Safe, Secure, and ready for GDPR

Nothing matters more to us than the security of your data. We have you covered for the EU’s new General Data Protection Regulation (GDPR).

Securing your data

Protecting customer data is a top priority at Bonusly. We understand you are trusting us with your data and we take the responsibility of securing it extremely seriously. Our Security page outlines all of our practices.

Data Correction

Account admins can modify collected personal data to meet the correction requirement of the GDPR by using our user management tools or making a request to [email protected].

Right to be forgotten

You can request that personal information in your account be permanently removed.

Built for security

Bonusly protects all of our customers with an array of security features.

  • Data encryption in transit
  • Data encryption at rest
  • Data centers routinely audited with industry-standard SSAE-16 methods
  • Data redundancy for resilience during disasters
  • SAML, OAuth, and OpenID support for secure authentication
  • Continuous network monitoring
  • EU-US Privacy Shield Certified
  • Swiss-US Privacy Shield Certified
  • Industry-standard security evaluations
  • Independent third-party security reviews and penetration tests
  • Role-based authentication
  • IP address passlisting

What is GDPR?

Effective May 25th, 2018, GDPR tightens the rules for businesses on how they collect, store and process EU citizens’ personal data. The new regulations impact organizations worldwide that collect and process personal data of EU citizens. Some of the key changes likely to impact your customer feedback programs are listed below.

Bonusly, GDPR, and Privacy Shield

We are aware of the July 16, 2020 decision of the European Court of Justice relating to the EU-US Privacy Shield and the September 8, 2020 opinion of the Federal Data Protection and Information Commissioner of Switzerland (FDPIC) relating to the Swiss-US Privacy Shield, in each case causing the applicable Privacy Shield Framework to be unavailable as a valid mechanism for data transfers to the United States. Nevertheless, in accordance with guidance from the United States Department of Commerce, Bonusly continues to be responsible for its obligations under both frameworks. Accordingly, we remain committed to the Privacy Shield Frameworks as set forth below, pending the outcome of negotiations between the Commerce Department and EU and Swiss authorities for an enhanced Privacy Shield program. In the meantime, for concerned customers, Bonusly will be happy to enter into an appropriate data processing addendum, including the “standard contractual clauses” approved by the European Commission and recognized by the FDPIC.

Europe is currently leading the way in terms of regulating the protection of personal data of individuals. The new EU General Data Protection Regulation (“GDPR”), which replaces the 1995 EU “Data Protection Directive” (and the laws of the various EU member states implementing the 1995 Directive), has been the focal point of discussion and compliance efforts for many companies around the world, including Bonusly.

Bonusly is committed to respecting the privacy rights of all of its customers and their users, and to taking reasonable and appropriate measures to protect the privacy and security of their personal information, including by implementing measures designed to comply with specific, applicable provisions of GDPR.

One such requirement, which is a carryover from the 1995 Directive, relates to cross-border transfers of data from the EU and Switzerland to the US. Bonusly is certified under both the EU-US and Swiss-US Privacy Shield Frameworks, which were designed by the US Department of Commerce, the European Commission and the Swiss Administration, and which are administered by the US Department of Commerce. The Privacy Shield Frameworks recently replaced the old EU-US and Swiss-US “Safe Harbor” Frameworks. Bonusly complies with the data protection principles outlined in the Frameworks. For more information, see the “Privacy Shield” section of our Privacy Policy and see our certifications at the Commerce Department’s “Privacy Shield” website.

More generally, Bonusly has updated its technology, service offerings, terms and conditions of service and privacy notice to reflect our ongoing commitment to data privacy and security in compliance with our agreements with our customers and with applicable law.

Enabling you to be GDPR compliant

Bonusly enables customers to be GDPR compliant. Briefly stated, that means Bonusly:

  • Provides sufficient guarantees to the controller to implement appropriate technical and organizational measures designed to safeguard customer data
  • Processes data (that could include personal data) only to fulfill its obligations as related to the Services
  • Enables users to modify and delete their personal data
  • Provides security documentation that describes the processes and procedures for safeguarding the data at our Security page
  • Can sign a contract that governs the processing of EU personal data

GDPR contract – Data Processing Addendum (DPA)

GDPR Article 28, Section 3, requires that a contract be in place between a data controller and a data processor. For years, the Bonusly Terms of Service, Privacy Policy, and Customer Agreements have provided the fundamental legal requirements and obligations regarding data ownership, processing behavior, safeguarding data, and more.

However, if as a Bonusly customer you desire to have a GDPR-specific addendum to your agreement, please contact our Customer Success team at [email protected] to put one in place.

Any questions?

Don’t hesitate to contact us to find out more about our changes and how we’re helping you to comply.