Our commitment to privacy and data protection
Nutshell’s stance has always been that you own your data. Security has always come first, and always will, as we build, develop, and support your CRM. We are committed to our customers’ data protection and data privacy, and we welcome the General Data Protection Regulation (GDPR) as it strengthens and standardizes user data privacy across the EU.
The GDPR takes effect on May 25, 2018, and expands the obligations of organizations that handle the personal data of EU citizens. If you are located in the EU or do business in the EU, you are subject to the regulations. Below, we’ll share Nutshell’s preparations for GDPR compliance and information about how you can maintain your own compliance using Nutshell.
- How Nutshell is prepared for GDPR
- International data transfers
- Data portability and how you can comply with GDPR using Nutshell
How Nutshell is prepared for GDPR
The Nutshell team has been diligently planning our approach to GDPR. We are eager to assist our current and future customers to confidently use Nutshell to serve their EU-based clients.
Nutshell is a data processor for your organization.
Nutshell has been:
- Conducting a full-scale data mapping exercise; we know where your data is stored, who can access it, and how it’s used.
- Requiring the third-party services we use to enhance your experience to adhere to Safe Harbor Privacy Principles or, at a minimum, to certify that they follow privacy protection equal to Nutshell’s. Please contact our team for more information about third-party processors at firstname.lastname@example.org.
- Conducting organization-wide training on customer privacy and data security awareness.
- Ensuring our employees only view personal data stored in your account with your permission or for technical troubleshooting.
- Preparing to provide necessary model clause agreements.
- Planning product changes to assist with your compliance efforts.
- Developing on-demand full deletion of any company, person, or lead record.
- Developing on-demand individual exports of any company, person, or lead record.
Nutshell considers the security of our users and the data they collect to be a top priority. We are trusted with our customers’ valuable data every day, and we’ve set high standards for data safety and reliability.
Nutshell has invested in our technical, administrative, and physical infrastructure to continuously meet or exceed industry standards. In preparation for GDPR, we are expanding awareness around security and best practices across our entire organization. We are also maintaining a detailed data map to record where personally identifiable data is stored, who has access to the data, the purpose of the data storage, and how the data is imported/exported.
Nutshell uses Amazon Web Services (AWS) to store and secure all customer data. Your data is encrypted at rest in our databases and accessed over TLS 1.2 connections with 256-bit encryption. We do not store credit card or other financial information on our servers, and billing information is always secured with a PCI-compliant provider.
Our security page provides in-depth information about our approach to security.
International data transfers
Your data is securely stored in the United States on AWS servers. Nutshell has entered into a Data Processing Addendum with AWS that protects the transfer of data from the EU to our US servers. Data transfers from the EU and EEA to the US are covered under these agreements and the AWS EU-US Privacy Shield certification.
Nutshell will offer EU Model Clauses, also known as the Standard Contractual Clauses, to meet the requirements of our customers who operate or collect personal data in the EU.
To request a copy of our AWS DPA or enter into a Model Clause Agreement with Nutshell, email email@example.com.
Data portability and how you can comply with GDPR using Nutshell
Nutshell is dedicated to providing our customers with the tools they need to maintain compliance under GDPR. Our product development roadmap is informed by the needs of our customers and product changes to enable compliance are a priority.
The tools Nutshell already provides to help customers become GDPR compliant include:
- Importing and exporting tools: You can easily add data to Nutshell as well as export a copy of data. Imports and exports are used for data portability and simple updating of the personal data that you store in Nutshell. Also available via our API.
- Edit, bulk edit, and delete companies, people, or leads: If your customers request deletion or updates to their personal data, these tools allow you to handle those requests easily. Also available via our API.
- Origin and source tracking: Understand where personally identifiable information regarding your companies, people, and leads came from.
- User profiles: Your personal information in your Nutshell user profile may be edited or deleted at any time.
- Automatic data purge: If you cancel your account with Nutshell, your entire database is deleted from our servers in 90 days.
New tools that Nutshell will provide to enable even easier control over how your data is processed:
- The option to immediately and permanently delete a company, person, or lead from Nutshell.
- A one-click export option for any individual company, person, or lead.
Nutshell is happy to assist you in complying with the requirements of GDPR as your data processor, and to provide you with the resources you need as a data controller.
Check this page for future updates regarding GDPR preparedness and compliance.