Tourmo Data operates on a shared responsibility
model with our customers and we are committed to
partnering to assist you in meeting GDPR requirements..
Tourmo has been preparing for the European Union’s (EU) General Data Protection Regulation (GDPR) since early 2018. Tourmo enhanced processes and procedures to ensure we met both our Data Controller and Data Processor obligations. Looking forward, Tourmo Data is continuing to monitor changes in the Privacy landscape and specifically has started the process of assessing expectations of California Consumer Privacy Act, which will go into effect in 2020.
With respect to GDPR, Tourmo Data is fully compliant (with the rules implemented effective May 25, 2018, set by the European Council). In support of GDPR compliance, Tourmo Data enhanced our website for increased transparency related to our:
- Opt-In Practices
- Legal Terms and Conditions
- Data Subject Request
Tourmo Data’s security team had determined that our current security controls and certifications including SOC 2 Type II, and Privacy Shield compliance, allow us to adhere to the GDPR’s requirements. This analysis also includes supporting our customers in meeting their GDPR obligations in working with our partners in the United States and European Union.
In alignment with Tourmo Data’s practices, we firmly believe in transparency and wanted to provide additional insight into what we are doing to meet ongoing GDPR obligations.
Tourmo Data only stores data that is necessary for the service to be operational for the duration it is required. As a customer, depending on how you set up Tourmo Data, you will control which data is processed by our service. As such, you should follow your internal practices to ensure the security and privacy of your customers’ data and avoid introducing any unnecessary in-scope GDPR information with Tourmo Data. We recommend following the “Goldilocks rule” of using what is “just right” and following the practice of minimization.
Right To Be Forgotten
For any of Tourmo Data’s customers who receive requests from their customers, where Tourmo Data is acts as a Data Processor (Sub processor), if you remove the data from your origin database there is no heavy lifting as the requested customer’s information should be removed automatically. If you would like further details on how this works please reach out to your Customer Success Manager, Account Executive, or through Tourmo Data chat.
For Tourmo Data’s direct customers, where Tourmo Data is the Data Controller, we have an established process to request and process the removal of your information in the case you would like to be forgotten from our various processes and systems. Please use our Contact Us page and let us know how we can help protect and respect your privacy.
Tourmo maintains a log of deletion requests and requests status. Once a user is deleted from our system all associated information is permanently removed and will not be recoverable.
Tourmo Data has implemented many controls to ensure confidentiality, integrity, and availability of data:
- Tourmo Data has strong data protection controls, which include encryption in transit and at rest of customer data to safeguard customer data from unintended access or misuse.
- Tourmo Data employs a continuous security testing strategy to aid in the proactive identification of software vulnerabilities.
- Tourmo Data maintains incident response and customer notification processes. These procedures are tested on an appropriate cadence.
- Tourmo Data is distributed across multiple AWS availability zones (AZs). This posture allows for a self-healing infrastructure with redundant servers for critical services present in each AZ.
- Tourmo Data has reviewed all key sub processors, i.e. Amazon Web Services (AWS), the security controls related to the physical and logical controls have been tested in AWS SOC audit report, ISO 27001 certification and FedRAMP ATO.
To read more about our practices, please see: www.tourmo.ai