Europe and provides such citizens with greater control over their personal data and assurances that their information is being securely protected.
Recognizing the sensitivity of the customer data to which Everbridge may have access, data privacy has long been an area of focus for us. Everbridge customers can upload contact information for the individuals that they choose to communicate with using Everbridge’s products. These individuals include employees, residents, contractors, visitors, etc. Any data processing performed by Everbridge is done at the initiative of our customers when they are utilizing our system for critical event management. Everbridge does not process customer data in any other way or for any other reason. Customers have complete control over the data which is uploaded into Everbridge’s contact stores, and the customer chooses the location where its data will be stored. Everbridge does not access that data except as specifically requested by a customer, and all such data can be deleted or modified by a customer directly at any time. Upon expiration of a customer relationship, all customer data is deleted within 30 days. This control over the data enables customers to directly upload, modify, and delete individual contact information as appropriate based on customer requirements.
As a company that is required to comply with GDPR, Everbridge has taken a number of steps to become GDPR ready.
Under the GDPR, a data processor must implement appropriate technical and organizational measures to protect personal data. Everbridge’s security framework is based on National Institute of Standards and Technology (NIST) Special Publication 800-53 – Security and Privacy Controls for Information, which has a direct mapping to ISO 27001. Our security and data privacy controls and procedures are assessed annually by an accredited third-party audit firm under Statement on Standards for Attestation Engagements No. 18 (SSAE 18).