General Data Protection Regulation (GDPR) is a data privacy regulation that went into enforcement on May 25, 2018. GDPR is the updated version of Directive 95/46/EC, which was enacted in 1995, and will more effectively address the protection of sensitive information in the current technical landscape. GDPR covers the protection of Personally Identifiable Information (PII) of EU citizens that is processed, stored, and managed by organizations.

All of our Changepoint products (Daptiv PPM, Changepoint, barometerIT) are classified as “Processors” under the GDPR guidelines. Since we do not determine the purpose and means of the data that is input and processed by our products, we cannot be considered a “Controller.” We have validated that Changepoint meets all of the GDPR criteria for classification as a Processor and the responsibilities associated with that designation. If you have any questions or require evidence of our compliance, please reach out to us. We will provide you with the information necessary to demonstrate our full compliance with GDPR across all of our lines of products.

Changepoint Certifications

ISO 27001:2013 Certification for all of our products (Daptiv PPM, Changepoint PSA, and barometerIT). This is an internationally recognized standard that covers the protection and management of sensitive information and all of its supporting components.

Privacy Shield Certification for all of our products. This includes the privacy processes and procedures that support the current regulation, Directive 95/46/EC. Our Privacy Policy can be found here: http://www.changepoint.com/privacy/

Cloud Security Alliance (CSA) STAR certification for our Daptiv PPM product. This is the most respected Cloud-focused security standard in the industry. While ISO 27001:2013 is a rigorous security standard, STAR certification is even more so. Not only does it have more controls than ISO 27001:2013, but you must be certified for ISO 27001:2013 before you can even be audited for STAR certification.

Topic: Request from Individual to remove their data from Changepoint Products
Changepoint's Response: Please reach out to our information security team using the contact information provided on this page. Describe your request (for example, that you want PII data removed from an application) and provide your contact information so we can confirm receipt of your request within 48 hours. Depending on the scope of the request, we may need to contact other resources to complete the process. Once completed, you will be notified that your request is resolved.

Topic: Consent Management: GDPR requires Controllers to obtain explicit consent.
Changepoint's Response: The PII required by Changepoint products must be entered by the Administrator before processing can begin. It is not possible for the product to track when consent was obtained. This information can be managed as a date field in the product, but the product cannot be set up as a requestor of consent.

Topic: Right of Erasure / Right to be Forgotten: GDPR has extended rights to have PII removed from online storage, with exceptions noted in Article 17.
Changepoint's Response: Changepoint has systems in place for Controllers to request that PII be removed. Because GDPR allows exceptions to the deletion of such data, Changepoint handles each removal request individually and responds without undue delay. For any removal request, part of our process is to confirm with the Controller that no exceptions apply to the request, including medical data or other legal requirements for data retention.

Topic: Right of Rectification: GDPR has extended rights for a person to have their PII corrected.
Changepoint's Response: PII can be updated in all Changepoint products.

Topic: Data Portability / Right to access data
Changepoint's Response: Changepoint can provide the data upon Controller request.

Topic: Breach Notification
Changepoint's Response: Changepoint follows the breach guidelines outlined in GDPR and the security requirements of its certifications: ISO 27001:2013, Privacy Shield and Cloud Security Alliance (CSA) STAR.

Topic: Security
Changepoint's Response: Access control in the customer interface is enforced through the assignment of roles. On the Changepoint side, we have control policies in place and are certified through ISO 27001:2013, Privacy Shield and Cloud Security Alliance (CSA) STAR.

Please let us know if you have any questions by emailing our team at informationsecurity@changepoint.com.

Frequently Asked Questions

Q: What is a DPO?
A: DPO stands for Data Protection Officer and is a requirement for some organizations.

Q: How do I contact Changepoint’s DPO?
A: Changepoint does not meet the requirements for a DPO. All related responsibilities are being carried out by Changepoint’s information security team.

You can contact our information security team by email at informationsecurity@changepoint.com

Or by mail at

Information Security
1111 3rd Avenue, Suite 700, 98101
Seattle, Washington, United States of America

Q: Will there be any downtime for the products?
A: No, any updates that are deemed necessary during the evaluation will occur during normal maintenance or update schedules.

Q: Do you have a roadmap for upcoming changes?
A: We have completed the changes to our policies and procedures and evaluated our products. We are still looking for any questions or feedback on our GDPR preparedness.

Q: Where is Personally Identifiable Information (PII) currently stored?
A: We require a very limited amount of PII for our customers to use our applications (name and email). Depending on the application being used and the customer's country of preference, data is stored within the applications, which are housed in one of the following:

  • Within Amazon Web Services (AWS) (customer’s choice of Northern Virginia or Dublin, Ireland)
  • One of our data centers (Toronto, Canada or Seattle, Washington, USA)
  • On premise at the customer locations

Q: What about deleting a person’s PII in your applications?
A: We have privacy processes in place as part of our privacy policy, so the framework to allow someone to opt out is already in place. Customers' employees are also able to anonymize their PII in the products or request that their administrators do so.

Q: What PII data do Changepoint products require?
A: Changepoint has three unique products: Daptiv PPM, Changepoint PSA, and barometerIT. Each of these products requires a very minimal amount of PII in order to be used, typically an email address for registration and password changes. While our PII requirements are minimal, we are working towards lessening the need for that data as well as obfuscating the data whenever possible.

Q: Can I remove my PII from your products?
A: Yes, unless there is an overriding exception as outlined in the GDPR, such as medical record requirements and other legal data record requirements. We have policies in place to verify the storage requirements with the Controller of the data and will work with them to anonymize or delete the data without undue delay.

Q: Are Changepoint vendors and sub-vendors required to be compliant?
A: Yes. However, we do not process customer or user data, so we do not outsource those services. We may use some data, such as email, for marketing purposes, but we have a well-established process for users and customers to opt out of that process from the start. To be extra cautious, we are working with our vendors to add addendums to our contracts that require them to be GDPR compliant, in addition to the confidentiality agreements that are already in place.

Q: We as a company store PII in one or more of your products; how can we comply?
A: If you have data that qualifies as being regulated by GDPR (for example, you uploaded a document containing PII for a GDPR-covered person or persons), it is up to the customer to remove that data. Since we do not process or access customer data, we do not inherently know whether your data is GDPR regulated. Our most significant undertaking in becoming GDPR compliant concerns data that is uploaded or input by customers. We are working on solutions that will allow customers to anonymize or remove GDPR-regulated data using automated tools, but as of today the process is manual.

Q: Where can I find more information on GDPR?
A: You can find more information on the EU GDPR website and the final version of the text.