Data Privacy FAQs

1. What/where data is stored?

Your Data Privacy team is likely interested in what data is stored in Poppulo, why it is stored, and where it is stored. The data types stored with Poppulo typically includes:

• employee email address data - to support the core business requirement of sending emails to employees
• employee name data - to support the (optional) business requirement of personalizing emails (“Dear John”)
• employee function data - to support the (optional) requirement of targeting or segmenting emails or content on the basis of function or location (“Show this newsletter article to everyone in Sales”)
• content data - to support the core business requirement of populating the employee communication (company news, organizational announcements, etc.)
• content engagement data - to support the core business requirement of understanding engagement with these bulk employee communications (volumes of bounced emails, opened emails, content clicked, etc.) (More detail on the data stored and processed by Poppulo is available in the standard Data Processing Agreement)

Data is stored in the requested region per channel below:

• Email Channel
  • EMEA, with the primary based in London UK, and backups in Cork and AWS eu-west-1.
  • US, with the primary based in Chicago, and backups in Boston and AWS us-east-2.
• Display Channel AWS
  • USW2 – Oregon
  • EUW1 – Ireland
  • APS1 – Singapore
• Workplace Channel Azure
  • eastus2: Virginia
  • westus2: Washington state
  • uksouth: London
  • ukwest: Cardiff, Wales

Poppulo also utilizes subprocessors in rendering the services and details on their locations can be found here: https://www.poppulo.com/subprocessors.

2. What data privacy regulations apply?

Poppulo is a US-based company with wholly-owned subsidiaries in the US, Ireland, and United Kingdom. As a company established in the EU, within the meaning of the General Data Protection Regulation (GDPR), Poppulo attests to being GDPR-compliant. Poppulo also works with its customers to ensure they are able to meet their data privacy regulatory requirements. Poppulo is registered as a Data Processor with the Information Commissioner's Office in the UK (Reg# Z9513693) and Data Protection Commissioner in Ireland (Reg# 5638/A). Poppulo’s US privacy compliance is informed by a patchwork of data privacy laws in the United States comprised of both federal and state-level regulations.

3. Who has access to systems and data?

A limited number of users within Poppulo, and a limited number of users within your organization, may have access to some stored data. In short, within:

• Your organization, there will be a small number of trusted users with a profile and role within the system. There are a number of standard role types that can be applied to these users. We strongly encourage that you apply your own least-privilege policies to these users. The roles available in the system are labelled based on the expectations of a typical user's job or function. ("Can send emails - Background for IT, IS, DP teams | 5 Classification: Confidential but not see reports" is a “Publisher”, "Can create new content - but not edit content from other contributors" is an “Author”, etc). If any of the default role types do not meet your expected use-cases, custom role types can be created.
• Our organization, there are a limited number of vetted and confidentiality-bound users with roles within the system. Poppulo employee users of this type include Customer Support team members, and Technical Support team members. The former may need to access customer data in support of a customer query (“I need help changing the newsletter background to a dark-blue color - can you take a look?”). And the latter may need access to customer data in support of a technical query (“I need help understanding why the most recent newsletter email was bounced - can you take a look?”)

4. What can they see?

As above, what can be seen by a user will depend on the role-type or trust-level assigned to their user profile. Some customers will be sensitive to what can be seen in the system by even the most trusted users or user types. If you expect that zero role-types of any trust-level should be allowed access to (for example) subscriber activity data (opens, clicks, etc), then we can enable what is known as the "Subscriber Anonymity" setting. This is an Account level setting (not a User level setting) which abstracts the Subscriber Record (email, name, etc) from the Subscriber Activity Record (opens, clicks, etc). With this setting enabled, it is not possible to "drill down" to associate Subscriber Activity with an individual Subscriber.

5. How is data access controlled?

The Poppulo platform provides a number of role-based security options which the account owner can assign to named users. These include:

• Administrative user rules - Enterprise Administrator, Account Administrator, Settings Administrator, etc. (Essentially allowing varying levels of control over the account and settings, who can view or change subscriber information, etc.)
• Content user roles - Author, Contributor, Editor, etc. (Essentially allowing varying levels of control over content. Perhaps a user can create and edit their own content, but can't edit anyone elses. Perhaps they can't even see anyone elses, etc.)
• Publisher roles - Publisher, Restricted Publisher, Protected Lists, etc. (allowing varying controls over who can send to what lists, and whether this is completely locked down or whether - if someone attempts to send to a protected list - it triggers an approval workflow with someone with higher rights levels)
• Other user roles - Reporter, Auditor, etc. (who can view the engagement reports, audit trails, etc.)
• Custom roles - roles and levels can be combined or customized. For example, a given user might be given Reporter rights and Publisher rights, "read only" Content rights, but no Subscriber management rights, etc.

6. How is data access monitored?

Data and systems access and audit logs include details on what accounts and data have been accessed (and when data has been accessed). This includes any potential access by Poppulo personnel. These audit logs are available to selected customer account holders based on the role they have been assigned.

7. What subprocessors does Poppulo use?

Poppulo engages the Subprocessors outlined at the following page:https://www.poppulo.com/subprocessors.

Please note that you may choose to sign up for alerts regarding changes to this list.

8. Where can I find Poppulo’s Data Processing Agreement and Transfer Impact Assessment?

Please see the Table of Contents on the righthand side of this page for Poppulo’s template DPA and TIA. These can also be leveraged where you are in need of assistance with documentation serving a similar purpose (Data Protection Impact Assessment, Privacy Impact Assessment, etc.).

9. Is Poppulo going to become certified under the new EU-US Data Protection Framework?

For those who don’t know, the European Commission adopted its adequacy decision of the EU-US Data Privacy Framework. This decision concluded that the United States ensures an adequate level of protection –comparable to that of the European Union—for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the DPF, without having to put in place additional data protection safeguards.

Poppulo is currently working towards certification under the new DPF and anticipates being certified in the coming months. While this is an exciting development, please note that the DPF only applies to EU-US data transfers, and the UK and Swiss data protection authorities have yet to adopt a similar adequacy decision with regards to the DPF.