Data protection

Data protection according to EU GDPR

Data protection and information security are central to contentbird's products and services.

The protection of your data and your trust are very important to us. Therefore, we have implemented technical and organizational measures to ensure the security of data processing, which we continuously improve.

contentbird makes data protection easy and enables you to work in compliance with the EU General Data Protection Regulation (GDPR).

01.

General

How does contentbird handle data protection requests from affected individuals?

As a data processor, we have a strong interest in handling confidential information and personal data in compliance with data protection regulations. This includes safeguarding the rights of data subjects, in particular processing and fulfilling their requests. Due to legal obligations, all requests from data subjects must be answered and fulfilled by the data controller within four weeks. Requests are forwarded to our data protection team and reviewed according to established procedures. Before we pass a request we have received on to you, it undergoes a pre-qualification process.

How does contentbird handle potential data breaches and security incidents?

Our customers' high standards of integrity extend to the handling of data protection and security incidents. All data protection incidents must by law be reported to the relevant supervisory authority within 72 hours, provided the incident is likely to pose a risk to the rights and freedoms of natural persons. A swift and structured review of security incidents is therefore crucial, and you will be informed immediately. Potential breaches can be detected through our information security structures or reported to the information security and data protection team via the designated internal processes for detailed investigation. This allows us to investigate even seemingly minor incidents and regularly train our employees on data protection and IT security compliance.

How does contentbird implement the information obligations pursuant to Articles 13 and 14 GDPR?

Contentbird provides comprehensive data protection information for its Content Marketing Suite. This information is modular, tailored to the specific product package booked, and regularly updated by Contentbird. According to the GDPR, the data protection information obligations fall under the responsibility of the customer company (controller within the meaning of Art. 4 No. 7 GDPR). Our customers use their own privacy policy. Please contact our Customer Service at support@contentbird.io.

How are data protection and information security ensured in the home/mobile office?

Contentbird has established comprehensive security measures. Specific technical and organizational precautions have been taken for home and mobile office use to ensure data protection and security. Work devices are additionally encrypted and equipped with a Virtual Private Network (VPN). Customer data is stored exclusively in data centers, software access is via HTTPS, and system-level access is restricted to selected administrators via VPN. Specific work guidelines exist for home and mobile office use.

02.

Order processing

What data is processed?

The scope of personal data processing is primarily determined by the description of the processed data categories (Data Processing Agreement for Operations and Trusted Content Software), (Data Processing Agreement for Convert Software). The annex to our Data Processing Agreement also covers special categories of personal data. The data categories described in the Data Processing Agreement are therefore "broadly defined".

Where can I find a description of the technical and organizational measures?

A description of the technical and organizational measures (TOMs) can be found in Appendix A to our data processing agreement (Data Processing Agreement for Operations and Trusted Content Software), (Data Processing Agreement for Convert Software). To demonstrate compliance with and further develop these measures, contentbird conducts regular internal audits and reviews in addition to a data protection and information security management system (DSMS/ISMS).

Who is responsible for data processing?

Contentbird provides all services related to the Content Marketing Suite as a data processor, unless personal data is explicitly processed for its own business purposes and may be legitimately processed. According to Article 4 No. 7 GDPR, the customer company is the data controller within the context of using the Contentbird Content Marketing Suite. Furthermore, data processors (contentbird) are also data controllers within the meaning of the GDPR, for example, with regard to their own subcontractors or processing for their own business purposes.

Does contentbird use subcontractors for order processing, and if so, which ones?

It is important to us that our subcontractors meet adequate security standards. Therefore, we pay particular attention to compliance with the GDPR as part of our order processing, as well as to common security standards such as ISO 27001 certification. Our data centers provide us with housing services, meaning they supply us with power, rack space, and internet access, including firewalls, load balancers, and secure SSL certificates. Maintenance and installation of hardware and software are handled by contentbird. The data centers used are regularly inspected and audited by contentbird. The data centers are an essential contractual component of the service and order processing; without them, we cannot provide our products. Currently, we use data centers from the following providers: Amazon Frankfurt, EMC HostCo GmbH, and Hetzner Online GmbH. The documentation and certifications of our subcontractors can be found here: Amazon ISO certificate and documentation, EMC HostCo ISO certificate and documentation, and Hetzner Online GmbH ISO certificate.

Contentbird uses Intercom for support processing. Why isn't Intercom a subcontractor?

Contentbird uses Intercom as a tool to process support requests. We consider ourselves the data controller for Intercom within the meaning of data protection laws. Therefore, Intercom is not a subcontractor for the purposes of commissioned data processing. The use of Intercom for support purposes, and thus the transfer of our customers' data (specifically the business email address of the user submitting the request), is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. Alternatively, you can contact the direct support team with your request, e.g., by email. Intercom stores data in the USA.

Are contentbird's employees regularly trained in data protection and bound to confidentiality?

Training and committing employees to the confidentiality of personal data and customer information is an integral part of both onboarding and offboarding, as well as data protection and information security management at contentbird. To this end, we regularly conduct internal data protection and awareness training sessions focusing on data protection and information security. Our experts in this area are available to all colleagues as points of contact.

Is a backup strategy in place, and what tools are being used? Have restore tests been performed?

In the event of a failure, a restore can usually be performed immediately or on the same day. Files, databases, and entire hard drives are backed up. Redundant mirroring of the production environment ensures that even if one data center fails, production operations can be restarted in another. Backups are stored geo-redundantly on encrypted storage media. Restore tests are performed on a random basis. Backups are monitored and verified.

03.

Content Marketing Suite

How long will data be retained?

To comply with legal requirements for data deletion, a global deletion concept has been established at both the process and product levels. A key focus is on contentbird products, which, to meet the requirements of "privacy by design," include data deletion implementations. A crucial component is the deletion of participant data, which can be deleted by the data controller according to operational requirements. contentbird recommends setting a retention period of six months for participant data.

Is there a description for the register of processing activities?

We are happy to provide our customers with the information required for the legally mandated record of processing activities upon request. However, contentbird's description of the processing activity with regard to commissioned data processing does not replace the controller's obligation to include the processing in their own record.

Social Share Buttons on Convert Products

Within the interactive formats of the Convert module, it is possible to activate so-called "social share buttons" (XING, LinkedIn, Facebook, etc.). These buttons are not plugins from the social networks. Unless explicitly stated otherwise, only external links are used. This means that data is only transmitted to the social networks when the website user clicks on the link.

Which cookies are set in Convert's standard frontend?

For the prediction game, a login token named `contilla-webapp-sportsbet-<campaignID>-token` is stored in local storage for automatic login. The interactive graphics use local storage for previously visited hotspots.

Why is there no cookie banner on Convert's standard frontend?

The interactive content formats are integrated into the client's website by the client and are the client's responsibility.

How does contentbird count how often a Convert product has been viewed/clicked?

Contentbird Convert tracks the usage of the delivered formats through automated and/or interaction-based messages to the delivering server (usually delivery.contentbird-convert.com; however, this can be configured to a different subdomain on contentbird-convert.com or other domains owned by contentbird GmbH at the customer's request). The collected information allows conclusions to be drawn about the time of execution in the client browser, the use of offered content (e.g., opening hotspots, displaying and clicking on embedded advertising spaces ("banners"), etc.), the progress within the timeline, and the total duration of the format. No personal information is collected. Thus, no conclusions can be drawn about the user or the browser/computer used. The raw data collected in this way is aggregated and processed for use by the customer, categorized by time and event groups. Therefore, the customer cannot perform individual analyses of specific end-user interactions. Customers do not have access to the collected raw data.

Are accesses/activities logged in the system?

The system history logs access attempts to the Content Operations Suite as well as modifying operations on data records.

04.

All documents and important attachments at a glance

Hosting Made in Germany

At contentbird, all hosting is “Made in Germany.” Our certified AWS data centers in Frankfurt, as well as those of EMC HostCo GmbH and Hetzner Online GmbH, offer the highest security standards for the storage and availability of your data. Compliance with the requirements of ISO 27001 is confirmed by EY CertifyPoint.

Privacy Policy

For contentbird, the protection and confidentiality of your data is of utmost importance. Click here for the privacy policy of contentbird products.

General Data Protection Regulation

The Content Marketing Suite from contentbird offers you the opportunity to work in compliance with GDPR.

Terms of use and contract templates

Read the terms of use of contentbird GmbH for the contentbird Content Marketing Suite here. You can download our data processing agreements (Data Processing Agreement for Operations and Trusted Content Software) and (Data Processing Agreement for Convert Software) directly here for completion. Please send the signed agreement to: support@contentbird.io

Questions about data protection and security?

Address
Knesebeckstraße 59 - 61
10719 Berlin
Business hours
Monday - Friday
9:00 AM to 6:00 PM