The European General Data Protection Regulation (GDPR) became enforceable on May 25, 2018. The GDPR is a regulation on the collection and processing of personal data related to individuals residing within the European Union (EU).
The GDPR’s six key principles, as detailed in Article 5 of the legislation, include:
At Rise, we value our worldwide customer base, and your right to privacy. As outlined in our security white paper, Rise employs a holistic approach to security. We welcome the GDPR as an opportunity to deepen our commitment to data protection.
For the GDPR, we are considered a data processor for the data we collect as we deliver e-learning services to our customers, the data controller. As a data processor, Rise commits that data put in our care by EU data subjects is:
As a cloud-based learning platform, the protection of our customers’ information and their users’ privacy is of utmost importance. We will continually invest in the security of Rise by employing an experienced security team and utilizing the most robust tools available for monitoring and mitigating threats. In addition, the Rise security team will comply with GDPR requirements around security incident notifications.
We engage carefully vetted sub-processors for specific purposes necessary to deliver e-learning services. We require that each sub-processor sign and adhere to a Data Processing Agreement (DPA), reflecting our commitment and that of our vendors to take the individual’s right to data privacy seriously.
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, and on September 8, 2020 the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland found the Swiss-U.S. Privacy Shield Framework didn't provide adequate protection for personal data transfers from Switzerland to the United States.
Even before these recent developments, Articulate used alternative safeguards identified in the GDPR, including standard contractual clauses (SCCs). We’ve also assessed our data transfer risks, including engaging an external auditor to evaluate our security controls resulting in SOC 2 Type 2 along with ISO 27001 and ISO 27701 certifications. Additionally, we’ve specifically assessed the risks raised by the CJEU and determined that those risks are highly unlikely for Articulate because some laws (e.g., the U.S. Electronic Communications Privacy Act) don't regulate Articulate, and other laws that could theoretically apply to Articulate (e.g., Executive Order 12333 and the U.S. Foreign Intelligence Surveillance Act) are unlikely to impact us since we don't provide the services government authorities typically target for broad surveillance (e.g., telecommunication providers, ISPs). We've never received a request for surveillance, and if we did receive such a request, we’d notify the impacted customers unless prohibited by law.
Providing you with control over Rise’s collection, retention, and usage of your data is a key component of the GDPR. The following methods describe the controls available to data subjects:
Please contact us at firstname.lastname@example.org if you have any questions about how we comply with GDPR.