Data and infrastructure security, tools adapted to the new regulations, granular and controlled data management: here are all the details of our commitment in preparation for the new GDPR.
The GDPR introduces a real revolution in how personal data is processed. MailUp is at companies’ side to address this challenge, with its commitment split along two guidelines:
Like any other company, MailUp is also going through the process of adapting to the GDPR: we are preparing to be fully compliant by May 25, 2018.
The regulation requires our customers to reevaluate their data infrastructure and the processes that involve the processing of personal data. Being compliant will not be easy, and we certainly don’t want to make it any more complicated: this is why we have carried out careful analyses aimed at exploiting the flexibility we are known for and allowing our customers to focus only on what is really needed.
We know that the MailUp platform is a fundamental tool for our customers: this is why we are carrying out various assessments, reviewing the specifications of the processing and, in the meantime, we want to let you know how to best use the platform while preparing for the regulation’s entry into force.
Every MailUp customer can log in with their main administrator credentials and create additional users with exclusive or shared access to one or more lists. All the data customers upload to the platform is saved in our systems, giving customers full control of the management, search and access modes.
The MailUp architecture is, like most modern “software as a service” type applications, multi-tenant. However, since our customers’ privacy and security have always been a priority for us, we wanted to maintain customer-specific databases (database-per-tenant).
This solution offers us several advantages: in addition to the physical separation of data for each customer (which ensures strong data isolation), it allows us to have a very high level of flexibility both in terms of encryption and data recovery.
Considering that we manage a large amount of different types of data, we at MailUp are quite aware of the problems related to the access and processing of personal data. This is why we wanted to maintain a high degree of flexibility in this case as well.
It will be possible to define which fields can be viewed/modified by each user of the platform.
In the absence of permission, personal data (including email addresses and phone numbers) will be hidden, without this preventing the use of the platform’s main features. This choice is based on the principle of “minimum privilege” which, in addition to being a good practice in terms of security, can help customers maintain the same level of security defined for their organization, allowing each user to only access the minimum amount of data actually needed to properly carry out their task.
In this context, access rights to key functionalities (contact visibility, statistics, import, export, creation and sending of campaigns) are configurable in a specific way for each user.
Furthermore, the platform lets you create different lists that can operate as independent environments and assign access to these lists to specific users. This makes it possible to define independent processing registers according to need (e.g. geography of origin/acquisition).
The platform lets you define certain basic rules that are considered appropriate measures in the field of data security and processing:
Security is not limited to platform use, but is also required in the communications sent by each customer. MailUp uses the DKIM standard (DomainKeys Identified Mail) to send messages via the platform. This authentication system lets you “certify” that the message’s content reached the recipient in the same form as that originally sent by the sender.
In doing so, the entire email is encrypted through the TLS protocol, making any unauthorized modification or reading of the email impossible while it is being sent, until it reaches its destination.
In addition, all the links contained in the emails, including any re-routing, are automatically checked by our systems to prevent spam, malicious use of the platform and theft of data (including personal data).
All data uploaded to the platform is maintained and saved via backup for the entire contract period, then automatically deleted within 20 days of the end of the contract.
MailUp has its own team dedicated to privacy and compliance which is coordinated by a Data Protection Officer, who oversees the organization’s security and compliance with applicable laws. All those who work for the organization, and in particular those who have access to customer data, have received adequate training in terms of security and privacy and must follow clear rules in order to safeguard the confidentiality, integrity and availability of data.
All access is limited by a permissions system based on role and reasons for use, allowing us to ensure that only authorized persons have access to data or servers; access to the latter also requires a biometric control.
Roles and accesses are checked regularly.
The data that customers upload to the platform can present varying degrees of confidentiality.
Even though the platform provides a high level of security and granularity for the handling of different types of data, the customer is responsible for defining and implementing the most appropriate approach for processing and accessing sensitive data.
On request we can evaluate the specific needs and configure the services to process the data in an appropriate manner.
The Regulation establishes that the data controller must be able to demonstrate that the data subject has given his consent to the processing of his personal data.
This has always been one of our priorities, even before the final drafting of the Regulation, and for this reason our customers can find all the necessary tools, always updated, to better manage consent:
The GDPR establishes that the data controller and its managers are responsible for defining data retention times and ensuring that this period is limited to the minimum necessary.
Those who have already defined a precise duration of data processing can take advantage of the inactive management feature to:
Workflows will also be updated to let you easily implement the same consent expiration process.
MailUp provides various tools and integrations to be able to profile recipients based on their activities or their choices.
However, we would like to underline that the decision-making process, although automated, is totally and exclusively controlled by our customers. Despite the fact that, as indicated in the previous paragraph, an individual subject may request to not be profiled, it is possible to configure the platform in order to completely exclude tracking on one or more lists or for one or more campaigns.