GDPR Readiness

Customer happiness is our highest priority at Certify, and this extends beyond our products and into the protection of our customer's data. While we already maintain the strictest data protection and privacy policies for our customers, the GDPR requires additional processes to be implemented to maintain compliance. With the massive scope of changes required to comply with the General Data Protection Regulation, we know that many organizations may have questions about new obligations under the GDPR.

On this page, we'll explain our methods and plans to achieve GDPR compliance, both for ourselves and for our customers.

What is GDPR and why does it matter?

The EU General Data Protection Regulation (GDPR) is the most comprehensive EU data privacy law in decades and will go into effect on May 25, 2018. Besides strengthening and standardizing user data privacy across the EU nations, it will require additional obligations for all organizations that handle EU citizens' personal data, regardless of where the organizations themselves are located.

The new regulations are designed to better reflect the interconnected nature of our world regarding consumer's right to privacy, protection of personal data, and business usage of personal data across the European Union.

How is SpringAheadhandling GDPR compliance?

Keeping our customer's data secure is one of the many ways we keep our customers happy. The recent advances with GDPR and streamlining data protection requirements across Europe have provided an opportunity for us to make changes to how we handle and process our data. While our existing security and privacy programs provide our customers with the highest security standards, the added layer of GDPR compliance will give our customers increased peace of mind.

Additionally, the SpringAhead Legal and Privacy teams have carefully analyzed the GDPR and have taken the necessary steps to ensure we comply with the regulation including:

  • Assessing our current level of compliance, then identifying and prioritizing those tasks needed to update our privacy policies, procedures, and practices to achieve compliance.
  • Conducting an inventory of customer and employee data flows, data sharing relationships, practices and procedures across the Certify, Nexonia, and Tallie products. This will result in the creation of a Data Inventory which we will maintain.
  • Making sure we have the appropriate contractual terms in place.
  • Ensuring we can continue to support international data transfers by maintaining our Privacy Shield certifications, and by executing Standard Contractual Clauses through our updated Data Protection Addendum.

In addition to these specific objectives, we will continue to monitor the guidance around GDPR compliance from privacy-related regulatory bodies and will adjust our plans accordingly.

Is SpringAhead undertaking GDPR compliance on its own?

Certify, Inc. has partnered with TrustArc to assist in our compliance efforts. TrustArc (formerly TrustE) is considered the foremost GDPR compliance expert in the privacy industry. All TrustArc consultants are former Chief Privacy Officers, have completed the EU-US Privacy Shield Verifications, and many have worked personally with European Union officials and working groups on GDPR specifics since the reform was created.

With this trusted partner guiding our compliance process, we're on-track to obtain GDPR compliance before the May 25, 2018 deadline.

What is a Data Protection Addendum (“DPA”)?

Certify, Inc. will be offering customers and prospects a robust Data Protection Addendum (“DPA”), which governs the relationship between the customer (acting as a data controller) and Certify, Inc. (acting as a data processor). The DPA facilitates our customers' compliance with their obligations under EU data protection law.

Our DPA is a key requirement for compliance with the GDPR. Our DPA contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to Certify, Nexonia, Tallie, ExpenseWatch, and SpringAhead brands, which are systems that are hosted outside of the European Union. Such data transfers require the foundation of one of three mechanisms: our Binding Corporate Rules, our Privacy Shield certification, or Standard Contractual Clauses.

What does this mean for SpringAhead customers?

We know that meeting the GDPR obligations will take a lot of time and energy. While the changes you and your team will experience will be a minimum, there are a few steps required in to maintain compliance with the new regulations.

Compliance with the GDPR requires a partnership between SpringAhead and our partners and customers in their use of applicable SpringAhead products. In this context, SpringAhead will act as a data processor and our partners and customers generally will act as data controllers.

Working together, we hope to explore opportunities within our relevant service offerings to assist our partners and customers meet their GDPR obligations. In the meantime, SpringAhead encourages partners and customers to independently familiarize themselves with the GDPR.

What if my company doesn't have any employees in the European Union?

While your company may not have any employees in the EU, if you collect data from users who reside in the EU, your company is required to comply with the GDPR. We’ve included a robust Data Protection Addendum (DPA) that takes most of the heavy lifting out of compliance for your company when using applicable Tallie products.

We can also offer a simple waiver that customers with no EU nexus can sign instead of our DPA. However, it should be noted that customers who sign such a waiver would be choosing to retain all responsibility for compliance with GDPR.

We recommend that all customers sign the DPA so that our GDPR compliance can benefit your organization.

What if we have more questions about GDPR compliance with Certify?

Additional GDPR resources can be found here:

As always, please feel free to contact your Account Manager or Support team with any questions or concerns you may have. Alternatively, you may email us at support@springahead.com.


This page is intended to provide helpful guidance to SpringAhead customers on the GDPR and not as a comprehensive solution or legal advice. Each organization should undertake their own steps to ensure compliance with the new regulation.