Last modified: August 25, 2020
Data Protection Agreement
This document references terms as defined in the Data Protection Agreement (the “DPA”) which can be found here.
Information about Platform users, includes:
- End-user login/registration information (business email and password) as well as metadata about user usage and device information to monitor user experience.
- Login information is managed by Elevate Customer Support, users can be created or deleted at any time — within 24 hours of request.
- Customer Data necessary to answer users’ queries.
- Customer Data is stored in an encrypted and dedicated Google Cloud Platform (the “GCP”) project. Customer Data is also stored as cache for up to 30 days within Elevate’s subprocessor encrypted servers as required.
- Data Security Procedures
- Each Customer’s data is stored within an encrypted “closed system”.
- Integration to Customer Data Sources:
- Connection to Customer’s databases are SSL encrypted.
- Read-Only access required.
- Database Credentials or SaaS Tokens are stored securely in key management system.
- Elevate maintains Admin access to the integration platform; no client access necessary but available upon request.
- Dedicated FiveTran instance to manage integration and transformation into GCP project. See FiveTran security documentation.
- Dedicated GCP Project encrypted project per client for storage.
- Elevate maintains Admin access, client has edit and read access.
- Since Elevate relies on GCP, physical and environmental security is handled entirely by Google. Google provides an extensive list of compliance and regulatory assurances, including SOC 1/2/3, PCI-DSS and ISO27001. See GCP compliance, security, and data center security documentation for more detailed information.
- Dedicated Query Application (Looker Data Sciences) Connection per client.
- Dedicated Client folder and LookML project.
- Platform User Accounts are managed by Elevate Customer Success team, user attributes available to enable row or column level security per client’s requirements.
- Customer can request new user or user removal from Elevate at any time, user changes will occur within 24 hours of request.
- Who are Elevate’s Subprocessors?
- Fivetran, Inc. (Data Processing) – Link to Privacy Shield
- Talend, Inc. (Data Processing) – Link to Privacy Shield
- Google LLC (Hosting, Storage) – Link to Privacy Shield
- Looker Data Sciences Inc. (Query & Display) – Link to Privacy Shield
- Snowflake, Inc. (Hosting, Storage) – Link to Privacy Shield
Where will Customer Data be stored?
Elevate runs data connectors on servers in the US and EU regions, and can configure per Customer. If configured in the US or EU, Customer Data will not leave the selected region during integration processing. Customer Data is cached on servers while processing and is expunged within 24 hours after completion. Customer Data is then stored within the dedicated GCP project based on customer requirements (US or EU). Front-end application (Looker) is hosted in the US and is Privacy Shield certified, meaning that the Platform complies with the EU-U.S., Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union, United Kingdom and Switzerland, as applicable, to the United States. Cached data in Front-end Application will be expunged within 30 days.
Data Retention Policy
Customers can request data content inquiries and data deletion at any time. Elevate stores non-personal operational information for the length of contractual agreement with Customer. At the end of any agreement with Customer and Elevate, ownership of the GCP project containing stored data will be transferred from Elevate to Customer.
The Platform uses a read-only connection or SFTP server to access Customer Data needed to answer questions and only displays the relevant result set based on question/query to the end-user. Row and Column level security available based on user attributes.
Additional Use and Retention
Elevate has legitimate interest to further process your Personal Information collected by the Platform as follows:
- To administer your Platform user accounts.
- To enable your access and use of the Platform, and to enable you to communicate, collaborate, and share information with those you designate.
- To provide product enablement, customer service, and support.
- To monitor your user experience on the Platform.
Customer Personal Information Policy
The Platform will only store Customer Data necessary to deliver operational and analytical insights as defined during product implementation & discovery. No personal information (Name, Address, Email, IP, etc) will be ingested & stored in the Platform unless otherwise stated and amended through a contract addendum.
How does Elevate Respond to Information Requests?
Elevate will respond to requests to access, change, or delete information within 30 days.
How does GDPR apply to Elevate?
Elevate has a strong commitment to privacy, security, compliance, and transparency. This includes supporting our Customers’ compliance with EU data protection requirements and GDPR.
For EU citizens per GDPR, Elevate will:
- Respond to requests from data subjects to correct, amend or delete personal data.
- Report personal data breaches to relevant supervisory authorities and data subjects in accordance with GDPR timeframes.
How does the California Consumer Privacy Act of 2018 (CCPA) apply to Elevate?
Elevate supports data privacy for California residents and will abide by the following rights and procedures in accordance with CCPA:
- Right to know about Personal Information Collected, Disclosed, or Sold.
- RIght to Request Deletion of Personal Information.
- Right to Opt out of Sale of Personal Information.
Elevate does not consume Personal Information of Customer’s Customers, however, will treat all Customer Data with the same level of security and privacy.
Do Not Track Signals
Elevate does not track visitors to the Site across third-party websites and therefore do not respond to Do Not track signals in these circumstances.