Mindtickle and the General Data Protection Regulation (GDPR)

At Mindtickle, we take data security and privacy seriously. We constantly try to make sure that we meet our obligations under GDPR and are transparent about processing data.

Mindtickle is committed to ensuring the protection of our customers’ data by complying with the General Data Protection Regulation (GDPR) and other applicable privacy-related regulations such as California Consumer Privacy Act (CCPA) and the UK Data Protection Act (UK DPA) 2018.

The GDPR is designed to give European Union citizens more control over their data and to unify several privacy and security laws under one comprehensive rule. Any organization that offers goods or services to EU citizens must comply with the GDPR. It applies to organizations established within the EU and, regardless of the company’s location, to all companies processing or holding the personal data of data subjects residing in the EU.

We are here to support our customers

The GDPR defines different organizations’ roles when managing or dealing with personal data.

There are two major roles – Controllers and Processors. Controllers are organizations that own personal data. Mindtickle customers are Controllers because they collect personal data and decide the purpose and method of using it. Mindtickle plays the role of the Processor, since Mindtickle processes the personal data provided by its customers.

We’re committed to helping our customers meet their obligations in their role as Controller under the GDPR. Mindtickle has implemented data security and privacy processes and controls to ensure that our customers meet their GDPR obligations.

Approach to Security and Privacy

As the global leader in sales readiness, Mindtickle delivers a cloud platform that the leading enterprises across the globe trust for business-critical services. Protecting our customers’ information and their user’s privacy is essential for Mindtickle. Mindtickle has adopted privacy and security by design for all developments on the platform, ensuring that security and privacy are built into every layer of the Mindtickle platform. Visit Mindtickle’s Trust Page to learn more about our approach to security and privacy.

Security Architecture

Data protection laws require organizations to use appropriate technical and organizational security measures to protect Personal Data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration. Mindtickle has a robust security and privacy program that meets industry standards. These enable Mindtickle and its Customers to comply with various data protection laws and regulations applicable to the Mindtickle platform and services.

International Data Transfers

Mindtickle understands the rules for onward transfers of personal data outside of the European Economic Area (EEA) and offers customers a robust international data transfer framework as a part of our Data Processing Addendum. This addendum ensures that our customers can lawfully transfer personal data to the Mindtickle platform outside the EEA by relying on the Standard Contractual Clauses.

Data Processing Addendum (DPA)

Mindtickle offers a GDPR-compliant Data Processing Addendum (DPA) to provide our customers with privacy protection assurance, which helps us comply with our obligations as a Data Processor and helps our customers meet their obligations as Data Controllers. Mindtickle’s DPA supplements the Terms of Service or any master subscription agreement. This addendum reflects our requirements as a processor of Customer Data.

Standard Contractual Clauses

Commission Implementing Decision (EU) 2021/914 of 4 June 2021 adopted new Standard Contractual Clauses (SCCs, also known as Model Contractual Clauses) for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council, to help safeguard European personal data. Following the applicable transition period, these new SCCs replace the SCCs previously adopted by the European Commission. Mindtickle has incorporated the new SCCs into our Data Processing Addendum (DPA) to help protect our customers’ data and meet the requirements of European privacy legislation.

Transfer Impact Assessment

Mindtickle has prepared a Transfer Impact Assessment (TIA) report in response to the recent Schrems II decision on the international transfer of Personal Data. The TIA report describes the safeguards Mindtickle has put in place for transfers of customer personal data out of the European Economic Area, United Kingdom, or Switzerland (“EEA”). The report also sets out Mindtickle’s ability to comply with its obligations as a “data importer” under the Standard Contractual Clauses (“SCCs”). Upon request, Mindtickle can share the TIA report with customers and prospects.

Data Location and Residency

Data hosting locations are chosen to reduce latency and achieve optimal performance for you and your users. Mindtickle optimizes where to host customer data based on how it is accessed worldwide. Mindtickle offers prospects the following options for choosing the data center where the Mindtickle platform infrastructure will store their data.

  • United States – Customers can choose to store all of their learning content, user profile, and user progression data, including backups in the United States as required for achieving US data residency.
  • Singapore – Mindtickle will store the user profile and user progression data in the Singapore region, with backups stored in Ireland and Japan, and an option to select one of the following regions to host learning content.
    • North Virginia in United States Region
    • Ireland in Europe Region
    • Singapore in Asia Region

With both options, Mindtickle will access the customer data in India and the United States for administrative, customer success, professional services, and technical support activities. Before configuring and setting up the Mindtickle site, you can contact your Mindtickle point of contact to understand the data storage location options.

Certifications

We have invested heavily towards ensuring our platform is built and designed per widely accepted standards and certifications. These standards mirror many of the security and privacy requirements of GDPR and give our customers a transparent framework by which they can measure our software development and data management practices.

Mindtickle regularly audits its platform against the Trust Services Principles and Criteria prescribed by the American Institute of Certified Public Accountants (AICPA) and obtains a Service Organization Control 2 (SOC 2) Type 2 report. This third-party assurance audit is performed annually to obtain an independent opinion on the suitability of the design and the operating effectiveness of the implemented controls. Mindtickle can share its SOC 2 Type 2 report with customers and prospects upon request.

Privacy and Security Measures

Information security is our highest priority, and we have implemented robust technical and organizational measures to ensure that our customers’ data remains secure.

Mindtickle’s technical and organizational security measures, as updated from time to time, provide an appropriate level of security and privacy to all its users, taking into account the nature, scope, context, and purpose of the processing, and the risks to the rights and freedom of natural persons.

Strong Encryption

Mindtickle protects personal data by using platform-wide cryptographic controls. All data is secured in transit with TLS 1.2, using SHA-256 with 2048-bit RSA keys, and is encrypted at rest with AES-256 encryption.

Privacy Policy

We have worked with independent auditors and lawyers to ensure our privacy policy complies with GDPR. Our policy outlines our commitment to maintaining the privacy of our customers’ data. It also explains what we have done to ensure our customers’ data is secure and what choices are available to them.

Pseudonymization

Information stored in activity logs and databases is pseudonymized wherever possible using a unique randomized user identifier that cannot be traced back to a specific data subject.

Data Minimization

Mindtickle only collects the minimum information necessary for the provision of our service. Mindtickle platform administrators of customer organizations typically need user details (name, business titles, and business email addresses) and training content to run enablement programs on the Mindtickle platform. The customer-designated administrators will decide the exact data scope based on the use case.

We do not process special personal data categories (as per Article 9 of GDPR). We have signed contractual agreements and DPA with third parties to store and process your personal data and that of your customers. You can find the list of these sub-processors in our Sub Processor Repository.

Purpose of Data Collection and Storage

Mindtickle hosts data as part of the service it provides to its customers but doesn’t make any claim to said data. Mindtickle’s customers are the owners and controllers of all data they submit onto the platform.

Controls with Sub-processors

As specified in the Data Processing Addendum, Mindtickle

  1. takes responsibility for the actions of its Sub-processors, and
  2. has entered into a written agreement with each Sub-processor containing, in substance, data protection obligations no less protective than those in our Customer agreements.

Customers can find up-to-date information about the hosting locations of Sub-processors in our Sub Processor Repository. Customers may subscribe to notifications of new Sub-processors. Mindtickle will notify all subscribed Customers of a new Sub-processor before authorizing the new Sub-processor to process Customer Data. Customers may object to the intended use of a new Sub-processor using the procedure set out in the Data Processing Addendum.

Mindtickle’s Access to Customer Personal Data

Mindtickle’s Data Processing Addendum contains a contractual commitment from Mindtickle that its personnel may access Personal Data only in accordance with the Customer’s documented instructions for specific purposes. These purposes include: (i) as required under the Data Processing Addendum; (ii) as initiated by the Customer in their use of the Mindtickle Services; and (iii) to comply with other instructions provided by the Customer. The locations of Mindtickle’s Affiliates that employ personnel who may access Personal Data for these purposes are set out in the Sub-processor List.

Mindtickle Employee Training and Confidentiality Obligations

Mindtickle commits in its Data Processing Addendum to ensure that personnel have been appropriately trained, are reliable, and have entered into confidentiality agreements. Employees also regularly undergo security, data protection, and privacy training.

The Rights of Data Subjects

Our customers and their end-users can access, correct, and modify their data stored on the Mindtickle platform. End-users can also contact us at support@mindtickle.com if they want to access, correct, or remove their data. As a Processor, we will forward these requests to the relevant customers and help them respond if needed.

Right to Access and Data Portability

Mindtickle supports individuals’ right to access and right to portability of their personal data. Any Mindtickle platform user will be able to request an export of their personal data and the personal data of their end-users.

Mindtickle also provides easy access and options to export all platform data, including learning content and user profile data. Mindtickle administrators of customer organizations can perform these actions from the admin site via reporting APIs and can download or email the required data. Further, they can reach out to the Mindtickle support team at support@mindtickle.com for assistance.

Right to Accuracy, Correction, Deletion, and Modification

Mindtickle provides ways of keeping all personal data of your learners accurate via its platform and APIs.

Mindtickle also supports all data subject requests for change, correction, or deletion of their personal information. Users can reach out to us at support@mindtickle.com for such requests, and as a Processor, we will forward these requests to the relevant customers and help them respond if needed.

Data Retention Policy

As a processor of its customers’ data, and to protect the privacy of the information it stores, Mindtickle holds data no longer than is needed to provide its services. Mindtickle has implemented the following data retention policy:

  • Mindtickle deletes all customer personal information from the platform 180 days after contract termination.
  • Customers can also ask us to permanently delete their company data or individual users’ data stored on our platform anytime.

We have put in place robust mechanisms to delete our customers’ data upon request or at the end of their contract. If you are a Mindtickle customer and would like to delete specific data, please contact us at privacy@mindtickle.com. The only information retained post-contract termination is that which is necessary from a compliance or legal standpoint.

Right to Notice

Mindtickle enables customers to notify their users about collecting and using their Personal Data through a privacy policy link (drafted by the customer) that can be displayed on the Mindtickle platform login page.

Incident Management

Mindtickle maintains multiple monitoring systems to detect and alert on incidents. Mindtickle will notify Customers after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, within the period required under applicable Data Protection Laws. Mindtickle will also provide timely information to Customers to enable them to fulfill any data breach reporting obligations under Data Protection Laws.

Data Protection Officer

Mindtickle has a dedicated Data Protection Officer (DPO) and a team of privacy and security professionals who help our customers maintain their compliance when using Mindtickle.

If you would like to reach our DPO or have follow-up questions, please contact us at dpo@mindtickle.com.

EU Representative

As required under Article 27 of the GDPR, which concerns representatives of processors not established in the European Union (EU), Mindtickle has appointed EU legal representatives in one of the Member States. You can contact our privacy team or Data Protection Officer for further information.

New Product Features

As a leader in Sales Readiness Software Solutions, we are constantly innovating and adding new product capabilities. Our new product capabilities follow three cornerstone principles:

  • They align with GDPR principles of “privacy by design” and “privacy by default.”
  • They give EU and non-EU customers flexibility within the GDPR guidelines.
  • All significant changes are communicated to our customers.

We are Here to Answer Your Questions

We are always happy to answer any questions about the privacy and security of our customers’ data, GDPR, or Sales Enablement in general. Feel free to contact us at infosec@mindtickle.com for security questions or privacy@mindtickle.com for privacy questions.