Claritum GDPR Statement

What is GDPR?

The new EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 (including in the UK regardless of its decision to leave the EU) and will impact every organisation which holds or processes personal data. It will introduce new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially increased penalties than the current Data Protection Act (DPA) which it will supersede.

Claritum’s GDPR Approach

Claritum is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards and comply with applicable GDPR regulations, as a data processor, while also working closely with our customers and partners to meet contractual obligations for our procedures, products and services.

The company has two main areas of focus overseen by an internal cross-functional team:

  1. Building on existing security and business continuity management systems and certifications (including ISO 9001) to ensure our own compliance.
  2. Product programmes to support compliance for users of our software applications including solutions to streamline the process and drive greater efficiency.

It is important to recognise that compliance is a shared responsibility and all organisations need to adapt business processes and data management practices.

Compliance

Claritum has robust information security policies and procedures but policies such as Incident Response Plans and Backup Data Retention are reviewed and updated on a regular basis.

Claritum ensures compliance by the data controllers, the use of sub-contractors and any data export arrangements by having relevant arrangements in place.

Contract

The contract between Claritum and our clients covers the rights and responsibilities on both sides, as you, the ‘data controller’ and Claritum, the ‘data processor’ under the terms of the GDPR.

ISO 9001

As with all compliance programmes, clear documentation of and consistent adherence to the policies is key and so Claritum is working towards ISO 9001 compliance.

Data Protection Officer

Even though (technically) Claritum are not required to do so under the terms of the GDPR, Claritum have appointed a Data Protection Officer (‘DPO’) whose task is to inform, advise and monitor compliance. The company will implement tools as appropriate that support the process, providing necessary security and ongoing delivery of objectives.

Queries regarding GDPR specifically can be sent to gdpr@claritum.com.

Claritum Application Development

Claritum’s software development methodologies ensure that the security and integrity of the software and platform is maintained at all times. Within our GDPR programme, Claritum continue to review and update these procedures as necessary.

Claritum Platform

Claritum are committed to continually develop and maintain the application, adding value and providing efficiencies to help your business grow. Along that journey and as we identify them, we will also be including improvements to the platform to assist you (the data controller) in fulfilling potential GDPR compliance requests from you customers.

These efficiency improvements will be announced along with other release notices in the usual way.

Personal Data Mapping – data Subjects and Elements

As a Data Processor we manage the following personal data in Claritum on behalf of our Customers

Data Subject Personal Data Element
Supplier User
  • Name and Surname
  • Email
  • Phone Details
  • External ID
  • Place of Work
Customer User
  • Name and Surname
  • Email Address
  • Phone Details
  • Fax
  • Cost Centre
  • Physical Address
  • External ID
  • Gender
  • Place of Work
Service Manager
  • Name and Surname
  • Email Address
  • Phone Details
  • Place of Work
  • External ID
Additionally, we have prepared a ‘map’ of all the places in the system that potentially ‘personally-identifiable’ information may come into the Claritum system. This map also details which types of users may access the data and to what extent (viewing/reading, updating, both).

This data ‘map’ can be found here

Where is Claritum Data stored?

The Claritum system runs on Rackspace Public Cloud. UK and European customers are hosted in their London (UK) region.

The data centers meet the following standards:

  • ISO 27001
  • PCI-DSS (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD)
  • SOC 1 (SSAE 18)
  • SOC 2
  • SOC 3
  • PRIVACY SHIELD
  • CONTENT PROTECTION AND SECURITY STANDARD (CPS)

For full information on Rackspace’s data centers, please see their Global Infrastructure and Uptime. For information on the security, please see their Certification and Security Standards guide.

Systems and Personal Data we share to support our Customers

As a Data Controller we securely store your information in other applications allowing us to support you and your organisation on a daily basis.

Data Processor Data Subject Category Personal Data Elements Purpose

Atlassian

https://www.atlassian.com/trust/security

https://www.atlassian.com/gdpr

Claritum Customers ( Key Contacts, Super Users) Support Portal
  • Name and Surname

  • Email Address

To support Claritum customers with issues, questions about the Claritum system.

The tool is used for managing tickets / communication between Claritum and their Customers ( key contacts, also known as Super Users )

HubSpot

https://www.hubspot.com/data-privacy/gdpr

Marketing Contacts Sales Contacts

Claritum Customers ( Key Contacts, Super Users)

CRM and Marketing

Emailing

  • Name and Surname

  • Email Address

  • Company Address Information

  • Phone Number

  • Title

Marketing and customer relationship management tool.

Aligns inbound and outbound marketing campaigns across the customer lifecycle

Data is stored for commercial communications and to enable users to use the Claritum system and for Claritum to be able to contact Administrators of the system