DATA AND SECURITY – Q&A
Q. Does Made with Intent collect personal data?
A. At Made with Intent, we want to allow for personalisation while fully respecting your users’ privacy. We do this by modelling behaviour patterns that allow us to show contextually valuable personalisation without ever having collected or processed any personal data. We collect behavioural data that is disassociated from the user - not personal data.
As a data processor, we facilitate data collection from your website and our tools and scripts never ask that you, as the data controller, must collect personal data from your users.
Q. Do you take any additional measures in relation to PII?
A. We have mechanisms in place to ensure that personal identifiable information is sanitised and deleted before it is our processed into our data warehouse.
Q. What data do you collect?
A. We collect contextual data such as URL, user agent, screen dimensions, page referrer, user local time and timezone; client-available data such as ecommerce product price, brand and category information; and interactive data such as DOM element attributes.
Q. Isn’t behavioural data considered personal data?
A. We understand that there are situations where behavioural data has been considered personal data and we agree that in certain cases it is. We collect behavioural data but it is not considered personal data as:
- it is aggregated
- it is anonymised
- the data is disassociated from the user from the start
Q. Do you use cookies?
A. Made with Intent do not use cookies but do use local storage. We use local storage to store arbitrary user and session IDs and hold references to user behaviour required for segment matching.
Q. What can we do to ensure best practice on data?
A. We encourage customers to follow best practice and suggest that you require the same consent as most analytics tools for Made with Intent; this is usually the "statistics", "analytics" heading of your consent banner, or "analytics_storage" under GA's consent mode. Targeting or marketing permissions are not required.
Q. Who are the data subjects whose data you will be processing (as a Data Processor)? Examples may include customers, prospects, employees and the general public.
A. A data subject is any web site user for which the Made With Intent tracking scripts are executed. In practice we expect that this will be users of a brand website for which consent to track analytics data is given.
Q. What categories of personal data will you be processing as a Data Processor?
A. Arbitrary local storage identifiers.
Q. Will you be processing any special category personal data? If yes, please describe.
A. No.
Q. What personal data, if any, will you be processing as a Data Controller? Please include the data subjects (categories) and the categories of personal data.
A. Online identifiers - arbitrary IDs generated by Made with Intent - e.g. lw93kb8800afp9klav2u-71 - are stored in LocalStorage.
Q. Do we have a data sharing agreement with you, which covers the nature of the processing activity, the data in scope and the obligations of each party in respect to that personal data?
A. No.
Q. Please provide full details of any subsidiaries, affiliates or other group companies that will provide any part of the services; what service elements they will perform, their locations and the arrangements you have in place to ensure that those companies will comply with any data protection terms that you agree with.
A. Data Sub-Processors:
AWS - strong security, ISO 27018 compliance.
Snowflake - Continuous data protection and regulatory compliance (https://docs.snowflake.com/en/user-guide/data-cdp).
Atlas MongoDB.
Q. Where used, do you only use sub-processors that provide sufficient guarantees to implement appropriate technical and organisational measures, and to protection the rights of individuals?
A. Yes.
Q. Do you provide written notice before engaging a sub-processor and allow sufficient time (at least 30 days) to object? If not, please justify and describe the current process.
A. No. We do not actively engage new data subprocessors without (a) discussions covering the security, performance and data privacy implications of such an engagement (b) agreement by CPO, VP Engineering, VP Product Data and Analytics.
The data we collect is pseudo anonymised, aggregated and sent downstream to data warehousing and data processing services.
We also do not directly send data to 3rd party vendors and data sub-processors such as Google analytics - the act of sending Made with Intent data to those vendors is owned by the Data Controller.
Q. Please describe the location the personal data in scope is transferred to (including where it is accessed and the location of any file storage or backups).
A. AWS regions London (eu-west-2) and Ireland (eu-west-1) are used.
Q. If any data is transferred outside of the UK or EU, what transfer mechanisms are used? Please describe these transfer mechanisms and any data transfer risk assessments associated with this transfer. Examples of transfer mechanisms may include Standard Contractual Clauses or Binding Corporate Rules.
A. None.
Q. Does this activity include the sharing of personal data to any sub processors? If so, please describe these (including the name of these subcontractors, the services in scope and the transfer locations).
A. No.
Q. Where sub processors are used, do you have a contract with the sub-processor covering all processing activities and ensure that they only process personal data according to the contract?
A. N/A
Q. At the end of the agreement, or on completion of the processing activity, we will require you to return or delete (on instruction or via associated contractual obligations) any personal data or other confidential information processed in association with this service. Please confirm that you will be able to do this or, if you believe you will need to retain data for any reason, please explain why and provide details of your record retention policy (and a copy, if possible).
A. The platform operates in a tenanted way such that all data is stored in its own database. This means we can effectively delete all website visitor information that is stored in our databases. This can be actioned in a short time window.
Data stored in backups can not be erased immediately on request. The data will remain in the environment for a period of time until it is expired by virtue of its age in line with our data retention policy (24 months). This is because backups are required for disaster recovery, and the data is "beyond use", so is not practically accessible.
Q. Does your organisation have a data protection policy/program, which covers the following areas: - Defined scope of personal data - Roles and responsibilities of all employees - How to identify a Data Subject Access Request - Data breach identification and reporting - Mandatory data protection training requirements.
A. As part of ISO27001 we are formalising policies with regards to Data Protection.
Q. Do you have a Data Protection Officer (or similar senior person responsible for data protection and privacy compliance)? Please provide their name, job title and contact details.
A. Yes - Damian Dawber (damian@madewithintent.ai).
Q. Do you provide data subjects with a privacy notice (privacy policy) which covers the service/processing activity you are providing? Please provide a link or a copy of this notice.
A. Made With Intent customers should update their own privacy terms as per our customer onboarding documentation.
Please see our data privacy onboarding pack: https://madewithintent.notion.site/Data-Privacy-Onboarding-Pack-441e5613d3ca4ec0be1b1c15d5c10599
Q. Where acting as a Data Controller, do you have a process to manage suspected and actual data breaches which: - assesses the risk to data subjects? - requires reporting of suspected or actual breaches, which cause a risk to data subjects, within 72 hours? - Requires the root cause of breaches and requires mitigation and control reviews to address areas of risk? If no to any of these, please describe what is in place and justify where unable to comply.
A. As part of ISO27001 we are formalising policies with regards to Incident Response Plans.
All customers will be notified within 24 to 48 hours should a breach occur (including any information of data compromised).
Q. Where acting as a data processor, do your data breach response plans, and associated policies and processes, require the following: - that all suspected breaches are reported to the relevant data controller (e.g. the retailer) within 48 hours? - to provide data controllers with reasonable assistance, and supporting evidence, to assess the risk to data subjects and the effectiveness of controls? - to cooperate with any supervisory authority or law enforcement agency, where necessary? If no to any of these, please describe what is in place and justify where unable to comply.
A. As part of ISO27001 we are formalising policies with regards to Incident Response Plans.
All customers will be notified within 24 to 48 hours should a breach occur (including any information of data compromised).
Q. Have you ever suffered a confirmed data loss, data breach or other data security related incident in the last twelve (12) months? If yes, please provide full details below confirming whether the breach was resolved and, if so, how.
A. No.
Q. Do you conduct Data Protection Impact Assessments on all processing activities that may cause a high risk to data subjects? If so, please describe.
A. As we do not collect PII / special category data, we do not frequently perform internal Data Protection Impact Assessments for data processing activities outside of our SDLC. As part of our SDLC, we perform code reviews to ensure that data processing activities are in scope of client / contractual agreements, GDPR and other governance frameworks.
Our data processing activities are not considered "likely to result in a risk to individuals".
Q. Are there any risks associated with the service being provided that are high risk and have these been mitigated to a "low" risk? Where yes, please provide details.
A. No. Note, however, that where any risk of capturing PII data exists, we employ data sanitisation tools to mitigate against PII data ever being processed by our data services.
Q. Do you follow privacy by design principles and build privacy and data protection compliance into all stages of process/system/product design and development? Please describe how you achieve this.
A. Our systems and associated access controls are acted in accordance with industry standard privacy principles. We take steps to avoid PII data collection and share detailed privacy breakdowns with our customers, see: https://madewithintent.notion.site/Data-Privacy-Onboarding-Pack-441e5613d3ca4ec0be1b1c15d5c10599?pvs=74
Data tracking scripts are enabled in line with customers privacy policies - tag management solutions are often used to deliver solutions whereby data is strictly only processed if consent is given. This is in the hands of the CSC as the data controller.
Q. Please confirm whether your staff are subject to any employment vetting processes and, in particular, whether they sign non-disclosure agreements ("NDAs") or other engagement terms that require them to keep confidential any personal data or confidential information to which they have access. Please provide a copy of any standard form NDAs or other engagement terms.
A. We undertake standard employment reference checks and screen employees via Thomas Co.
We do not undertake DBS or any other checks.
The raw event data ingested by our service is generally not available to anyone except our data team. Aggregated data is only available to those required to run the service.
Q. Please provide an overview of any data protection and privacy training issued to, and completed by, employees associated with this processing activity. This should include all mandatory training courses, awareness campaigns and other methods of training and awareness instigated by your company.
A. As part of ISO27001 we are formalising our data privacy policies and associated data privacy training programmes.