Cyren and the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (“GDPR”) is a new legal framework that comes into effect on May 25, 2018. The GDPR focuses on the protection of personal data (i.e. data about individuals) and affects, among others, companies that process the personal data of individuals who are based in the EU. This includes suppliers and other third parties a company might utilize to process personal data. As a security-as-a-service provider, data privacy and security are at the core of our business and we are committed to protecting our customers’ personal data. We are committed to GDPR compliance across our applicable products and services. Our internal cross-functional team has been working diligently to ensure our GDPR readiness.

The GDPR allocates responsibility between the data controller (i.e. our customers and partners) and the data processor (Cyren) with respect to the processing of personal data. Under the GDPR, both the data controller and data processor have duties and obligations to protect personal data and both face liability for failures to comply with the GDPR requirements. 

Cyren is committed to meeting our customers’ privacy requirements, including compliance with the GDPR. Below are some of the measures we have taken to comply with key areas of the GDPR:

  • Cyren ensures that appropriate technical and organizational measures are taken to protect personal data. 

  • As the data processor, Cyren processes personal data on behalf of the data controller and on written authorization from the data controller (i.e. through a written agreement). 

  • Cyren has updated its Data Processing Agreement to align with GDPR requirements. This updated DPA contains contractual provisions to assist our customers in their compliance with the GDPR. You may access the DPA at www.cyren.com/legal

  • Cyren expects that its customers and partners, as the data controllers, will notify their employees and users (i.e. the data subjects) of the processing carried out by processors such as Cyren and will obtain the appropriate consents for such processing activities.

  • Cyren limits the amount of personal data stored to that required for the performance of its contracted services (i.e. email address, IP address, etc.) on behalf of the data controller.

  • Personal data will not be disclosed, made available, or otherwise used for purposes other than to perform the contracted services on behalf of the data controller, except as may be required by law. 

  • For certain products/services, Cyren stores all personal data for its EU customers in the EU.

  • Transfers of personal data that do take place outside of the European Economic Area (EEA) will only be done for the purposes of providing the contracted services to the data controller and will be to jurisdictions deemed by the European Commission (EC) to provide an adequate level of data protection (adequate jurisdictions), subject to EU-US Privacy Shield principles and/or in accordance with the EC Standard Contractual Clauses for transfers of data outside the EEA.

  • Cyren has an inter-company Data Transfer Agreement, which includes the use of the EC Standard Contractual Clauses for transfers of data outside the EEA. This agreement facilitates the secure movement of personal data between Cyren affiliates and helps ensure compliance with GDPR.

  • Cyren limits access to customer personal data to only those personnel with appropriate authorization. Such personnel who are authorized to process personal data have committed themselves (through employment and confidentiality agreements) to the confidentiality and security of personal data.

  • Cyren will obtain the consent of the data controller before engaging any sub-processors and Cyren will be responsible for the performance of such sub-processors. 

  • In order to ensure data security and to minimize the amount of personal data processed, Cyren uses a combination of encryption, anonymization, pseudonymization and/or obfuscation of data where technically feasible.

  • Cyren will notify the data controller without undue delay after becoming aware of a personal data breach and will assist the data controller in its required reporting obligations to supervisory authorities and/or affected data subjects.

  • Cyren continues to make further technological advances and product updates to ensure we comply with, and can facilitate, GDPR requirements such as the right to erasure.

  • Cyren will be accountable and responsible for ensuring its own compliance under the GDPR.