In keeping with our ongoing commitment to privacy, ServerBid will be ready for the GDPR before May 25th, 2018. Additionally, we are committed to making it easy for our customers to comply with GDPR.
GDPR & ServerBid
The European Union's General Data Protection Regulation (GDPR) goes into effect on May 25th, 2018. This law will impact any business that is dealing with personal data of EU residents.
For an in-depth dive into what the GDPR is, please refer to The GDPR: A Quick Synopsis for Ad Tech.
The steps ServerBid has undertaken to be compliant with the GDPR are listed below.
Technical Changes to Ensure Compliance
In order to ensure ServerBid and our clients are compliant with the GDPR, we have enacted the following measures.
1. Automatic Stripping of EU PII
If ServerBid is sent a request with an EU IP address, by default we will:
Not set ServerBid cookies or enable our SmartSync cookie syncing tool
Remove PII before sending the request to the exchanges/demand partners. This includes the IP address and other fields that count as PII under the GDPR.
To identify an EU resident, ServerBid looks at the request's IP address. This means that an EU citizen in the USA would not be blocked, while a US citizen in Spain would. Regulators have issued multiple pieces of guidance stating that using the IP address to determine whether someone is an EU resident is acceptable.
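The following is an added illustration of the request-handling rule described above; it is not ServerBid's code. It assumes a small constructed list of "EU" networks (a real deployment would use a maintained geolocation database), an assumed set of field names treated as PII (only the IP address is named on the page), and that requests arrive as plain dicts. Unparseable or missing addresses are treated as EU, i.e. the check fails closed, which matches the conservative handling the page describes.

```python
import ipaddress

# Constructed sample of networks treated as EU for this demo (documentation
# ranges, not real EU allocations); a real deployment would consult a
# maintained geolocation database instead of a hand-written list.
EU_NETWORKS_SAMPLE = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/48"),
]

# Assumed set of request fields treated as PII under the GDPR. The page names
# the IP address explicitly; the other names here are illustrative.
PII_FIELDS = {"ip", "user_id", "device_id", "user_agent", "buyer_uid"}


def client_ip(headers, remote_addr):
    """Pick the client IP: first X-Forwarded-For hop if present, else the peer address."""
    xff = headers.get("X-Forwarded-For", "")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def is_eu_request(ip_text, eu_networks=EU_NETWORKS_SAMPLE):
    """Return True when ip_text falls inside one of the EU networks.

    Fails closed: an unparseable or empty address is treated as EU so that a
    malformed request never leaks PII downstream.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in net for net in eu_networks)


def prepare_outbound(request, eu_networks=EU_NETWORKS_SAMPLE):
    """Build the request forwarded to exchanges and decide whether to set cookies.

    request: dict with 'headers', 'remote_addr' and 'fields' (the raw ad request).
    Returns (outbound_fields, set_cookies). For EU traffic every PII field is
    dropped and cookies/cookie syncing are disabled.
    """
    ip_text = client_ip(request.get("headers", {}), request.get("remote_addr", ""))
    fields = dict(request.get("fields", {}))
    fields["ip"] = ip_text
    if is_eu_request(ip_text, eu_networks):
        outbound = {k: v for k, v in fields.items() if k not in PII_FIELDS}
        return outbound, False
    return fields, True


if __name__ == "__main__":
    # Constructed sample request arriving through a proxy from an "EU" address.
    sample = {
        "headers": {"X-Forwarded-For": "192.0.2.5, 10.0.0.1"},
        "remote_addr": "10.0.0.1",
        "fields": {"user_id": "u1", "device_id": "d1", "slot": "top"},
    }
    print(prepare_outbound(sample))
```

The decision and the stripping are kept in separate functions so the geolocation source can be swapped without touching the PII filter, and so the fail-closed behaviour of `is_eu_request` can be tested on its own.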
2. Incorporating Consent
ServerBid plans on incorporating consent via the IAB's Daisybit. More info will be given as the IAB provides more guidance.
3. Certifications
ServerBid will be PrivacyShield certified for EU traffic.
4. Continuous Risk Assessment
ServerBid has several recurring automated and human-operated risk and vulnerability analyses in place to detect potential security vulnerabilities.
5. What we collect / how long we store it
Our privacy policies are updated to reflect the needs of the GDPR. While we've always considered your data of the utmost importance, some data like IP address and user agent are being protected even more than in the past.
6. Created a Data Processing Agreement
The ServerBid DPA is intended to help you feel confident that you are working with a GDPR-compliant partner and to protect both parties from legal harm should the other party breach the agreement. The document lives here.
7. Breach Notification Plan
If ServerBid were to experience a data breach then all impacted customers would be notified within 72 hours.
8. Secure data transfer and storage outside the EU
All data is encrypted in storage and in transit. All EU data transferred outside of the EU will follow the strict rules of the EU Privacy Shield certification.
9. Technical and organizational security measures
ServerBid takes a holistic, risk-based approach to security. This means the platform secures your data in transit and at rest, restricts and secures data access, and provides continuous incident monitoring.
10. Processing according to controller instructions
ServerBid only processes personal data according to instructions from the controller (our customers).
11. We're coordinating with our vendors
We're reviewing all our vendors, finding out about their GDPR plans, and arranging similar GDPR-ready data processing agreements with them.
What Customers Need To Do
Fortunately we've made it as easy as possible for our customers to be compliant. In fact, if you have little European traffic and won't be collecting consent, then you don't need to do anything! In that case ServerBid will conservatively handle requests from European IP addresses to ensure compliance.
However, if you're collecting consent in order to track and use data about European residents, then there may be additional work setting up IAB's Daisybit field to pass consent. At this time, ServerBid is awaiting more guidance from the IAB and looking into what it takes to incorporate this into our platform.
ServerBid as the Data Processor
The GDPR specifies two types of companies in respect to data: Controllers (those who decide what to do with the data) and Processors (those who engage with the data on behalf of the controllers).
For ServerBid clients, ServerBid is the Data Processor, while our clients are the Controllers. According to Article 28, the relationship between the controller and the processor needs to be set out in writing (or signed electronically), and this is why we have a Terms of Service and a Data Processing Agreement.
ServerBid as the Data Controller
Additionally, ServerBid acts as the data controller for the personal data we collect about you, the user of our web app, mobile apps, and website.
First and foremost, we only process data that is necessary for us to perform our contract with you (GDPR Article 6(1)(b)).
Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)) — this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR.
Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).
What are these ‘legitimate interests’ we talk about?
- Improving the product
- Making sure that your data and ServerBid's systems are safe and secure
- Responsible marketing of our product and its features
- Collecting and storing form-fill-out information for sales outreach purposes
- Customer relationship management
As the controller for your personal data, ServerBid is committed to respecting all your rights under the GDPR. If you have any questions or feedback, or want to view/delete/rectify the data we have on you, please reach out to us at support@serverbid.com.
Sub-Processors ServerBid Uses
For a full list of sub-processors ServerBid uses, please visit this page.