Leadspace does not process sensitive personal data. Leadspace's services do not include any processing of data related to consumer-activities, data covered by specific US legislation such as social security numbers, health-related data, education-related data, personal information related to children, credit reports, other financial data and government-issued IDs. Furthermore, Leadspace's services do not process any "special categories of data", as this term is defined by Regulation (EU) 2016/679 ("GDPR").
Leadspace employs adequate privacy and information security controls to meet US laws and general practice standards. Leadspace is also making its final preparations to meet applicable requirements under the GDPR and is planning to complete this process by May 25, 2018, when the GDPR takes effect.
Leadspace's controls and measures include the following elements:
- Leadspace employs adequate information security measures, procedures and policies, backed by certifications and annual audits to the ISO 27001 and 22301 Information Security and Business Continuity Management standards.
- At customers' request and subject to appropriate confidentiality arrangements, Leadspace is able to provide summary reports of third party information security audits and penetration tests.
- Leadspace employs GDPR-related procedures and policies, including breach management and notification, data retention, impact assessments, assistance to controllers and records of processing.
- Leadspace is certified with the EU-US Privacy Shield Framework and received the necessary statements and certifications to verify that Leadspace's agents (as this term is referred to under the principles of the Privacy Shield Framework) provide the same level of protection. The statement of certification is available at: https://www.privacyshield.gov/participant?id=a2zt0000000PBV4AAO&status=Active
- Leadspace offers its customers a standard data processing agreement (DPA), alongside the Software Service Agreement, to support the processing of GDPR-covered personal data. The current DPA is available at: https://resources.leadspace.com/dpa/dpa.
- Leadspace keeps the data on secured servers of known hosting services (Amazon, Google and IBM Cloud), with adequate attestations of compliance and certifications. Additional information about their practices, including their compliance with international standards can be found at: https://www.ibm.com/cloud/compliance; http://aws.amazon.com/compliance/
- Leadspace maintains transparent privacy practices and publishes its privacy notice at: https://www.leadspace.com/privacy-notice/;
- Leadspace receives appropriate representations and warranties of compliance with laws from service providers (sub-processors) and data sources.
- Leadspace provides individuals with opt-out options from mailing lists and from sharing data with third parties (the Choice principle).
- Leadspace maintains on-boarding and annual security and privacy training to its personnel.
- Leadspace has formed a team to manage on-going privacy-related issues (DPT – data privacy team).
- Leadspace receives on-going legal and compliance guidance from Leadspace's counsel, who is a Certified Information Privacy Professional (CIPP/US and CIPP/E)