Getting Started
Your First Ten Minutes (Admin)
Your First Ten Minutes (Users)
Product Basics
What is Variance?
What is an event?
Milestones
Smart Events
Streams
Accounts
Contacts
Event Types
Following
Properties
Tags
Views
Favorites
Team Management
Billing
Integrations & APIs
Variance.js
Segment
Slack
RudderStack
Freshpaint
PostHog
Zapier
Hubspot
Salesforce
Webflow
Census
Hightouch
Inbound Webhooks
All Data Sources
Troubleshooting
What if I don't have a CDP?
Legal & Privacy
Data Processing Agreement
GDPR
Mutual NDA
Privacy Policy
SLA
Subprocessors
Terms and Conditions
Terms of Use
Vulnerability Disclosure Policy
What's New?
Support
What's New?
Changelog
Back to Docs
On This Page
    Back to Docs

    GDPR

    Effective Date:
    February 15, 2022
    On This Page

      The General Data Protection Regulation (GDPR) provides consistent standards to protect EU citizens’ rights regarding how their data is being used. It went into effect on May 25, 2018, and applies to any company that handles personal data from EU citizens and those living in the EU.

      As a Processor for your user data, we are committed to making it easier for you to comply and equipping you, our customers, with more accessible paths towards your compliance with applicable laws and regulations. 

      GDPR Basics

      Replacing the previous EU privacy directive 95/46/EC, which had been in place for over 20 years, the GDPR strengthens and expands individuals’ privacy rights in an era in which much of life takes place online.

      The GDPR is extensive, affecting not just businesses based in the EU but also any company that processes EU citizens’ data. For instance, if you’re sending data about a person in the EU to Variance, the GDPR likely applies to you.

      The Data Protection Principles outlined in the GDPR include requirements like the following:

      • Personal data collected must be processed in a fair, legal, and transparent way and should only be used in a way that a person reasonably expects.
      • Personal data should only be collected to fulfill a specific purpose, and it should only be used for that purpose. Organizations must specify why they need personal data when they collect it.
      • Personal data should be held no longer than necessary to fulfill its purpose.
      • People covered by the GDPR have the right to access their data. They can also request a copy of their data and be updated, deleted, restricted, or moved to another organization.

      We’d encourage you to read the text in full and consult with your legal counsel for a complete understanding of the GDPR.

      Our commitments as a data controller and processor 

      The GDPR has different requirements depending on how your business interacts with personally identifiable user data.

      Data controllers are companies that supply goods or services to EU residents, or that track or monitor EU residents and decide why and how data is collected and processed. As one of our customers, you are likely a data controller under the GDPR. One of your requirements as a data controller is to only work with compliant data processors.

      Data processors are vendors or businesses that process data on behalf of data controllers. As a platform that ingests customer data, Variance is considered a data processor. 

      Here are initiatives Variance is committed to as one of your data processors:

      • Data Processing Agreement: Our Data Processing Agreement (DPA) reflects the requirements of the GDPR, including our Standard Contractual Clauses.
      • Technical and organizational security measures: Variance takes a holistic, risk-based approach to security. This means the platform secures your data in transit and at rest, restricts and secures data access, and provides continuous incident monitoring.
      • Processing according to controller instructions: As has always been the case, we only process personal data according to instructions from the controller (our customers). 
      • Prompt breach notifications: In line with our current policies, Variance will promptly inform you of any incidents involving your users’ personal data. 

      Helping you achieve compliance

      If you collect data about EU residents, you are likely considered a data controller under the GDPR. One of the biggest challenges you will face as a controller will be managing individuals’ requests to exercise their rights as defined by the Regulation. 

      Upcoming Capabilities

      To help you comply with user requests related to the right to erasure (the right to be forgotten), the right to object (the various rights to halt certain processing), and the right to restrict processing (the right to restriction), we are developing new capabilities that will be available to all Variance customers in mid-2022:

      • Right to be forgotten: we are making it easy to honor requests related to the right to be forgotten by adding delete capabilities for any user profile.
      • Right to restrict processing: in addition, we are adding the ability to suppress any userId. For any userId on the suppression list, we will block all incoming personal data pertaining to that userId from being tracked by Variance.

      In the interim, in order to ensure GDPR compliance, we can handle these requests on your behalf by emailing us at gdpr@variance.com.

      Existing Capabilities

      With regards to the additional rights defined in the GDPR, including the rights to access, data portability, and rectification, Variance already enables you to be compliant: 

      • Data portability: any profile data may be exported from our system via Zapier or a request to gdpr@variance.com.
      • Right to rectify: profile data can be adjusted at any time with an identify call.
      • Accountability: Variance has role-based permissions, supports encryption at rest of all associated account data, and many data management tools.

      We fully support the GDPR and think it’s good to treat customers and their data with care and respect. 

      If you have any questions or concerns regarding GDPR and Variance, please send us a message to gdpr@variance.com.

      Variance

      The System for Growth

      Resources

      2xTuesday
      Blog
      Customer Growth Platform
      Expansion Qualified Lead (EQL) Guide
      Five Forces
      Getting Product Data into Hubspot
      Getting Product Data into Salesforce
      MEDDPICC/MEDDIC Guide
      PLG Content Marketing
      PLG Design Inspiration
      PLG CRM
      PLG FAQ
      Product Led Growth (PLG)
      Product led growth companies
      Product Qualified Lead (PQL) Guide
      Top PLG Companies

      Company

      About & Culture
      Changelog
      Contact
      Customers
      Docs
      Integrations
      Jobs
      Press
      Pricing
      Security & Privacy
      Support

      Integrations

      Slack
      Hubspot
      Salesforce
      Segment
      Zapier
      Clearbit
      RudderStack
      Freshpaint

      Follow Us

      Subscribe to Variance News
      Social