CCPA, GDPR, Swiss/EU – U.S. Privacy Shield, PIPEDA

Our Commitment

We have demonstrated our commitment to data privacy and protection by meeting the industry standards for ISO 27001 and SSAE-18 SOC 2 Type 2. We also have strong data processing agreements that were revised to meet the requirements of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). E2open® complies with GDPR as a data processor and with CCPA as a Service Provider. E2open also complies with Canadian privacy law under PIPEDA.

E2open adheres to the EU/Swiss-US Privacy Shield Framework, a set of principles established by the U.S. Department of Commerce together with the European Union. Among the requirements of this framework are providing notice of compliance with the Framework, allowing individuals to opt out of providing personal information, ensuring that the transfer of information is consistent with the Privacy Shield, protecting personal data, limiting the processing of data to the purposes for which it was collected, and allowing customers to access and update their personal information. E2open has been reviewed and verified by TrustArc (formerly known as TRUSTe).

Privacy and security protections are built into our services and contracts to help in compliance with this privacy legislation for our customers. Examples of these are:

  • We enforce data protection features across all our software-as-a-service (SaaS) applications. We have analyzed data protection requirements and correlated them to existing controls or created new controls and systems to meet them.

  • We have a data privacy team to oversee data protection activities and raise awareness.

  • We conducted a data protection Gap Assessment through an independent third party, as well as a Privacy Impact Assessment (PIA).

  • We review the security and privacy processes currently in place and, where applicable, update contracts with third parties and customers to meet data protection requirements.

  • We conduct annual employee training and awareness to ensure continual compliance with new and existing data protection legislation.

  • We evaluated the portability and transferability of data and found that none of our applications store unique end-user content or data that end users do not already possess, such as pictures, stories and so on.

  • We define opt-in/opt-out standards for all systems and communications that store personal data.

  • We conduct background checks on all personnel and have a Corporate Code of Conduct and Operating Principle that must be observed.

  • We enhance data integrity and security, and streamline the processes for our cloud applications, by implementing and continually improving data security actions such as:

    • Encrypt, anonymize or delete user data.

    • Perform data audits or assessments.

    • Provide access controls.

    • Identify personal data being collected or stored.
      Our applications differ in their level of personal data collection, usage, storage and disposal. We have defined the purview of personal data for each of these applications and documented the various sources of data to provide a roadmap for compliance. We analyze how customer information is processed, stored, retained and deleted.

    • Regularly assess any third parties with whom we disclose personal data.
      At this time, there are no third parties with whom we share our customers’ personal data except banks for the purpose of paying rebates.

    • Have policies and procedures in place to respond to data subjects when they exercise their rights.

    • Continually refine processes for data breach notification activities.