Mindtickle and the General Data Protection Regulation (GDPR)

At Mindtickle, we take data security and privacy seriously. We work continuously to meet our obligations under the GDPR and to be transparent about how we process data.

Mindtickle is committed to protecting our customers’ data by complying with the General Data Protection Regulation (GDPR) and other applicable privacy regulations such as the California Consumer Privacy Act (CCPA) and the UK Data Protection Act 2018 (UK DPA).

The GDPR gives individuals in the European Union more control over their personal data and replaces the patchwork of national privacy laws with a single regulation. It applies to organizations established in the EU and, regardless of where a company is located, to any organization that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour (Article 3).

We are here to support our customers

The GDPR assigns different roles to organizations that handle personal data.

The two main roles are Controller and Processor. A Controller determines the purposes and means of processing personal data (GDPR Article 4(7)); it does not need to “own” the data in any legal sense. Mindtickle customers are Controllers because they collect the personal data of their users and decide why and how it is processed. Mindtickle is a Processor because it processes that personal data on the customer’s behalf and on the customer’s documented instructions (Article 4(8) and Article 28).

We are committed to helping our customers meet their obligations as Controllers under the GDPR. Mindtickle has implemented data security and privacy processes and controls to help our customers meet their GDPR obligations; the Controller remains accountable for its own compliance, including the lawful basis for the data it uploads to the platform.

Approach to Security and Privacy

As the global leader in sales readiness, Mindtickle delivers a cloud platform that leading enterprises across the globe trust for business-critical services. Protecting our customers’ information and their users’ privacy is essential to Mindtickle. Mindtickle has adopted privacy and security by design for all development on the platform, so that security and privacy are built into every layer of the Mindtickle platform. Visit Mindtickle’s Trust Page to learn more about our approach to security and privacy.

Security Architecture

Data protection laws require organizations to implement appropriate technical and organizational measures to protect personal data against unauthorized processing and against accidental disclosure, access, loss, destruction, or alteration (GDPR Article 32 imposes this requirement on both controllers and processors). Mindtickle has a security and privacy program that meets industry standards, which enables Mindtickle and its customers to comply with the data protection laws and regulations applicable to the Mindtickle platform and services.

International Data Transfers

Mindtickle understands the rules for transfers of personal data outside the European Economic Area (EEA) and offers customers an international data transfer framework as part of our Data Processing Addendum. This addendum allows our customers to lawfully transfer personal data to the Mindtickle platform outside the EEA by relying on the Standard Contractual Clauses (GDPR Article 46(2)(c)).

Data Processing Addendum (DPA)

Mindtickle offers a GDPR-compliant Data Processing Addendum (DPA) that gives our customers privacy protection assurance, helps us comply with our obligations as a Data Processor, and helps our customers meet their obligations as Data Controllers. Mindtickle’s DPA supplements the Terms of Service or any master subscription agreement and sets out our obligations as a processor of Customer Data, as GDPR Article 28(3) requires.

Standard Contractual Clauses

Commission Implementing Decision (EU) 2021/914 of 4 June 2021 adopted new Standard Contractual Clauses (SCCs, also known as Model Contractual Clauses) for transfers of personal data to third countries under Regulation (EU) 2016/679. Following the transition period, the new SCCs have replaced the SCCs previously adopted by the Commission; contracts relying on the old SCCs had to be migrated by 27 December 2022. Mindtickle has incorporated the new SCCs into our Data Processing Addendum to help protect our customers’ data and meet the requirements of European privacy legislation.

UK International Data Transfer Addendum

Mindtickle complies with Article 46 of the UK GDPR and offers the international data transfer tool issued by the Information Commissioner’s Office (ICO) under Section 119A of the Data Protection Act 2018: the International Data Transfer Addendum to the EU SCCs (the ICO also issues a standalone International Data Transfer Agreement, IDTA). The addendum allows organizations to transfer personal data outside the UK and is included in Mindtickle’s pre-signed Data Processing Addendum (DPA) offered to its customers.


Transfer Impact Assessment

Mindtickle has prepared a Transfer Impact Assessment (TIA) report in response to the Schrems II decision of the Court of Justice of the European Union (C-311/18), which requires data exporters to assess whether the law and practice of the destination country undermine the protection the SCCs provide. The TIA report describes the safeguards Mindtickle has put in place for transfers of customer personal data from the European Economic Area, the United Kingdom, and Switzerland, and documents Mindtickle’s ability to comply with its obligations as a “data importer” under the Standard Contractual Clauses (SCCs). Mindtickle can share the TIA report with customers and prospects upon request.

Data Privacy Framework (DPF) 

Mindtickle is certified under the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, which were developed by the U.S. Department of Commerce together with the European Commission, the UK Government, and the Swiss Federal Administration.

The Data Privacy Framework provides a reliable mechanism for transfers of personal data to the United States from the European Union, the United Kingdom, and Switzerland, with data protection consistent with EU, UK, and Swiss law.

Our Data Privacy Framework certification, including participation status, the purposes of data collection, and the dispute resolution mechanism, can be accessed here.


Data Location and Residency

Mindtickle hosts primarily three categories of customer data –

  1. Learning Content & Call Recordings – This data includes the learning content uploaded for the user’s consumption (e.g. training videos, SCORM packages, images, PDF documents, PowerPoint presentations, etc.) and the call recordings along with the transcripts. This is mainly the training content used by the sales enablement and readiness teams to train their sales representatives.
  2. User Profile Data – This data includes the learner profile fields such as business email ID, job title, business title, department, user group, region, employee ID, managers, reviewers, directors, supervisors, hire date, work city, work country, etc.
  3. User Progression Data – This data includes the progress of the learners, statistics, completion status, analytics, quiz score, call recording metadata, etc. 

Customer data is stored on Amazon Web Services (AWS), distributed across multiple availability zones. Data hosting location determinations are based on reducing latency and achieving optimal performance for you and your users. Mindtickle optimizes where to host customer data based on how it is accessed worldwide. Mindtickle provides the below options for prospects to choose the AWS data center for storing learning content and/or call recordings.

  • Ireland in Europe Region
  • Singapore in Asia Region
  • North Virginia in United States Region

Mindtickle stores user profile data and user progression data in the Singapore region, regardless of the region chosen for learning content and call recordings. For customers whose users are in the EEA or the UK, this means the personal data in these two categories is transferred outside the EEA/UK and relies on the Standard Contractual Clauses and the UK International Data Transfer Addendum described above, not on the DPF, which covers only transfers to the United States.

With the above options, Mindtickle will access customer data from India for administrative and maintenance activities and from the United States for customer success, professional services, and technical support activities. Before configuring and setting up your Mindtickle site, contact your Mindtickle point of contact to understand the data storage location options.

Access Management

Mindtickle may need access to customer learning sites to provide customer success, professional services, and technical support services. This access is controlled and managed by the customers.

Cloud infrastructure hosting customer data can be accessed from India for performing administrative and maintenance activities.

  • Only limited individuals, from DevOps and Storage teams, part of Mindtickle’s India entity are granted access to cloud infrastructure hosting customer and personal data.
  • This access is provided based on the principle of least privilege using Lightweight Directory Access Protocol (LDAP) groups mapped to the IAM access permissions and reviewed on a quarterly basis.
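
As an added example (not Mindtickle’s own tooling), the Python below shows what the quarterly review of the group-to-IAM mapping described above can look like in practice: it derives the roles each person is entitled to from directory group membership, compares that with the roles they can actually assume, and flags role policies that are broader than least privilege requires. The group DNs, role ARNs, people and policy statements are constructed sample data; in a real review the assignment snapshot would come from your SSO/IAM configuration or CloudTrail AssumeRole events.

```python
"""Quarterly access review: reconcile directory (LDAP) group membership with
the IAM roles people can actually assume, and flag over-broad role policies.

Added example, not Mindtickle's tooling. Group DNs, role ARNs, people and
policy statements are constructed sample data.
"""
from collections import defaultdict

ACCOUNT = "123456789012"
INFRA_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/infra-admin"
S3_OPS = f"arn:aws:iam::{ACCOUNT}:role/s3-ops"

# Approved mapping: directory group -> roles its members may assume.
GROUP_TO_ROLES = {
    "cn=devops,ou=groups,dc=example,dc=com": {INFRA_ADMIN},
    "cn=storage,ou=groups,dc=example,dc=com": {S3_OPS},
}

# Constructed directory export: group -> current members.
LDAP_MEMBERS = {
    "cn=devops,ou=groups,dc=example,dc=com": {"alice", "bob"},
    "cn=storage,ou=groups,dc=example,dc=com": {"carol"},
}

# Constructed snapshot of effective access: user -> roles they can assume.
IAM_ASSIGNMENTS = {
    "alice": {INFRA_ADMIN},
    "bob": {INFRA_ADMIN, S3_OPS},  # s3-ops is not backed by any group membership
    "dave": {S3_OPS},              # no longer in any mapped group (left the team)
}

# Constructed role policies: role -> IAM statements.
ROLE_POLICIES = {
    INFRA_ADMIN: [{"Effect": "Allow", "Action": ["ec2:*", "rds:Describe*"], "Resource": "*"}],
    S3_OPS: [{"Effect": "Allow", "Action": "*", "Resource": "*"}],  # far broader than the name suggests
}


def entitled_roles(ldap_members, group_to_roles):
    """Roles each user should have, derived only from group membership."""
    entitled = defaultdict(set)
    for group, members in ldap_members.items():
        for user in members:
            entitled[user] |= group_to_roles.get(group, set())
    return entitled


def review_assignments(ldap_members, group_to_roles, iam_assignments):
    """(user, role, finding) for every assignment not justified by a group."""
    entitled = entitled_roles(ldap_members, group_to_roles)
    findings = []
    for user, roles in sorted(iam_assignments.items()):
        if user not in entitled:
            findings += [(user, r, "orphaned: user is in no mapped group") for r in sorted(roles)]
            continue
        findings += [(user, r, "excess: role not granted by any of the user's groups")
                     for r in sorted(roles - entitled[user])]
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def review_policies(role_policies):
    """(role, finding) for Allow statements granting wildcard actions on all resources."""
    findings = []
    for role, statements in sorted(role_policies.items()):
        for stmt in statements:
            if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
                continue
            actions = _as_list(stmt.get("Action", []))
            if "*" in actions:
                findings.append((role, "full admin: Action '*' on Resource '*'"))
            elif any(a.endswith(":*") for a in actions):
                findings.append((role, "service-wide wildcard action on all resources"))
    return findings


if __name__ == "__main__":
    for user, role, why in review_assignments(LDAP_MEMBERS, GROUP_TO_ROLES, IAM_ASSIGNMENTS):
        print(f"ACCESS  {user:<6} {role}  {why}")
    for role, why in review_policies(ROLE_POLICIES):
        print(f"POLICY  {role}  {why}")
```

The two checks answer different questions a reviewer has to ask each quarter: whether every person who can assume a role is still in a group that justifies it (orphaned and excess access), and whether the roles themselves are still scoped to what the team needs (a role named s3-ops that carries Action "*" is a least-privilege failure even if its membership is correct).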


Encryption

Customer data is encrypted in transit over HTTPS using TLS 1.2, with a server certificate that uses a 2048-bit RSA key and a SHA-256 signature, and at rest with AES-256 using keys maintained in AWS Key Management Service (AWS KMS). For encryption in transit, the AES-128-GCM cipher suites with SHA-256 (the *_AES_128_GCM_SHA256 suites) and the AES-256-GCM suites with SHA-384 (the *_AES_256_GCM_SHA384 suites) are supported; the suite used for a given session is negotiated during the TLS handshake with the browser. Note that the SHA-256 or SHA-384 in a GCM suite name identifies the handshake hash (PRF), not a signature; GCM itself provides the integrity protection for the application data.
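
The cipher-suite policy described above (TLS 1.2 or newer, AES-GCM suites only) can be enforced on the client side and checked offline with Python’s ssl module, as in this added example (not Mindtickle’s code). It contrasts a permissive OpenSSL cipher list with a hardened one and reports any enabled suite that is not an AEAD suite or that belongs to a protocol older than TLS 1.2, without connecting to any server. The ECDHE/DHE key exchange in the hardened cipher string is this example’s choice; the page does not say which key exchange Mindtickle’s endpoints negotiate.

```python
"""Offline check of a TLS client policy: TLS 1.2+ and AEAD (AES-GCM) suites only.

Added example, not Mindtickle's code. It inspects the suites the local OpenSSL
would offer under each configuration; nothing is sent over the network.
"""
import ssl

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def permissive_context() -> ssl.SSLContext:
    """Deliberately loose client context: OpenSSL's full 'ALL' cipher list, which
    still contains CBC suites with HMAC and static-RSA key exchange (no forward secrecy)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Client context matching the policy above: certificate verification on,
    TLS 1.2 minimum, and only (EC)DHE key exchange with AES-GCM for TLS 1.2.
    TLS 1.3 suites are AEAD-only by design and stay enabled."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL")
    return ctx


def policy_violations(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that break the policy: any non-AEAD suite
    (CBC + HMAC) or any suite that predates TLS 1.2."""
    return [c["name"] for c in ctx.get_ciphers()
            if not c["aead"] or c["protocol"] not in ALLOWED_PROTOCOLS]


def suite_names(ctx: ssl.SSLContext) -> list:
    """Enabled suite names in OpenSSL priority order, e.g. ECDHE-RSA-AES128-GCM-SHA256.
    The trailing SHA256/SHA384 is the handshake hash, not a signature algorithm."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("permissive violations (first 5):", policy_violations(permissive_context())[:5])
    print("hardened suites:", suite_names(hardened_context()))
    print("hardened violations:", policy_violations(hardened_context()))
```

The same check works on the server side: build the server context the same way and confirm `policy_violations()` is empty before deploying, so that a browser can never negotiate a CBC suite or a pre-1.2 protocol even if it offers them.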

Administrative access to the AWS console requires multi-factor authentication. Console sessions run over the encrypted HTTPS connection that AWS uses for console access, and data is encrypted at rest at both ends (in AWS and on Mindtickle laptops).

AWS Key Management Service

Mindtickle uses Amazon S3 server-side encryption with AWS KMS keys (SSE-KMS), in which the KMS key that protects the data keys is managed by AWS. Mindtickle enables SSE-KMS when creating the S3 buckets that store customer data.

Decryption is performed by AWS before data is served to authenticated requests from the authorized Mindtickle account. In this process, the keys used to encrypt and decrypt customer content are never handled by Mindtickle in any workflow: S3 encrypts each object with a per-object data key, and that data key is itself encrypted under the KMS key. AWS KMS holds key material in hardware security modules (HSMs), and the key never leaves the HSM in plaintext, so no one, Mindtickle staff included, can obtain the key material itself. Note that the ability to have AWS decrypt with the key is still governed by the KMS key policy and the IAM permissions of the AWS account, so least-privilege IAM (see Access Management above) and the logging of KMS API calls in AWS CloudTrail are what control who can read customer data.
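
To make the SSE-KMS arrangement concrete, here is an added example in Python (not Mindtickle’s configuration; the bucket name, account ID and key ARN are placeholders): the bucket default-encryption configuration that S3 applies to every new object, a bucket policy that denies uploads which explicitly request a weaker encryption mode or a different key, and a small evaluator for the two IAM condition operators the policy uses. It also shows a common pitfall: a policy that uses StringNotEquals alone denies uploads that omit the header, even though default encryption would have protected them.

```python
"""S3 + KMS at-rest encryption: default-encryption config, a deny policy that
enforces it, and an evaluator for the policy's IAM conditions.

Added example, not Mindtickle's configuration. Bucket, account and key ARN
are placeholders. The evaluator models only the explicit-Deny statements of
the bucket policy and assumes the caller is otherwise allowed s3:PutObject.
"""
import json

BUCKET = "example-customer-content"
KMS_KEY_ARN = "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"
SSE_HEADER = "x-amz-server-side-encryption"
KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"

# Default encryption: applied by S3 to any PutObject that sends no SSE headers.
# This is the argument shape for s3.put_bucket_encryption(...).
DEFAULT_ENCRYPTION = {
    "Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": KMS_KEY_ARN,
        },
        "BucketKeyEnabled": True,  # fewer KMS calls; key material still never leaves KMS
    }]
}


def _deny(sid, condition):
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*", "Condition": condition}


# Correct policy: deny only when a header is present AND names something else.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    _deny("DenyNonKmsEncryptionHeader", {
        "Null": {f"s3:{SSE_HEADER}": "false"},
        "StringNotEquals": {f"s3:{SSE_HEADER}": "aws:kms"}}),
    _deny("DenyOtherKmsKey", {
        "Null": {f"s3:{KEY_HEADER}": "false"},
        "StringNotEquals": {f"s3:{KEY_HEADER}": KMS_KEY_ARN}}),
]}

# Pitfall: without the Null guard a missing header satisfies StringNotEquals
# (negated operators are true for absent keys), so ordinary uploads that the
# bucket default would have encrypted are rejected.
NAIVE_POLICY = {"Version": "2012-10-17", "Statement": [
    _deny("DenyUnlessKms", {"StringNotEquals": {f"s3:{SSE_HEADER}": "aws:kms"}}),
]}


def _condition_matches(condition, headers):
    """IAM semantics for the two operators used above; every clause must hold."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = headers.get(key[len("s3:"):])  # s3:x-amz-... -> request header
            if operator == "Null":
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def upload_allowed(policy, headers):
    """True unless some Deny statement for s3:PutObject matches the request."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject"
                and _condition_matches(stmt.get("Condition", {}), headers)):
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    for hdrs in ({}, {SSE_HEADER: "AES256"},
                 {SSE_HEADER: "aws:kms", KEY_HEADER: KMS_KEY_ARN}):
        print(hdrs, "->", "allowed" if upload_allowed(BUCKET_POLICY, hdrs) else "denied")
```

The default-encryption rule is what guarantees every object is KMS-encrypted; the bucket policy is a second guard so that a client cannot override that default with SSE-S3 or a key outside the account’s control. When verifying a vendor’s claim of SSE-KMS, ask for both the bucket encryption configuration and the key policy of the KMS key it names.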


Certifications

We have invested heavily in ensuring that our platform is built and designed according to widely accepted standards and certifications. These standards mirror many of the security and privacy requirements of the GDPR and give our customers a transparent framework by which they can measure our software development and data management practices.

Mindtickle regularly audits its platform against the Trust Services Criteria prescribed by the American Institute of Certified Public Accountants (AICPA) and obtains a System and Organization Controls 2 (SOC 2) Type 2 report. This third-party assurance audit is performed annually to obtain an independent opinion on the suitability of the design and the operating effectiveness of the implemented controls over the audit period (a Type 1 report, by contrast, covers design only at a point in time). Mindtickle can share its SOC 2 Type 2 report with customers and prospects upon request.

Privacy and Security Measures

Information security is our highest priority, and we have implemented robust technical and organizational measures to ensure that our customers’ data remains secure.

Mindtickle’s technical and organizational security measures, as updated from time to time, provide an appropriate level of security and privacy to all its users, taking into account the nature, scope, context, and purpose of the processing, and the risks to the rights and freedom of natural persons.


Privacy Policy

We have worked with independent auditors and lawyers to ensure our privacy policy complies with GDPR. Our policy outlines our commitment to maintaining the privacy of our customers’ data. It also explains what we have done to ensure our customers’ data is secure and what choices are available to them.


Pseudonymization

Information stored in activity logs and databases is pseudonymized wherever possible by replacing the user’s identity with a unique random user identifier. The logs and databases themselves contain nothing that links the identifier back to a specific data subject; the mapping is held separately, which is what distinguishes pseudonymization (GDPR Article 4(5)) from anonymization, where no re-identification is possible at all.
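
As an added illustration (not Mindtickle’s implementation), the Python below shows why the choice of identifier matters for this kind of pseudonymization: an unkeyed hash of the e-mail address can be reversed by anyone with a list of plausible addresses, whereas an HMAC under a key held outside the logging system cannot, while still giving the controller a stable identifier it can link back when it needs to. The key, addresses and event record are constructed sample data.

```python
"""Pseudonymous user identifiers for logs: unkeyed hash (weak) vs. keyed HMAC.

Added example, not Mindtickle's implementation. The key, addresses and event
record are constructed. The HMAC key stands in for the "additional
information kept separately" that GDPR Art. 4(5) requires.
"""
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed: a secret held by the controller, outside the log pipeline.
PSEUDONYM_KEY = bytes.fromhex(
    "8f3a1c9e4b2d7f60a5e8c1d2b3a4f5e6" "0123456789abcdef0123456789abcdef")

# Constructed list an attacker could plausibly assemble (e.g. from a company directory).
CANDIDATE_ADDRESSES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def _canonical(user_id: str) -> bytes:
    """Normalise so that 'Alice@Example.com' and 'alice@example.com' map together."""
    return user_id.strip().lower().encode("utf-8")


def naive_pseudonym(user_id: str) -> str:
    """Unkeyed SHA-256: stable, but anyone can recompute it for guessed inputs."""
    return hashlib.sha256(_canonical(user_id)).hexdigest()[:32]


def keyed_pseudonym(user_id: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: stable per key, infeasible to recompute
    without the key, and different keys give unlinkable identifiers."""
    return hmac.new(key, _canonical(user_id), hashlib.sha256).hexdigest()[:32]


def reidentify_by_guessing(pseudonym: str, candidates: Iterable[str],
                           derive: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: recompute `derive` over candidates and compare."""
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), pseudonym):
            return candidate
    return None


def pseudonymize_event(event: dict, key: bytes, field: str = "user") -> dict:
    """Return a copy of a log/analytics record with the user field pseudonymized."""
    out = dict(event)
    out[field] = keyed_pseudonym(event[field], key)
    return out


if __name__ == "__main__":
    weak = naive_pseudonym("alice@example.com")
    strong = keyed_pseudonym("alice@example.com", PSEUDONYM_KEY)
    print("naive pseudonym recovered:", reidentify_by_guessing(weak, CANDIDATE_ADDRESSES, naive_pseudonym))
    print("keyed pseudonym recovered:", reidentify_by_guessing(strong, CANDIDATE_ADDRESSES, naive_pseudonym))
    print(pseudonymize_event({"user": "Alice@Example.com", "module": "m-42", "score": 87}, PSEUDONYM_KEY))
```

Rotating the key (or using a per-customer key) bounds how long identifiers in different datasets can be linked to each other; a random token stored in a separate lookup table achieves the same property without a key, at the cost of maintaining that table.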


Data Minimization

Mindtickle only collects the minimum information necessary for the provision of our service. Mindtickle platform administrators of customer organizations typically need user details (name, business titles, and business email addresses) and training content to run enablement programs on the Mindtickle platform. The customer-designated administrators will decide the exact data scope based on the use case.

We do not process special personal data categories (as per Article 9 of GDPR). We have signed contractual agreements and DPA with third parties to store and process your personal data and that of your customers. You can find the list of these sub-processors in our Sub Processor Repository.


Purpose of Data Collection and Storage

Mindtickle hosts data as part of the service it provides to its customers but doesn’t make any claim to said data. Mindtickle’s customers are the owners and controllers of all data they submit onto the platform.


Controls with Sub-processors

As specified in the Data Processing Addendum, Mindtickle

  1. takes responsibility for the actions of its Sub-processors, and
  2. has entered into a written agreement with each Sub-processor containing, in substance, data protection obligations no less protective than those in our Customer agreements.

Customers can find up-to-date information about the hosting locations of Sub-processors in our Sub Processor Repository. Customers may subscribe to notifications of new Sub-processors. Mindtickle will notify all subscribed Customers of a new Sub-processor before authorizing it to process Customer Data, and Customers may object to the intended use of a new Sub-processor using the procedure set out in the Data Processing Addendum.

Mindtickle’s Access to Customer Personal Data

Mindtickle’s Data Processing Addendum contains a contractual commitment from Mindtickle that its personnel may access Personal Data only in accordance with the Customer’s documented instructions for specific purposes. These purposes include: (i) as required under the Data Processing Addendum; (ii) as initiated by the Customer in their use of the Mindtickle Services; and (iii) to comply with other instructions provided by the Customer. The locations of Mindtickle’s Affiliates that employ personnel who may access Personal Data for these purposes are set out in the Sub-processor List.


Mindtickle Employee Training and Confidentiality Obligations

Mindtickle commits in its Data Processing Addendum to ensure that its personnel have been appropriately trained, are reliable, and have entered into confidentiality agreements. Employees also undergo regular security, data protection, and privacy training.

The Rights of Data Subjects

Our customers and their end-users can access, correct, and modify their data stored on the Mindtickle platform. End-users can also contact us at [email protected] if they want to access, correct, or remove their data. As a Processor, we will forward these requests to the relevant customers and help them respond if needed.


Right to Access and Data Portability

Mindtickle supports individuals’ right of access and right to data portability. Any Mindtickle platform user can request an export of their own personal data, and customer administrators can export the personal data of their end-users.

Mindtickle also provides easy access to, and options to export, all platform data, including learning content and user profile data. Administrators of customer organizations can perform these actions from the admin site or via the reporting APIs and can download or email the required data. They can also reach out to the Mindtickle support team at [email protected] for assistance.

Right to Accuracy, Correction, Deletion, and Modification

Mindtickle provides ways of keeping all personal data of your learners accurate via its platform and APIs.

Mindtickle also supports all data subject requests for change, correction, or deletion of their personal information. Users can reach out to us at [email protected] for such requests, and as a Processor, we will forward these requests to the relevant customers and help them respond if needed.


Data Retention Policy

As a processor of its customers’ data, and to protect the privacy of the information it stores, Mindtickle holds data no longer than is needed to provide its services. Mindtickle has implemented the following data retention policy:

  • Mindtickle deletes all customer personal information from the platform 180 days after contract termination.
  • Customers can also ask us to permanently delete their company data, or individual users’ data, stored on our platform at any time.

We have put in place mechanisms to delete our customers’ data upon request or at the end of their contract. If you are a Mindtickle customer and would like to delete specific data, please contact us at [email protected]. The only information retained after contract termination is that which must be kept for compliance or legal reasons.

Right to Notice

Mindtickle enables customers to notify their users about collecting and using their Personal Data through a privacy policy link (drafted by the customer) that can be displayed on the Mindtickle platform login page.


Incident Management

Mindtickle maintains multiple monitoring systems to detect and alert on incidents. Mindtickle will notify Customers after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, within the period required under applicable Data Protection Laws. Under GDPR Article 33(2) a processor must notify the controller without undue delay after becoming aware of a personal data breach, so that the controller can meet its own 72-hour deadline for notifying the supervisory authority under Article 33(1); customers should confirm the specific notification window in the Data Processing Addendum. Mindtickle will also provide timely information to Customers to enable them to fulfil their data breach reporting obligations under Data Protection Laws.

Data Protection Officer

Mindtickle has a dedicated Data Protection Officer (DPO) supported by a team of privacy and security professionals, who help our customers maintain their compliance when using Mindtickle.

If you would like to reach our DPO or have follow-up questions, please contact us at [email protected].

EU Representative

As required under Article 27 of the GDPR for controllers and processors not established in the European Union (EU), Mindtickle has appointed an EU representative established in one of the Member States. You can contact our privacy team or Data Protection Officer for further information.

New Product Features

As a leader in Sales Readiness Software Solutions, we are constantly innovating and adding new product capabilities. Our new product capabilities follow three cornerstone principles:

  • They align with GDPR principles of “privacy by design” and “privacy by default.”
  • They give EU and non-EU customers flexibility within the GDPR guidelines.
  • All significant changes are communicated to our customers.


We are Here to Answer Your Questions

We are always happy to answer any questions about the privacy and security of our customers’ data, the GDPR, or sales enablement in general. Feel free to contact us at [email protected] for security questions or [email protected] for privacy questions.