GDPR Compliance @ Changepoint
updated on April 30, 2019
General Data Protection Regulation (GDPR) is a data privacy regulation that went into enforcement on May 25, 2018. GDPR is the updated version of Directive 95/46/EC, which was enacted in 1995, and will more effectively address the protection of sensitive information in the current technical landscape. GDPR covers the protection of Personally Identifiable Information (PII) of EU citizens that is processed, stored, and managed by organizations.
All of our Changepoint products (Daptiv PPM, Changepoint, barometerIT) are classified as “Processors” under the GDPR guidelines. Since we do not determine the purpose and means of the data that is inputted and processed by our products, we cannot be considered a “Controller.” We have validated that Changepoint is meeting all of the GDPR criteria for classification as, and associated responsibilities for, the Processor designation. If you have any questions or require evidence of our compliance, please reach out to us. We will provide you with the information necessary to demonstrate our full compliance with GDPR across all of our lines of products.
- ISO 27001:2013 certification for all of our products (Daptiv PPM, Changepoint PSA, and barometerIT). This is an internationally recognized standard that covers the protection and management of sensitive information and all of its supporting components.
- Cloud Security Alliance (CSA) STAR certification for our Daptiv PPM product. This is the most respected cloud-focused security standard in the industry. While ISO 27001:2013 is a rigorous security standard, STAR certification is even more so. Not only does it have more controls than ISO 27001:2013, but you must be certified for ISO 27001:2013 before you can even be audited for STAR certification.
Please let us know if you have any questions by emailing our team at firstname.lastname@example.org.
Frequently Asked Questions
Q: What is a DPO?
A: DPO stands for Data Protection Officer and is a requirement for some organizations.
Q: How do I contact Changepoint’s DPO?
A: Changepoint does not meet the requirements for a DPO. All related responsibilities are being carried out by Changepoint’s information security team.
You can contact our information security team by email at email@example.com.
Or by mail at
1111 3rd Avenue, Suite 700, 98101
Seattle, Washington, United States of America
Q: Will there be any downtime for the products?
A: No, any updates that are deemed necessary during the evaluation will occur during normal maintenance or update schedules.
Q: Do you have a roadmap for upcoming changes?
A: We have completed the changes to our policies and procedures and evaluated our products. We are still looking for any questions or feedback on our GDPR preparedness.
Q: Where is Personally Identifiable Information (PII) currently stored?
A: We require a very limited amount of PII for our customers to use our applications (name and email). Depending on the application being used and the customer's country of preference, data is stored within the applications, which are housed:
- Within Amazon Web Services (AWS) (customer’s choice of Northern Virginia or Dublin, Ireland)
- One of our data centers (Toronto, Canada or Seattle, Washington, USA)
- On premise at the customer locations
Q: What about deleting a person’s PII in your applications?
Q: What PII data do Changepoint products require?
A: Changepoint has three unique products: Daptiv PPM, Changepoint PSA, and barometerIT. Each of these products requires a very minimal amount of PII in order to be used, typically an email address for registration and password changes. While our PII requirements are minimal, we are working towards lessening the need for that data as well as obfuscating the data whenever possible.
Q: Can I remove my PII from your products?
A: Yes, unless there is an overriding exception as outlined in the GDPR, such as medical record requirements and other legal data record requirements. We have policies in place to verify the storage requirements with the Controller of the data and will work with them to anonymize or delete the data without undue delay.
Q: Are Changepoint vendors and sub-vendors required to be compliant?
A: Yes. However, we do not process customer or user data, so we don't outsource those services. We may use some data, such as email, for marketing purposes, but we have a well-established process for users and customers to opt out of that process from the start. To be extra cautious, we are working with our vendors to add addendums to our contracts that require them to be GDPR compliant in addition to the confidentiality agreements that are already in place.
Q: We, as a company, store PII in one or more of your products; how can we comply?
A: If you have data that qualifies as being regulated by GDPR (for example, you uploaded a document with PII for a GDPR-covered person or persons), it is up to the customer to remove that data. Since we do not process or access customer data, we do not inherently know if your data is GDPR regulated. Our most significant undertaking to be GDPR compliant concerns data that is uploaded or input by customers. We are working on solutions that will allow customers to anonymize or remove GDPR-regulated data using automated solutions, but as of today the process would be manual.