Here you will find information that will address some of the most frequently asked questions that surround Acoustic Campaign and what we are doing to assist its customers in becoming GDPR compliant by May 25th, 2018.
Acoustic® has several data hosting and other processing locations where data processing takes place. To learn more about these locations, use this link. https://www.acoustic.com/pdf/campaign/Acoustic-Campaign-Data-Sheet-16-September-2020.pdf
Processing of personal data
How does Acoustic Campaign securely and confidentially process personal data which includes personal data that falls under special categories as indicated in the GDPR articles?
Acoustic Campaign is a web-based, multi-tenant, software-as-a-service (SaaS) digital-marketing operating system that is a data-driven self-service solution with a flexible data schema that allows customers to determine the data elements to be stored, collected, and processed. Typical use cases include the means of contacting recipients (email address, mobile number for SMS messaging, and/or App ID for Mobile Push Notification), first names and other elements wanted for the personalization of messages, and data elements needed to segment recipient lists into target groups.
Acoustic treats all data and content as confidential. For more information on confidentiality and privacy, read the in-depth information that can be found at these links:
- Acoustic Data Processing Addendum: https://www.acoustic.com/pdf/Acoustic-Data-Processing-Addendum-1-April-2020.pdf
- Acoustic Campaign Data Sheet: https://www.acoustic.com/pdf/campaign/Acoustic-Campaign-Data-Sheet-16-September-2020.pdf
Data storage and processing
Acoustic stores all structured (“contact list”) data on database servers, encrypted at rest (on disk) by the production storage array (US hosting) or database-management system (other hosting geographies).
The Acoustic Campaign production infrastructure is co-located within dedicated cages or hosted in a cloud service (depending on the specific instance) within Tier 3 (or higher) facilities. These facilities employ physical-security and environmental controls, with redundancy, that meet or exceed industry standards, as evidenced by the SSAE-16 SOC Type II attestation reports and ISO 27001 certifications for the facilities.
Cloud hosting providers:
- Amazon Web Services: https://aws.amazon.com/
Subcontracting and processing of personal data
Acoustic performs a Web Application Security Assessment (WASA) at least one time per year by an independent third party. No subcontractor is outside the European Economic Area (EEA). Those subcontractors that are based inside the European Economic Area (EEA) DO NOT use data systems that process data outside the EEA (for example, servers, dropbox, email providers, and so on).
Only offering representatives and corporate offices have the authority to authorize subcontracting activities and written agreements are in place that cover these sub-contracting agreements.
If a third-party subcontractor is used to access client data in normal performance of their contracted duties and/or such a third-party subcontractor is engaged in the delivery of a cloud service, the sub-processor and its role is provided upon request. Acoustic requires all such sub-processors to maintain standards, practices, and policies that preserve the overall level of security and privacy that is provided by Acoustic. Any addition or change to Acoustic’s list of sub-processors is available upon request.
For more information on these written agreements, see Acoustic Campaign Data Sheet: https://www.acoustic.com/pdf/campaign/Acoustic-Campaign-Data-Sheet-16-September-2020.pdf
Security and data access controls
Acoustic has physical, administrative, and technological procedures in place to ensure that all information processing facilities are secure. Additionally, Acoustic's security standards are audited annually by using the ISO 27001 standards by a third party.
Only permanent personnel of Acoustic have access to the personal data that is processed on behalf of its customers. Employees receive training on data protection and other relevant law at least yearly and often more face to face by video or online methods. Additionally, Board level employees, management, and IT Security attended GDPR awareness training.
No Acoustic personnel, other than any Services personnel to whom the customer provisioned application-user accounts to help operate their campaigns, have regular access to customer data through the application. To facilitate troubleshooting, the “Become User” feature, the use of which must be explicitly authorized by the user from within the user account, allows Client Support to temporarily view the account “through the user’s eyes” without requiring the user’s password or allowing the export of data; use of this feature is automatically logged in a secure database table and included in reports that are sent to Information Security daily for review.
Direct access to customer data, at the database layer, is restricted to authorized Acoustic personnel whose regular job responsibilities require such access and is reviewed by management and Information Security on a quarterly basis to ensure that the access remains current and appropriate. Access to the infrastructure in the production environments that host customer data is restricted to authorized personnel and requires a secure VPN with two-factor (software token) authentication. To access production servers, which are configured to deny direct logins, administrators must use SSH to connect to a bastion host and authenticate by using LDAP credentials that are independent of those used to access the corporate network; access to network devices is restricted and controlled by TACACS. Policy prohibits the export of customer data from the operating system without explicit authorization from the customer or Information Security. No third parties have access to customer data except as required for the delivery of specific optional services that are authorized in advance by the customer.
For more information about these procedures, see these links
- Acoustic General Terms and Conditions (Section: Confidentiality): https://www.acoustic.com/pdf/Acoustic-General-Terms-and-Conditions-March-2021.pdf
- Acoustic Campaign Data Sheet: https://www.acoustic.com/pdf/campaign/Acoustic-Campaign-Data-Sheet-16-September-2020.pdf
Information archive and destruction
Acoustic does have a data retention policy for all its customers. However, customers manage and can delete or overwrite their data at any time while their service is active. Upon deletion of data from the database, the database and underlying storage reclaim the space and overwrite it with other data, rendering the deleted data unrecoverable. As customer data is stored exclusively on disk, all copies are purged as backups and the replication process overwrites backups. After service termination, the operating system retains any remaining data according to the terms of the Services Agreement. Any data-storage devices that are decommissioned or otherwise removed from service are secured until physically destroyed to ensure that data cannot be recovered. A Certificate of Destruction is obtained for all data-storage media.
Acoustic's strategy for storing Archived Data assures that we are not unnecessarily storing personal data for longer than it is needed, and also help us to respond to Right to Erasure requests from our customers on behalf of their data subjects.
As you may be aware, the Acoustic Campaign product has processes for removing older, unused entities from our database and ‘archiving it’ as files.
We did not changing your ability to determine when unused entities are off-lined. You can still set those values up to 450 days. What did change, is that after an email or database is off-lined, you will only have 30 days to download it before it is removed entirely.
- Unused databases
After 'x' days (configurable) of inactivity, Acoustic Campaign currently exports the database to a CSV and removes the database from Database listings. You will have 30 days to download the CSV once it has been created.
- Daily archiving of contacts in Transact databases
'X' days (configurable) after the contact was added to the database, they are purged and written to a file. You will have 30 days to download the CSV once it has been created.
- Email off-lining
You can only get a zip file with all content bodies and associated behaviors (e.g. clicks, opens) within 450 days via the Raw Recipient Data Export processes.
As a reminder, the following is a summary of where archived/off-lined items can be viewed in Acoustic Campaign:
- Resources > Archive Activity: Shows databases/contact sources and emails that were archived in the last 30 days or those that will be archived in the next 30 days.
- Databases: Databases that have been archived are viewable in the Archive tab in Data > Database > View Data.
- Emails: Emails that have been archived (if enabled) are viewable in the Archive tab in Content > View Mailings > Archived Mailings.
- Contacts: Contacts that have been archived (if enabled) are viewable in the associated items, Contacts Archived.
Incident management and breach notification
Acoustic performs regular vulnerability scanning and penetration testing of its systems that includes internal and external tests of infrastructure, applications, and hosts by using a Web Application Security Assessment (WASA) on every major release. This assessment is performed by an application-security specialist in Information Security, and at least one per year is performed by an independent third party. The operating system infrastructure and network are subject to attack-and-penetration testing and vulnerability scans by Acoustic personnel at least quarterly and by an independent third party at least annually. All findings from security testing are presented to the appropriate stakeholders for analysis to determine validity and potential risk exposure, then those that present a risk exposure that warrants remediation is prioritized, placed in the schedule, subject to timing considerations, and tracked through verification of remediation.
Additionally, each Acoustic Cloud service has business continuity and disaster recovery plans, which are developed, maintained, verified, and tested in compliance with the ISO 27002 Code of Practice for Information Security Controls. Recovery point and time objectives for each cloud service are established according to its architecture and intended use and provided in the service description or other transaction document. Backup data intended for off-site storage, if any, is encrypted before transport.
In regard to breach notifications, these Security incidents are handled in accordance with Acoustic incident management and response policies, which take into account data breach notification requirements under applicable law. The core functions of Acoustic’s global cybersecurity incident management practice are conducted by Acoustic’s Computer Security Incident Response Team (CSIRT). CSIRT is managed by Acoustic’s Chief Information Security Office and is staffed with global incident managers and forensic analysts. National Institute of Standards and Technology, United States Department of Commerce (NIST) guidelines for computer security incident handling formed the development and remain the foundation of Acoustic’s global incident management processes.
Your Acoustic sales account team is your primary point of contact when notification needs to be sent to a customer, and are responsible for communications about any Acoustic business impairment that might directly impact customers. Communications are initiated within the Crisis Management Team and managed as part of the Crisis Management Team communications plans.
How does GDPR in Acoustic Campaign impact consent for EU data contacts that were entered into the system prior to May 25th, 2018?
GDPR requires that marketers establish purposeful consent; it requires that you obtain consent that is “freely given, specific, informed and unambiguous”. You should be sure that your opt-in mechanisms require a data subject to explicitly opt-in. That means that things like pre-checked opt-in boxes are not going to be sufficient. Many marketers are evaluating their current processes and existing lists of consented contacts to determine whether they meet the expectations of GDPR. Where there is any ambiguity, a good course of action would be to have contacts 're-consent'. You could send an email with a call to action to confirm consent, later removing any contacts who have not confirmed. For anything related to GDPR and privacy, it is recommended that you discuss with your own legal and privacy counsel in order to determine what is most appropriate for your company.
If a data source has multiple email address records that are the same, how many of those records are deleted with the Right to Erasure request?
The Right to Erasure request will delete all instances of the email records. For example, if there are 30 instances of the same email address record, all 30 instances will be deleted.
Deleted records are permanent and cannot be restored.
Data subject access requests
We added functionality to support your staff when you receive Right to Erasure or Right of Access requests from your data subjects.
Documentation for these APIs is available in our developer experience using the links below.
We also added functionality that allows you to initiate these processes via the Acoustic Campaign user interface. GDPR allows 30 days to respond to Data Subject Access Requests providing a few options:
- You can accumulate any requests you receive and process them in batch in our UI.
- You can use a tool such as Postman to execute the API requests manually.
For any other specific questions or concerns, please open a case by visiting the Acoustic support portal or by calling us via the support numbers listed below:
- Call North America +1 866-820-5136
- Call United Kingdom +44 808 169 2385