Yes. Constructor has a long-standing compliance program ensuring continued compliance with the GDPR. Constructor’s service is built with a privacy-by-design and privacy-by-default architecture, only processing the bare minimum of data at all times. Wherever possible we anonymize, pseudonymize and strip identifiers from personal data to ensure customers operate with a minimized approach to data processing. Below are some examples of policies and initiatives Constructor has committed to satisfy GDPR requirements that apply to both Constructor and our customers:

• We maintain an information security policy comparable with ISO27001 series standards and we are maintaining security in the delivery of our Services in accordance with SOC2 standards (or any successor standards). These standards mirror many of the security and privacy requirements of GDPR and help give our customers a transparent framework to measure our development and data management practices. Assurance that Constructor maintains and follows these standards are affirmed through our annual SOC 2 Type 2 audit and ISO27001 certification. For more detailed information, review our security practices.
• When processing personal data regulated under GDPR, we commit to follow any additional security and privacy measures required under GDPR. For more detailed information, review our security practices.
• Although we limit our collection of personal data to only that which is strictly necessary to operate our services, in cases where personal data must be transferred outside of the UK/EU/Switzerland, we have implemented appropriate data transfer mechanisms as required by GDPR.
• We hold vendors that handle personal data to required data management, security, and privacy practices and standards.
• We carry out data impact assessments and consult with regulators where appropriate.
• We ensure that Constructor staff that process data that may contain personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data.
• We are U.S. Data Privacy Framework (DPF) certified (including the EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF)

Please review our Privacy Policy for a detailed description of Constructor’s compliance steps with GDPR.

Does Constructor process the personal data of its customers?

Constructor processes minimal customer personal data to provide the products and services as set forth in our customer agreement and for other limited purposes enumerated in our Privacy Policy.

What personal data does Constructor process when providing its services?

For users of Constructor's dashboard and other administrative services, this is limited to "business card" information of users that register for the service such as their names and email addresses, and an IP address. We may also obtain other contact information when we help you with a support issue.

Constructor also processes IP addresses of end users who interact with our customers’ websites and apps. We truncate the last octet for general service use like behavioral tracking, and only store the full IP securely with limited employee access for internal security purposes.

What is Constructor's role?

When providing personal data to Constructor, our customers are acting as a data controller and Constructor is acting as a data processor. Constructor is able to respond to data subject requests if provided with an IP address and timestamp of an end user.

Where does Constructor store and process my data?

Our goal is to provide our customers with secure, fast, and reliable services. Today, Constructor stores data in data centers owned by its third party cloud provider in the U.S., Germany, Singapore and Australia. Customers’ data is generally stored in the data centers closest geographically to where their end users are located, however all data ultimately makes its way to the U.S. for anonymization and aggregation. In order to bring you world class products, and to provide support and maintenance (for example, 24×7 support coverage), Constructor may also allow employees and contractors located outside the U.S. to access certain data for product development, and customer and technical support purposes. We ensure that all such disclosures are compliant with the law and that all use will be for the limited purpose described.

Is the hosting of my data in the European Economic Area (EEA) a requirement under GDPR?

For the purposes of using Constructor and processing your personal data, the hosting of personal data in the EU is not legally required. The European Commission clearly states that, under the GDPR, EEA entities can safely and legally transfer personal data to third countries such as the United States via contractual clauses ensuring appropriate data protection safeguards. This includes model contract clauses—so-called standard contractual clauses (SCCs)—that have been “pre-approved” by the European Commission. This is the reason for the existence of the SCCs.

For more information on this, please refer to the European Commission’s website, including an FAQ describing the validity of the SCCs for exporting personal data from the EEA to US. For example, this FAQ explains:

“SCCs as a tool for data transfers, for example, to comply with the requirements of the GDPR for transferring personal data to countries outside of the EEA. They contain specific data protection safeguards to ensure that personal data continues to benefit from a high level of protection when transferred outside the EEA. They can be used by data exporters, without the need to obtain a prior authorization (for the data transfer or the clauses used) from a data protection authority.”

Does Constructor enter into GDPR-compliant Data Processing Agreements (DPAs)?

Constructor will enter into a DPA with our customers or prospects who are data controllers and are sending us personal data. We provide a GDPR-compliant DPA that is tuned to our service, and we invite such customers to request and execute our DPA. Our DPA incorporates the latest 2021 SCCs published by the European Commission.

What is Constructor's commitment to EU International Data Transfer following the Schrems ii case?

The CJEU (in its judgment dated July 16, 2020) has upheld the SCCs as a valid mechanism to transfer personal data outside of the EEA. This means that Constructor customers can continue to rely on the SCCs included in tour DPA as a valid transfer mechanism under GDPR.