Insider and General Data Protection Regulation (GDPR)

Lawfulness, Fairness and Transparency

As a data processor, Insider commits to follow transparent processing activities. To show our processing activities, we published our product privacy policy for general applications. We are also providing all the necessary information about processing activities to our partners when requested.

Purpose limitation

We have the Data Processing Agreement with our Partners to define the purpose of processing activities. With the DPA, the duties and responsibilities of the parties are defined. We make sure that as a data controller, our partners collect the specified, explicit and legitimate consent from their end users. If the purpose of the data collection is changed, our clients need to inform us about the change and we also change the DPA according to new purpose of processing.  

Data minimization

Unless the partners define other purposes, Insider products only collect users’ behavioral data to provide best personalized user experience. Based on our clients' need, we process the data which is defined and collected by the partner. Our product by default collects only behavioral data in an anonymous way.

Accuracy

Any data pushed by our partners that relates to user data can be easily rectified using our API endpoints to either merge or override data.  

Storage limitations

Our platform does not store any user data unnecessarily, unless indicated by our partners. All our data retention and storage policies are clearly defined and available to our partners.

Integrity and confidentiality

Our platform employs all required technical and organizational measures including pseudonymization of data to ensure its security and confidentiality.

Consent (Article 7)

Conditions for consent:
1. Unbundled
2. Active opt-in
3. Granular
4. Named
5.Easy to withdraw
6. Documented
7. No imbalance in the relationship

According to the Article 7 of GDPR, freely given, clear consent will be collected by the data controller. In the relationship between Insider and our partners, Insider is the data processor and our partners are the data controller according to the roles defined under GDPR. Based on these roles, Insider is not responsible for collecting the consent from end users to process the data. To help our partners to be compliant,, we are committed to enabling our partners to collect data responsibly as a controller. For our product features where the controller can collect user’s personal data, we have provided the ability to add consent checkboxes that are active and explicit.

Data Subject Rights (Article 15 – 23)

1. Right of access
2. Right to data portability
3. Right to rectification
4. Right to erasure
5. Right to restrict processing
6. Right to object

Insider will cooperate with any requests from controllers to access, erase or rectify data of end users through trained personnel servicing these requests. Additionally, our platform also provides multiple API endpoints to delete data or update data to keep user data accurate.

Security of Processing (Article 32)

Confidentiality, integrity, availability, resilience of processing systems and services

To ensure that the entire company and its employees are aware about GDPR, we have taken continuous training and process measures. We have quarterly training programs to ensure employees are enabled to comply with GDPR. In addition to this we also have new employee onboarding to include GDPR awareness and policy coverage. Among several policy documents, Employee Security Rules is one such document to enforce our commitment towards data processing regulations

Data Breach (Article 33 – 34)

Responding to Data breaches and incidents

We fully commit to continuing to notify our customers and partners of any data incidents in line with our current terms of service and privacy agreements. We will keep investing in threat detection and avoidance technologies, and our round-the-clock incident management program to help you respond to security or privacy events. We prepared a detailed Incident Response Plan and built a Security Team to comply with Article 33-34.

Data Protection Officer (Article 37-39)

Appointment of DPO

Our DPO is available to answer any questions regarding data processing and how we’re compliant with core tenets of GDPR  such as “consent” and “product compliance”. You can reach Haktan Ellez anytime via haktan@useinsider.com or through the number +90 554 763 00 33.

Codes of conduct and Certifications (Article 40 – 43)

Insider constantly identifies and plans to implement relevant certifications. Currently we are pursuing ISO 27001- Information Security Management System.

Cross border data transfer (Article 44-50)

All the data we collect is stored in an EU-based center, the Amazon Web Services (AWS), in Dublin, Ireland. This data storage center is available to all customers who wish to have their data stored within the territorial scope of the GDPR, and not only our EU customer base.

Our technical systems are 100% compliant with the GDPR and cloud base AWS servers of Insider is in the EU.  To regulate cloud server system, Standard contractual clauses of EU Commission is added to our example Data Processing Addendum.