July 2022

CONTENTSQUARE AND INTERNATIONAL DATA TRANSFERS: 

Our Commitment 

Privacy and Security remain steadfast priorities at Contentsquare. We at Contentsquare are committed to protecting our Customers’ Personal Data whether within or outside the EU/UK. Specific information about Contentsquare’s position on the Google Analytics decisions and resulting guidelines can be found here.

Capitalized terms used in this document shall have the meaning assigned to them in the DPA (here) and MSA (here).

  1. European Data storage in the EU. By default, our European Customers’ Personal Data are stored in our hosting providers’ data centers located in Ireland (primary) and Sweden/Netherlands (backup). 
  2. Contentsquare’s Affiliated companies located outside the EEA/UK may have access to Personal Data only to perform its Services to Customers. Such access is essential for providing follow-the-sun 24/7 support to our Customers. See our list of Sub-Processors and their location here.
  3. We sign the Standard Contractual Clauses with each of our Sub-Processors. Contentsquare relies on the transfer mechanism approved by the European Commission in June 2021, the Standard Contractual Clauses for Processor to Processor. 
  4. Contentsquare carried out Data Transfer Impact Assessments (‘DTIA’) in order to ensure an essentially equivalent level of protection to GDPR when transferring personal data to the US. Here are the key supplementary measures that Contentsquare implements to protect Customer’s Data:
    1. Our Customers’ Personal Data are encrypted at all stages. Personal data is encrypted with TLS 1.2 during transfer and with AES-256 while at rest, and we maintain strict access restrictions.
    2. We maintain up-to-date security and privacy certifications. Contentsquare is certified under ISO 27001 for our security program, and ISO 27701 for our privacy program. We are also able to provide customers with our latest SOC 2 Type 2 report upon request.
    3. Third-Party Access to Customers’ Personal Data. We contractually commit to notify our customers in writing when we receive a request or order to disclose our Customers’ Personal Data to third parties (unless we are prohibited by applicable law). Any request or order that is not legally binding is rejected. We also maintain a Transparency Report to disclose any requests we do receive and their scope. To date, we have not received a third-party disclosure request of any kind.
    4. We consider the data we have in our system as pseudonymized data. Although Contentsquare collects online identifiers (IP address and online unique ID), we consider our data as pseudonymized because individual data subjects cannot be identified without the use of additional information.
    5. Keeping data collection to a minimum. Contentsquare’s solution collects only the minimum amount of personal data required to provide our customers with the ordered services. We provide our customers with tools to identify and block unnecessary personal data from being collected and transferred to Contentsquare.
    6. Privacy features offering. We offer our customers product options that can operate without collecting IP addresses or without the use of cookie technology, instead relying on SessionStorage technology, which expires at the end of the session.

In addition, there is a very low risk that Contentsquare would be subject to US surveillance laws (e.g. Section 702 FISA (50 U.S.C. § 1881a), Executive Order 12333) that permit access by the US government to personal data because (i) we are not considered a telecommunications service provider or a remote computing service under Section 702 FISA and (ii) we maintain, and are continuously improving, robust supplementary measures as described above.

Our DTIAs are available upon Customer’s request.