GDPR Compliance

The following is updated as of February 2022

As is the case for all companies, we are taking GDPR seriously and are endeavouring to adapt to the new legislation as best we can. Inevitably we will make further amends to our policies as time passes and we all have a better understanding of our obligations.

We have recently updated our DPA to incorporate the new requirement for both UK and EU SCCs, This article details Cyclr’s actions taken as at February 2022, and our stance on GDPR. We will refresh this page as and when variations are required.

 

Cyclr as Data Controller

Cyclr is a Data Controller when it comes to handling the personal information of our Direct Clients and any Client Prospects. Cyclr is strictly a Business to Business enterprise and does not actively target individual consumers.

Direct Clients are companies with a direct paid subscription to the Cyclr application. Client Prospects are those companies that we are actively targeting as prospective clients and companies/individuals who have provided us with their contact information.

We take the right to be forgotten seriously and use any Direct Client or prospect information solely for the purposes of dealing with existing Direct Clients and prospecting for new business. We do not use personal information for any other purposes. Should you wish your record in Cyclr’s systems to be deleted then please email us – dpo@cyclr.com

In additions, for full transparency, we have disclosed the various applications that we use to store Direct Client and prospect information here.

You can also see our privacy policy here.

 

Cyclr as Joint Data Processor

Cyclr acts as a Joint Data Processor with our Direct Clients when it comes to providing services to, and enacting the instructions of, our Direct Clients. Direct Clients are companies with a direct paid subscription to the Cyclr application, who in turn provide integration functionality to their own End Users (an individual, company or entity that is a client of our Direct Client). We have a Data Protection Agreement to which we and all Direct Clients adhere when they take out a subscription to Cyclr.

Our obligations to Direct Clients are also covered by our online terms and conditions or an independent Enterprise Agreement depending upon the subscription and service level the Direct Client has with Cyclr. We endeavour to regularly review and update our terms and conditions and contracts and communicate any such amends in a timely fashion.

 

Functional Overview

The Cyclr platform enables our Direct Clients to offer integration and connectivity functionality between two or more applications to their End Users. This can be achieved by embedding Cyclr into the Direct Client’s application or the Direct Client using Cyclr to deliver a service to their End Users. Cyclr processes data at the instruction of our Direct Clients who in turn are acting on the instruction of their End Users.

By enabling an integration the Direct Client is instructing Cyclr to enable the transfer of data from one application to another. Inherently Direct Clients are enabling integrations at the behest of their own End Users and it is critical that Direct Clients ensure that their End User is aware that they are making the instruction and have given permission. Direct Clients are responsible for this part of the process.

When an integration is activated by an End User, in almost all instances, it is standard for the End User to provide an explicit and unique Authorisation Key for any application to which data is transferred from, or to which data is transmitted to, in order for any data transfer to take place. This is the authorisation of the data transfer. The integration workflows can also be stopped at any time.

Except in circumstances where an error arises and Cyclr is asked by the Direct Client to explicitly resolve any issues, Cyclr does not proactively analyse or access any data transferred across the Cyclr application.

 

Geography

At the simplest level we offer our Direct Clients the option to host their Cyclr Application in the UK (London), the EU (Germany) the US (North Virginia) or Asia Pacific (Sydney) such that when data is transferred it remains within the requested geographic location whilst in the Cyclr environment.

The application and databases are currently hosted with Amazon Web Services. Amazon Web Services assert full compliance with GDPR, please see link here – https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/

If Direct Clients take out an Enterprise/Scale subscription with Cyclr, the Direct Client may also select their own hosting provider, and location, of choice.

Data Transit and Storage Security

We always encourage the use of https:// or SSL where possible when customers are connecting to Cyclr or third party APIs such that data is encrypted on the way in to and out of the Cyclr application.

Whilst in the Cyclr application environment all data is encrypted.

Account access credentials, Authorisation tokens and API keys are all encrypted using AES (an encryption algorithm).

Two factor authentication (2FA) is enforced when accessing Cyclr.

Data Management in Cyclr

As a conduit of data consolidation and movement on behalf of our Direct Clients and their End Users, we have worked hard to include new features that put the parties in full control of their data.

These options include:

Data Retention Settings

We provide complete control over how long data transactions are stored in Cyclr. Cyclr enables each individual workflow to have different data retention periods in hours, minutes or days in order to keep Direct Clients in compliance with your data policy.

We also allow for a separate retention period for transactions with errors, enabling the completion of any support tasks with the full picture.

Whilst Direct Clients have the ability to set their company’s data retention period, End Users can also have separate control over their retention duration. This can be set within their account inside your console, giving your users even more control of their data.

As a backstop we purge all data that is greater than 180 days old and hasn’t already been deleted under the instruction of a Direct Client or an End User.

You can access this in the following menu:

Settings > Data Retention

OAuth Client Credential Settings

Direct Clients have the ability to revoke Access Tokens if necessary. This can be used to prevent and control misuse of their platform.

You can access this in the following menu:

Settings > OAuth Client Credentials

Notification Settings

Direct Clients and End Users can set what notifications they receive via email. These can be turned on and off within the management console.

You can access this in the following menu:

For Users: Settings > Integration Settings > Enable User Notification Users


For Console Admins: Settings > Console Administrators > Receive Notification Emails

Assigning a Data Protection Contact

To prove a single point of contact for any data related queries and enquiries we have a dedicated point of contact for data protection. If you have any data related questions please direct them to dpo@cyclr.com

Summary

Thank you for reading this far. We at Cyclr understand the importance of data, the importance of privacy and the right to be forgotten. We will endeavour to adapt rapidly to legislation as it changes and to work proactively with our Direct Clients, Client Prospects and our Direct Clients’ End Users in order to respond to requests.

Should you have any further questions then please contact us at dpo@cyclr.com

Ready to start your integration journey?

Recommended by G2 users

Book a demo to see Cyclr in action and start creating integration solutions for your customers