EU Data Protection

Effective as of Thursday, May 24, 2018 and in line with the General Data Protection Regulation (GDPR).
EU Data Protection last update: Thursday, May 9, 2019.

Overview

Xeno prioritizes customer trust. We know that customer data is important to our customers’ values and operations. That is why we keep it private and safe.
Xeno supports many customers in over 100 countries. Our customers entrust us with large amounts of sensitive information, stemming from a wide range of industries including healthcare, financial services, government, and technology.
Xeno helps customers maintain control of their privacy and data security in multiple ways:
Data Security:

  • We provide our customers with compliance with high security standards, such as encryption of data in motion over public networks, Distributed Denial of Service (“DDoS”) mitigations, and a Support team that is on call 24/7.

Disclosure of Customer Service Data:

  • Xeno only discloses Service Data to third parties where disclosure is necessary to provide the services or as required to respond to lawful requests from public authorities.

Trust:

  • Xeno has developed security protections and control processes to help our customers ensure a secure environment for their information.

Data Hosting Locality:

  • Our data center location depends on our customers’ location (i.e., United States (The Dalles, Oregon, and Berkeley County, South Carolina) for US customers; European Union (St. Ghislain, Belgium) for European customers). In some cases (for Large Enterprise customers with a custom subscription), the location of the data center can be chosen or adapted.

Access Management:
Xeno provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining and improving the Xeno services and as otherwise required by law.

What is Service Data?

Service Data is any information, including personal data, which is stored in or transmitted via the Xeno services, by, or on behalf of, our customers and their end-users.

Who owns and controls Service Data?

From a privacy perspective, the customer is the controller of Service Data, and Xeno is a processor. This means that throughout the time that a customer subscribes to services with Xeno, the customer retains ownership of and control over Service Data in its account.

Who are Xeno’s sub-processors?

Xeno maintains a list of the names of all sub-processors (including third parties) used for hosting or other processing of Service Data. This list can be found at the very end of our Data Processing Agreement.

How does Xeno use Service Data?

We use Service Data to operate and improve our services, help customers access and use the services, respond to customer inquiries, and send communication related to the services.

What steps does Xeno take to secure Service Data?

Xeno prioritizes data security and combines enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer and business data is always protected.
For example, Xeno servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities. Additionally, we engage third-party security experts to perform detailed penetration tests, and our Support team is on call 24/7 to respond to security alerts and events.
Xeno makes Vulnerability Scan Reports produced by Qualys, Inc. available to leads and customers, especially large Enterprises. (Qualys, Inc. provides cloud security, compliance and related services and is based in Foster City, California. Qualys was the first company to deliver vulnerability management solutions as applications through the web using a “software as a service” (SaaS) model, and as of 2013 Gartner Group had given Qualys a “Strong Positive” rating for these services for the fifth time.)

Where is Service Data stored?

Xeno has data centers in three main regions — United States, Asia Pacific, and the European Union. Service Data may be stored in any region. Customers can select the region in which data centers that host certain of their Service Data are located by purchasing a Custom Add-On.

How does Xeno respond to information requests?

Xeno recognizes that privacy and data security issues are top priorities for customers.
Xeno does not disclose Service Data except as necessary to provide its services to its customers and comply with the law as detailed in this Privacy Policy.
Where we need to act publicly to protect customers, we do. Xeno has voiced its support for the USA Liberty Act that seeks to reform the surveillance program under Section 702 of the Foreign Intelligence Surveillance Act (“FISA”).

How does Xeno respond to legal requests for Service Data?

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information with relevant law enforcement agencies or public authorities if we believe same to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Subscription Agreement, or as otherwise required by law.

EU Directive

The EU Data Protection Directive (also known as “Directive 95/46/EC”) addresses the processing of personal data and the free movement of such data. Broadly, this Directive sets out a number of data protection principles and requirements which must be adhered to when personal data is processed.
Directive 95/46/EC established the Article 29 Working Party (“WP29”), which is comprised of representatives from the data protection authorities of all the EU Member States as well as from the European Commission. WP29 works to harmonize the application of data protection rules throughout the EU and also advises the EU Commission on the adequacy of data protection standards in non-EU countries.

How does the EU Directive apply to customers?

Xeno customers that collect and store personal data are considered data controllers under Directive 95/46/EC. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant EU data protection law, including Directive 95/46/EC and the GDPR as of May 25, 2018.

What is a Data Processing Agreement (“DPA”)?

Xeno offers customers a robust Data Processing Agreement (“DPA”), governing the relationship between the customer (acting as a data controller) and Xeno (acting as a data processor). The DPA facilitates Xeno’s customers’ compliance with their obligations under EU data protection law. Our DPA contains strong privacy commitments that few software companies can match, and has been updated to confirm our compliance with the GDPR as and from May 25, 2018. Our DPA contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to Xeno outside of the European Union.

What are the “Model Clauses”?

The European Commission has approved a set of standard provisions called the Standard Contractual Clauses (“Model Clauses”) which provide a data controller a compliant mechanism to transfer personal data to a data processor outside the European Economic Area (“EEA”).

Does Xeno replicate the Service Data it stores?

Xeno periodically replicates data for purposes of archival, backup and audit logs. We use Amazon Web Services, Inc. and/or Digital Ocean, Inc. to store some of the information that is backed up, such as database information and attachment files.

Does Service Data hosted in the EU region ever leave that region?

Xeno customers who choose a Custom Plan have the ability to select the region (from a list defined by Xeno) where the data center which hosts their Service Data is located. Otherwise, Xeno may utilize any of its global data centers to host Service Data.

GDPR

Since our inception, Xeno’s approach has been anchored with a strong commitment to privacy, security, compliance and transparency. This approach includes supporting our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”).
If a company collects, transmits, hosts or analyzes personal data of EU citizens, GDPR requires the company to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR. To further earn our customers’ trust, our DPA has been updated to provide our customers with contractual commitments regarding our compliance with applicable EU data protection law and to implement additional contractual provisions required by the GDPR. Our contractual commitments guarantee that customers can:

  • Respond to requests from data subjects to correct, amend or delete personal data.
  • Be made aware of and report personal data breaches to relevant supervisory authorities and data subjects in accordance with GDPR timeframes.
  • Demonstrate their compliance with the GDPR as pertaining to Xeno’s Services.

Xeno GDPR Product Readiness

The General Data Protection Regulation (GDPR) provides data subjects with an array of privacy rights, which provide individuals with greater transparency into and control over uses of their personal information.
At this point, you may be asking how Xeno’s products align with these privacy rights and where you can learn more about the features and functionality made available in Xeno’s products that support a GDPR compliance program.

GDPR compliant Xeno features

Transparency and Accountability

Purpose of the GDPR Obligation: Ensure transparent communication with data subjects regarding the processing of their personal data. Ensure data subjects are notified of their rights under the GDPR.

Features to work toward your GDPR Obligations: Xeno’s Subscription Agreement, Privacy Policy, and supporting policies provide a transparent notice to inform its customers.

Exceptions to the GDPR Obligation: A data controller is exempt from these obligations if it cannot identify which personal data in its possession relates to the relevant data subject (i.e., if personal data is anonymized and cannot be re-identified).

Access and Rectification

Purpose of the GDPR Obligation: Allow data subjects to require a data controller to rectify any errors in their personal data.

Features to work toward your GDPR Obligations: Agents have access to their profiles to amend inaccuracies. Also, Agents may update End-User profile information within individual chats.

Exceptions to the GDPR Obligation: Provision of this right to a data subject should not adversely affect an organization’s intellectual property (i.e., giving access to a data subject should not require disclosure of trade secrets).

Right to be Forgotten

Purpose of the GDPR Obligation: Provide data subjects with the right to delete their personal data if the continued processing is not justified. For example, you may need to delete your customer’s personal data to comply with your GDPR obligations.

Features to work toward your GDPR Obligations: Xeno customers can delete profile information for Chat Agents. By deleting the Chat Agent profile information in Xeno, the Chat Agent’s name, email, display name, and display image (avatar) will also be deleted. Chat Agent names will continue to display in Xeno transcripts, which can be independently deleted as well.

Exceptions to the GDPR Obligation: A company is not required to delete data, except when one of the following reasons is present:

  • The personal data is no longer needed in relation to the purposes for which it was collected or otherwise processed.
  • The data subject withdraws consent, and there are no other legal grounds for processing.
  • The data subject objects to processing, and there are no overriding legitimate grounds for processing.
  • The personal data has been unlawfully processed.
  • The personal data has to be erased for compliance with a legal obligation.
  • The personal data has been collected in relation to the offer of information society services to a minor under 16 years old.

Restriction Processing

Purpose of the GDPR Obligation: Provide data subjects the right to limit the purposes for which the data controller can process personal data. For example, your customer has filed a complaint or lawsuit against you, and it is your policy to stop processing while the complaint or lawsuit is pending.

Features to work toward your GDPR Obligations: Xeno has documented and implemented internal mechanisms for limiting the processing of personal data to only certain specified uses relating to Xeno products and services.

Exceptions to the GDPR Obligation: The requirement to restrict processing generally applies under the same circumstances as the right to be forgotten and/or when the following circumstances exist:

  • The accuracy of the personal data is contested (and only for as long as it takes to verify that accuracy).
  • The processing is unlawful, and the data subject requests restriction (and the data subject is not exercising the right to be forgotten).
  • The data controller no longer needs the personal data for the original purpose but still requires it to establish, exercise, or defend a legal right.
  • Verification of overriding ground is pending (in the context of a deletion request).

Data Portability

Purpose of the GDPR Obligation: Provide data subjects with the right to transfer their personal data between data controllers. For example, your customer requests for you to export and provide them with all associated personal data that you store.

Features to work toward your GDPR Obligations: Xeno provides the ability to export chat transcripts as well as all Xeno conversations.

Exceptions to the GDPR Obligation: Inferred and derived personal data (e.g., a credit score or health assessment) are not included because they are not “provided by the data subject.” Data controllers are not obligated to retain personal data simply for the purposes of providing a copy of the personal data pursuant to a potential data subject request.

Objection to Processing

Purpose of the GDPR Obligation: Provide data subjects with the right to transfer their personal data between controllers.

Features to work toward your GDPR Obligations: Xeno has documented and implemented internal mechanisms to:

  • Cease processing personal data based upon specific data subject requests, confirmed instructions by Xeno’s customer in its capacity of data controller, and the particular reasoning for objecting to processing.
  • Cease processing for direct marketing purposes upon request.
  • Cease processing of personal data for scientific, historical, or statistical purposes.

Exceptions to the GDPR Obligation: Data controller must cease processing upon request unless:

  • The data controller demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject.
  • The data controller requires the data in order to establish, exercise, or defend legal rights.
  • Processing for scientific, historical, or statistical purposes is carried out for reasons of public interest.

Note: These features and functionalities are currently available. Xeno will be updating and adding features and functionalities to further support customers and to go beyond GDPR compliance.

What is the GDPR?

The General Data Protection Regulation (“GDPR”) is a new European privacy regulation which will replace the current EU Data Protection Directive (“Directive 95/46/EC”). The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law.

To whom does the GDPR apply?

The GDPR applies to all organizations operating in the EU and processing “personal identifiable data” of EU residents. Personal data is any information relating to an identified or identifiable natural person.

What implications does GDPR have for organizations processing the personal data of EU citizens?

One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations will need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.

How has Xeno been preparing for the GDPR?

Xeno was compliant with the GDPR several weeks before it became enforceable in May 2018. Our team is working with customers around the world to answer their questions and to help them prepare for using Xeno’s Services in light of the GDPR. Additionally, our team is reviewing Xeno’s current product features and practices on a continuous basis to ensure we support our customers with their GDPR compliance requirements.

How can Xeno customers prepare for GDPR enforcement?

Xeno encourages customers to begin preparing for the GDPR by reviewing their privacy and data security processes and policies to ensure compliance by May 2018. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with EU data protection law. Below are some key points to consider for GDPR compliance:

  • Geographical Application: The GDPR may apply to organizations that are established in the EU as well as certain organizations established outside the EU but which are processing the personal data of EU citizens, depending on their activities.
  • Rights of End-Users: Organizations should be cognizant of End-Users whose personal data they may be processing. The GDPR establishes enhanced rights for End-Users, and organizations should be able to accommodate those rights.
  • Data Breach Notifications: Organizations that are controllers of personal data should have clear processes in place in order to comply with the GDPR requirement to report data breaches in accordance with the time frames set out within the GDPR. Xeno will notify affected customers without undue delay if we become aware of a data breach of our services.
  • Appointment of Data Protection Officer (“DPO”): Customers may need to appoint DPOs to manage issues relating to the processing of personal data.
  • Data Processing Agreement (“DPA”): Where personal data is transferred outside the EEA, a customer may need DPAs in place with its sub-processors to ensure an adequate level of protection for the transferred data. Xeno’s DPA addresses GDPR and can be obtained here.

Does Xeno currently provide any product-specific features or functionality in its Support product to assist us with our GDPR compliance program?

Xeno provides customers the option to delete Service Data that may contain personal data, such as profiles, tickets, conversations, images, and attachments, in active Xeno accounts. Within the Xeno product, Administrators and Agents (collectively described as “Users”) have profiles with hierarchical privileges.
1. Agent Profile Deletion: Xeno currently supports the deletion of Agent profile information.
Administrators can delete profiles of all Users, including Agents.
Xeno retains Account Owner information in order to continue to provide its products. When an account is terminated, Xeno follows a Data Deletion Policy for remaining profile information.
2. End-User Profile Deletion: Xeno currently supports the deletion of End-User profile information.
Both Administrators and Agents can delete End-User profiles as long as the End-Users are not requesters on open conversations.
Following this deletion action, the End-User profile is removed from the User Interface and the End-User identity is deleted from the system, along with OAuth Tokens, Sessions and Saved Searches.
3. Conversation Deletion: Conversations can be deleted by sending a deletion request to this dedicated email address: privacy (at) xenoapp (dot) com (average response time: 4 business days).
4. Attachment and Image Deletion: Customers can delete attachments and images by deleting the Support conversations to which those attachments and images are attached.
These features and functionalities are currently available. Xeno will be updating and adding features and functionalities to further support customers and to go beyond GDPR compliance.

Does Xeno have approved BCRs in place?

Xeno is currently completing the EU approval process with the Irish Data Protection Commissioner (“DPC”). This significant regulatory approval will validate Xeno’s implementation of the highest possible standards for protecting personal data globally, covering both the personal data of its customers and its employees.