Sub-processor in the US
As you can also see in our DPA, we're using a sub-processor in the US for sending email notifications from Smartplan. Below you can read our transfer impact assessment and why it's safe to use this sub-processor.
Transfer Mechanism:
ActiveCampaign, LLC has implemented EUs Standard Contractual Clauses in their DPA.
Our Transfer Impact Assessment (TIA):
We have decided to use ActiveCampaign, LLC for our Transactional Emails, because we couldn't find a EU provider that lived up to the same trustworthy approach for handling emails.
All the EU providers we talked to could not clarify well enough where our data was located.
We know ActiveCampaign, LLC is a US company and in this assessment we want to clarify that we find it necessary and safe to use ActiveCampaign, LLC as a transactional email provider.
ActiveCampaign, LLC is doing our transactional emails: Email notifications from Smartplan.
The emails contain the following data:
- Notifications from Smartplan.
- Messages the users on the Smartplan account send to each other.
Persondata:
The notifications can contain names of employees.
The messages contain the content the employees put in the message.
Why we trust ActiveCampaign, LLC
ActiveCampaign, LLC's business model is based on transactional emails. Not marketing emails. We believe it's in their interest to protect our emails in order to stay in business. An email marketing company would instead have an interest in harvesting the data to sell it. We don't have to worry about this with ActiveCampaign, LLC. We don't have to try to figure out where the data is and how it it's used. They are very clear about where the data is hosted and that it is automatically deleted after 45 days.
ActiveCampaign, LLC is only using two sub-processors, which makes it easier for us to trust that we know how the data is processed. We have also put the following as reasons we believe the use of ActiveCampaign, LLC is fully compliant:
- The data center ActiveCampaign, LLC is using has very high security demands and has the following certifications: ISO 27017, ISO 27018, SOC 1, SOC 2, and SOC 3, PCI DSS Level 1.
- Their employees are under confidentiality.
- Employees with access to data is screened and security vetted.
- They encrypt all data during transport.
- Their deletion policy looks like ours. They keep data for 45 days for debugging after that it is automatically deleted.
- They have addressed local laws and obligations in their DPA.
- They have implemented the EU SCC's in their DPA.
- We tried other providers and no one were as transparent as ActiveCampaign, LLC.
- They deliver emails fast and reliable, which is a need for Smartplan to work well for our customers.
- The type of data processed is of very low risk for the individual.
- The users can decide to turn off email notifications and no data is sent.
You can read a lot more about ActiveCampaign, LLC data security here: https://postmarkapp.com/eu-privacy#security-and-privacy