📣 Product updates December 2023. Learn more →
Vero logo

GDPR Commitment

Last updated: 2 May 2023
Effective date: 25 May 2018

New SCCs

In light of the new Standard Contractual Clauses adopted and approved by the European Commission, Vero has revised our Data Processing Agreement. Vero administrators can access v2 of our DPA in your Vero account under Account > Privacy or write to us at dataprivacy@getvero.com.

If you have any questions regarding data privacy and protection, the new SCCs, or our commitment to the GDPR, please contact us.

What is GDPR and who does it apply to?

The GDPR is EU regulation designed to protect the privacy of EU citizens and impacts all organizations that process the personal data of such citizens, regardless of whether an organization itself is based in the EU. The GDPR went into effect on 25 May 2018 and aims to give EU citizens and residents greater control over their personal data, while simultaneously simplifying the regulatory environment for international business that takes place in the EU.

The GDPR describes different requirements depending on how an organization handles data subjects' personal data:

  • Data Controllers are businesses that collect customer data and also decide how, when and why that customer data is processed.
  • Data Processors are businesses that carry out the processing of customer data on behalf of a Data Controller.

Vero is both a Data Controller in our relationship with our own customers and a Data Processor in our role as an organization that helps other businesses process their customer data (we generally refer to this as End User Data).

Vero's GDPR compliance

In line with our commitment to GDPR compliance we reviewed, updated and modified many of our internal practices and policies to ensure we meet GDPR requirements as both Data Controller and Data Processor. Below is an overview of several key things we put in place and maintain to ensure such compliance.

Data Processing Addendum

We offer a data processing addendum (DPA) for our customers who collect data from data subjects in the EU. Our DPA offers contractual terms that meet GDPR requirements.

We have published this DPA inside your Vero account and customers that require a DPA agreement with Vero in our role as the processor can download and execute a copy of our DPA here.

To ensure that no terms are imposed on Vero beyond what is reflected in our DPA and Terms of Service, in most scenarios we cannot agree to sign customers' DPAs. If you are unable to comply with our standard DPA, please email us at dataprivacy@getvero.com. We are happy to discuss your concerns and our options.

Data Inventory

We maintain an internal matrix identifying all data subject with which Vero interacts and the categories of data collected about each of these data subjects. This matrix was built in response to the GDPR deadline and has been maintained whenever changes to Vero's product, infrastructure or marketing functions occur. This matrix enables us to validate the legal basis for collecting and processing personal data and ensure that we have in place the appropriate security and privacy safeguards across our infrastructure and software ecosystem.

Third party Subprocessors

We maintain a list of third-party vendors on our website here. We have signed DPAs with each of these subprocessors.

Incident response and breach management

We maintain an internal Security Incident Response Plan that outlines the process our team follows in the event of a suspected data breach. We updated this document in response to the GDPR and other relevant data privacy regulations.

Data Subject Rights in our role as Processor

Ways in which Vero helps you comply with GDPR as a Processor

If you are working with EU customers you need to provide them with the ability to access, update, retrieve and remove personal data. We offer self-service features that help support these requirements. The following features help you fulfil the rights of data subjects in your role as a Data Controller:

  • "Delete" requests ("Right to be forgotten", "Right to the restriction of processing"). We provide a /delete endpoint in our API. This endpoint removes the user record and all related data from Vero's systems. You can also remove users directly in the UI (including in bulk) or contact us at (support@getvero.com)[mailto:support@getvero.com].
  • Updating customer data ("Right to rectification", "Right to object"). Calling Vero's /identify API endpoint updates and overrides a customer's user properties, enabling you to respond to customer requests to ensure accuracy in the data you have about them. You can also update user records using Vero's UI or our CSV import functionality.
  • Exporting customer data ("Right to data portability"). You can download a copy of all user details (user properties) as part of a segment export in Vero. If you would like to export a user, or users', full event history, please email us at dataprivacy@getvero.com with the ID / name of the segment to export.
  • Event tracking (tracking consent). Vero's events enable you to track granular data about your customers. Ensuring that you track consent given by customers is critical under GDPR and our events can assist in this process.

Data provided to Vero is stored indefinitely by default. When you cancel your account we will dispose of provided data in accordance with our Terms of Service.

Under the GDPR you must have a legal basis for all data processing. As a Data Controller using Vero, it is likely that consent will be one of the legal bases used to ensure compliance for the data you send us.

In order to be valid, consent must be verifiable. As the Data Controller, it is your obligation to ensure you have researched and reviewed your consent-gathering processes. The following does not constitute legal or compliance advice but provides some suggestions as to how other Data Controllers manage consent:

  • Verifiable consent requires a stored record of how and when a customer agreed to let you process their data. Vero's "events" capture the activity and timestamp of a user activity and are our recommended basis for tracking consent.
  • Unambiguous and explicit consent requires that data subjects must affirmatively consent to their data being processed. An example of this is actively ticking a box as part of a signup or subscription process. This opt-in process must include a message that clearly (in plain language) states the ways in which the data subject's personal data will be used. The follow are examples of ways in which you are likely to use data when using Vero. These are likely to be uses for which you need affirmative consent:
    • Transferring the user's contact data to Vero.
    • Sending the user email messages using Vero.
    • Tracking behavioural interactions for email marketing purposes.

If you rely on consent to process customers' personal data, double check where and why your customers elected to share their data with you to make sure that the consent you obtained meets the standards for consent set out in the GDPR.

Data subject rights in our role as Controller

As a customer of Vero based in the EU you are able to access, update, retrieve and remove your own personal data.

You may edit the data you have provided to Vero open and manage your Vero account in the Account area of your account. If you would like an export of such data or to otherwise discuss the personal data we store, please email us at dataprivacy@getvero.com.

Refer to our Privacy Notice for information regarding the collection, storage and management of personal data provided to us. Refer to our Cookie Notice for further details and access to your preferences.

We are here to assist

If you have any questions regarding GDPR or data privacy please don't hesitate to email us at dataprivacy@getvero.com.