E2open does not collect and process users’ personal information beyond what is required for the functioning of our products.

We have demonstrated our commitment to data privacy and protection by meeting the industry standards for ISO 27001 and SSAE-18 SOC 2 Type 2. We also have strong Data Processing Agreements and have revised them to meet the requirements of the GDPR. E2open participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework with respect to transfer of data to the US.

E2open GDPR Preparation

E2open is GDPR compliant across all of its SaaS applications. We have analyzed GDPR requirements and correlated them to existing controls or created new controls and systems to meet them. Our efforts included:

  • established a data privacy team to oversee GDPR activities and raise awareness;
  • conducted a GDPR Gap Assessment, performed by an independent third party, and a Privacy Impact Assessment (PIA);
  • reviewed the security and privacy processes currently in place and, where applicable, updated contracts with third parties and customers to meet the requirements of the GDPR;
  • conducted employee awareness training to ensure continual compliance with the GDPR;
  • enhanced data integrity and security, streamlining the processes for our cloud applications by implementing the following IT policies and procedures:
    • encrypt, anonymize, or delete user data;
    • perform data audits or assessments;
    • provide access controls;
    • identified the personal data that is being collected or stored;
      (Note: some of our applications involve different levels of personal data collection, usage, storage, and disposal. We defined the purview of personal data for each of these applications and documented the various sources of data to provide a roadmap for compliance. We also analyzed how customer information is being processed, stored, retained, and deleted);
    • assessed any third parties to whom we disclose personal data. At this time there are no third parties with whom we share the personal data of our customers, except banks used to pay rebates;
    • established procedures to respond to data subjects when they exercise their rights; and
    • created processes for data breach notification activities.
  • Portability and Transferability of Data – none of our applications store unique end-user content or data that end users do not already possess, e.g. pictures, stories, etc.