Iterable is committed to partnering with customers and users to help them understand and meet the General Data Protection Regulation (GDPR) requirements.

Iterable’s GDPR Initiatives include:

• Continuing to invest in our security infrastructure
• Ensuring that appropriate contractual terms are in place
• Ensuring we can continue to support international data transfers, by executing Standard Contractual Clauses through our Data Processing Addendum

What is the GDPR?

The GDPR is a European Union (EU) law on data privacy protection, which supersedes the 1995 EU Data Protection Directive. At its core, the GDPR aims to strengthen the security and protection of Personal Data in the EU.

How does the GDPR apply to Iterable and Iterable Customers?

The GDPR defines and applies to two types of entities: a Data Controller and Data Processor. A Data Controller is an organisation that determines the purpose and means of processing Personal Data. A Data Processor is an organisation that processes Personal Data on behalf of the Data Controller. Customers of the Iterable services are the Data Controller and Iterable is the Data Processor. In line with the GDPR requirements, Iterable will process EU Personal Data at the direction of its customers, ensuring appropriate technical and organisational measures to safeguard EU Personal Data. Iterable is also a Data Controller, as it may collect EU Personal Data from the Iterable website or through our marketing programmes for its own business purposes.

How does Iterable process Personal Data?

Iterable allows customers to create omni-channel relevance at scale, by leveraging customer Data for personalisation. Personal Data such as user (Data Subject) behaviours and preferences are used by the customer to send messages across email, SMS, rich push, in-app messaging, web push, direct mail and social media through the Iterable platform.

How will Customer lifecycle marketing be affected by the GDPR?

Customers utilise Iterable services to deliver seamless, personalised experiences that drive engagement and Data Subject development. Under the GDPR requirements, customers may only make use of EU Personal Data for the explicit purpose and length of time the Data Subject consents to. By receiving the required consent, customers will be able to leverage Iterable’s dynamic segmentation and workflows, to create highly relevant experiences by diving deeper into preferences and values, throughout the Data Subject lifecycle.

Iterable’s GDPR Commitment

How does Iterable assist customers with Data Subject requests for rectification, erasure or access to EU Personal Data?
Iterable understands the importance of Data Subject control over EU Personal Data, and is committed to providing customers with assistance in responding to Data Subject requests. Through the use of Iterable, customers are provided with the necessary API calls to accommodate Data Subject requests for rectification, erasure or exportation of EU Personal Data. A full overview of Iterable’s API functionality can be found at Iterable’s Support Centre.

Can customers utilise Iterable to track Data Subject explicit consent and withdrawal?
As Data Controllers, customers will determine the audience and content of personalised messages. Iterable’s segmentation tool allows customers the ability to segment across all EU Data Subjects and create dynamic or suppression lists. These lists will not only accommodate EU Data Subject requests under the GDPR but deliver highly relevant marketing messages. To learn more about Iterable’s segmentation tool, visit Iterable’s Support Centre.

How does Iterable safeguard Personal Data?
Iterable maintains appropriate technical and organisational measures to protect the security, confidentiality and integrity of EU Personal Data. In line with the GDPR requirements, Iterable regularly monitors these measures. For more information regarding Iterable’s safeguards, visit the Security and Compliance Overview.

Safeguarding Personal Data outside of the EU
To comply with EU data protection laws around international data transfer mechanisms, we offer European Union Model Clauses, also known as Standard Contractual Clauses, to meet adequacy and security requirements for our customers who operate in the EU.

How does Iterable ensure that its sub-processors are also GDPR-ready?

Iterable may utilise third-party service providers (sub-processors) for programme delivery to customers. As such, Iterable regularly conducts due diligence on each sub-processor, to ensure their Personal Data protection processes meet the necessary requirements, as required by the GDPR. A full list of Iterable’s third-party service providers can be found on Iterable’s Sub-Processors page.

Stay Updated

Fulfilling our privacy and data security commitments is important to us. Iterable will help customers and users stay informed of any and all changes to the GDPR. This page will be revised to reflect any revisions as they become available. For questions or concerns relating to the GDPR, please contact compliance@iterable.com.

Resources

• Iterable Support Centre
• Iterable’s API Guide
• Iterable’s Privacy Policy
• Iterable Blog: How Does GDPR Affect Marketing?
• Iterable Blog: How To Navigate Customer Consent Under The GDPR