
SmartWinnr's GDPR Commitment


Dedication to your data privacy

We are wholly invested in our customers' success and the protection of data. One way that we deliver on this promise is by helping SmartWinnr customers and users understand, and where applicable, comply with the General Data Protection Regulation (GDPR). The GDPR is designed to give EU citizens more control over their data and seeks to unify a number of existing privacy and security laws under one comprehensive law. The GDPR not only applies to organizations located within the EU, but it also applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. The following sections outline our approach and investment in GDPR compliance in service of our customers and individual data subjects.


Security and certifications

Protecting our customers' information and their users' privacy is extremely important to us. We are entrusted with some of our customers' most valuable data, which is why we have built security into every layer of the SmartWinnr Cloud architecture. We provide replication, backup, and disaster recovery planning, encryption in transit and at rest, advanced threat detection, common controls, and more. Visit the SmartWinnr Security Practices page to learn more about our approach to security.

Additionally, we have devoted significant resources towards ensuring our cloud products are built and designed in accordance with widely accepted standards and certifications. These standards mirror many of the security and privacy requirements of the GDPR and give our customers a transparent framework by which to measure our software development and data management practices. Our data centers, co-location, and managed service providers undergo a thorough security assessment as a part of the evaluation process and then undergo regular SOC 1, SOC 2, and/or ISO/IEC 27001 audits thereafter.


International data transfers

As a company with a global customer base and operations, SmartWinnr must be able to transfer and access data around the world. We understand and respect the rules for onward transfers of personal data outside of the European Economic Area (EEA), and offer customers a robust international data transfer framework as a part of our Data Processing Addendum. This addendum ensures that our customers can lawfully transfer personal data to SmartWinnr Cloud products outside of the EEA by relying on the Standard Contractual Clauses. This addendum also contains specific provisions to assist customers in their compliance with the GDPR.

Whenever we share your data with SmartWinnr service providers, we remain accountable to you for how it is used by any of these organizations. We require all service providers to undergo a thorough diligence process and enter into contracts which ensure our customers' personal data receives adequate protection and safeguards.

We are aware that the European Data Protection Board recently issued further guidance on supplementary measures to meet the adequacy requirement of GDPR. We will continue to analyze these requirements and any others issued by European data protection authorities as they arise.

For more information on how we transfer and process personal data, see our Privacy Policy.


Data location and portability

Data for all our enterprise customers in the EU is hosted in AWS Ireland data centers.

We’re also ready to facilitate your customers’ requests to export their data, should you host your customer data on SmartWinnr products. SmartWinnr provides robust data portability and data management tools for exporting product and user data.


Individual privacy rights and consent

Data subject rights

Our tools help customers meet obligations under the GDPR right to be forgotten (or right to erasure) clause by making it easy to delete personal data from SmartWinnr Cloud products:

  • SmartWinnr Organization Admins can facilitate the account deletion of their managed users from controls in their admin portal.
  • People who have provided their personal data or had their personal data provided to SmartWinnr, but do not have SmartWinnr accounts, may also initiate a request for deletion by writing to privacy@smartwinnr.com.

Similar tools are available for access requests:

  • SmartWinnr Organization Admins can facilitate access of their managed users' data from SmartWinnr support.


Choice and consent

We value choice and transparency around how we collect, use, and share information, and provide optionality within different product or account settings. Our Privacy Policy summarizes those choices, how to exercise them, and any relevant limitations.

For our EU end users, we surface consents for cookies and marketing messages to provide clarity and control at points of collection. Our internal processes centralize consents to ensure we’re consistently honoring your choices across our product suite.


Other commitments

Below are several other GDPR initiatives that have been implemented within our Cloud:

  • We have ensured that SmartWinnr staff who access and process SmartWinnr customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data
  • We provide a list of our subprocessors on our Subprocessors page which you can visit anytime to stay up-to-date on any changes
  • We have committed to carrying out data impact assessments and consulting with EU regulators where appropriate
  • We will assist with notifying regulators of breaches and promptly communicating any breaches to customers and users