Data protection according to EU-DSGVO
Data protection and information security are central components of contentbird's products and services.
The protection of your data and your trust are very important to us. Therefore, we have implemented technical and organizational measures to ensure the security of processing, which we are continuously developing.
contentbird makes data protection easy and allows you to work in accordance with the requirements of the EU General Data Protection Regulation.
How does contentbird handle data protection requests from data subjects?
As a processor, we have a strong interest in handling confidential information and personal data in accordance with data protection requirements. This also includes the protection of rights, in particular the processing and fulfillment of requests from data subjects. Due to legal obligations, all requests from data subjects must be answered and fulfilled by the data controller within four weeks. Requests are forwarded to our data protection team and reviewed according to established processes. We pre-qualify each request we receive before passing it on to you.
How does contentbird handle potential data breaches and security incidents?
The high integrity interests of our customers also extend to the handling of data privacy and security incidents. There is a legal obligation to report a data protection incident to the competent supervisory authority within 72 hours if it is likely to result in a risk to the rights and freedoms of natural persons. A swift, structured review of security incidents is therefore important, and you will be informed without delay. Potential breaches can be detected by the information security structures, or reported through the designated internal processes to the information security and data protection team, which reviews them in detail. In this way, we also review supposedly insignificant incidents, and we regularly train our employees on data privacy and IT security compliance.
How does contentbird implement the information obligations according to Art. 13 and 14 DSGVO?
How are data protection and information security ensured in the home/mobile office?
contentbird has established comprehensive security measures. Special technical and organizational precautions have been taken for the home and mobile office area to ensure data protection and data security. Work devices are encrypted and additionally equipped with a Virtual Private Network (VPN). Customer data is kept only in the data centers. Access to the software is via HTTPS, and system-level access is possible only for selected administrators via VPN. Special work guidelines exist for the home/mobile office area.
What data is processed?
The scope of the processing of personal data mainly results from the description of processed data categories (contract for commissioned processing Operations and Trusted Content Software), (contract for commissioned processing Convert Software). Special categories of personal data are also covered in the annex to our Contract for Commissioned Data Processing. The data categories described in the GCU are therefore "broad".
Where can I find a description of the technical and organizational measures?
A description of the technical and organizational measures (TOMs for short) can be found in Appendix A to our contract for commissioned processing (Contract for Commissioned Processing Operations and Trusted Content Software), (Contract for Commissioned Processing Convert Software). To demonstrate compliance with and further development of these measures, contentbird conducts regular internal audits and reviews in addition to a data protection and information security management system (DSMS/ISMS).
Who is responsible for data processing?
contentbird provides all services related to the Content Marketing Suite as an order processor, unless personal data is expressly processed for its own business purposes and may be processed legitimately. According to Art. 4 No. 7 DSGVO, the person responsible for data protection in the context of the use of the contentbird Content Marketing Suite is the customer company. In addition, processors (contentbird) are also data controllers within the meaning of the DSGVO, for example with regard to their own subcontractors or processing for their own business purposes.
Are there any subcontractors for the order processing by contentbird and if so which ones?
It is important to us that our subcontractors meet adequate security standards. Thus, we pay particular attention to compliance with the DSGVO in the context of contract processing and additionally to common security standards, such as certification according to ISO 27001.
Our data centers provide us with housing services, i.e. they provide us with power, rack space and Internet, including firewalls, load balancers and secure SSL certificates. Maintenance and installation of hardware and software is done by contentbird. The data centers used are checked and audited by contentbird at regular intervals. The data centers are an unconditional contractual component of the service and order processing, without which we cannot provide our products. Currently, data centers of the following providers are used:
- Amazon Frankfurt
- EMC HostCo GmbH
- Hetzner Online GmbH
You can find the proofs and certifications of our subcontractors here:
- ISO certificate and proofs Amazon
- ISO certificate and proofs EMC HostCo
- ISO Certificate Hetzner Online GmbH
contentbird uses Intercom for support processing. Why is Intercom not a subcontractor?
contentbird uses Intercom as a tool to process support requests. In our relationship with Intercom, we consider ourselves to be the responsible party within the meaning of data protection laws. Thus, Intercom is not a subcontractor in the sense of order processing. We base the use of Intercom in the context of support and thus the transfer of our customers' data (specifically, the business mail address of the user making the request) on the legitimate interest pursuant to Art. 6 (1) lit. f DSGVO. Alternatively, it is possible to contact the direct contact persons with a request, e.g. by e-mail. Intercom stores data in the USA.
Are contentbird employees regularly trained in data protection and committed to confidentiality?
Training and committing employees to the confidentiality of personal data and customer information is part of both onboarding and offboarding as well as data protection and information security management at contentbird. To this end, we regularly conduct internal data protection and awareness trainings focusing on data protection and information security. Our experts in the field are available to all colleagues as contact persons.
Is a backup concept in place and which tools are used? Have restore tests been carried out?
In the event of a failure, a restore can usually take place immediately or on the same day. Files, databases and complete hard disks are backed up. There is redundant mirroring of the productive environment, so that even in the event of a failure of one data center, productive operation can be started up in another data center. Backups are geo-redundantly stored on encrypted data carriers. Restore tests are performed on a random basis. Backups are monitored and verified.
Content Marketing Suite
How long is data retained?
In order to meet the legal requirements for data deletion, a global deletion concept was established at the process and product level. One focus is thus on the contentbird products, which, in order to meet the requirements of "privacy by design", contain implementations for data deletion. An essential component is the deletion of subscriber data, which can be deleted by the responsible party according to operational requirements. contentbird recommends that the retention period for subscriber data be set at six months.
Is there a description for the list of processing activities?
We are happy to provide our customers with the information for the legally obligatory directory of processing activities upon request. However, the description of contentbird's processing activities with regard to commissioned processing does not replace the controller's obligation to include the processing in its own directory.
Social share buttons for Convert products
Within the interactive formats in the Convert module, it is possible to activate so-called "social share buttons" (XING, LinkedIn, Facebook, etc.). The buttons are not plugins of the social networks. Unless expressly specified, only external links are used. This means that data is only transmitted to the social networks when the website user clicks on the link.
Which cookies are set in the standard frontend of Convert?
For the prediction game, a login token contilla-webapp-sportsbet-<KampagnenID>-token (where <KampagnenID> is the campaign ID) is set in Local Storage for automatic login. The interactive graphics use Local Storage to record hotspots that have already been visited.
Why is there no cookie banner on the default frontend of Convert?
The interactive content formats are integrated into the client's website by the client and are the client's responsibility.
How does contentbird count how often a Convert product has been viewed / clicked on?
contentbird Convert records the use of the played formats through automated and/or interaction-related messages to the delivering server (usually delivery.contentbird-convert.com; however, this can be configured differently on customer request to another subdomain on contentbird-convert.com or other domains owned by contentbird GmbH).
Among other things, the information collected allows conclusions to be drawn about the time of execution in the client browser, the use of content offered (for example, opening hotspots, displaying and clicking on inserted advertising spaces ("banners"), etc.), the progress within the timeline, and the total running time of the format. No personal information is collected in this context. Thus, no conclusions can be drawn about the user or the browser/computer used.
The raw data collected in this way is processed for use by the customer, aggregated in terms of time and event groups. This means that customers cannot perform individual analyses of individual end-user interactions. Customers do not have access to the raw data collected.
Are accesses / activities logged in the system?
The system history logs access attempts to the Content Operations Suite as well as modifying operations on records.
All proofs and important attachments at a glance
Hosting Made in Germany
At contentbird, all hosting is "Made in Germany". Our certified data centers AWS in Frankfurt, as well as EMC HostCo GmbH and Hetzner Online GmbH offer the highest security standards for the storage and availability of your data. The fulfillment of the requirements of ISO 27001 is confirmed by EY CertifyPoint.
General Data Protection Regulation
The Content Marketing Suite from contentbird offers you the possibility to work DSGVO-compliant.
You can download our contracts for order processing (Contract for order processing Operations and Trusted Content Software), (Contract for order processing Convert Software) here directly for filling out. Please send the signed contract to: email@example.com