The General Data Protection Regulation (GDPR) is the result of many years of work by the European Union to unify and strengthen data protection for all EU citizens. Taking care of your and your customers’ privacy is our number one priority.
GDPR gives you more control over how your data is used, and it gives us a single, uniform legal framework to operate in. That makes this change desirable for both parties!
The Regulation came into effect on 25 May 2018, and we are glad to report that LiveChat has met its requirements and is fully GDPR compliant.
Below you will find a list of frequently asked questions regarding GDPR compliance. If you can’t find an answer that relates to your question, please let us know by writing to firstname.lastname@example.org – we will reply as soon as possible and update this document.
We take our responsibilities under the GDPR seriously. That’s why we have taken steps to identify which measures we need to implement to be compliant with the GDPR.
A quick summary of what we have done is available at https://www.livechat.com/general-data-protection-regulation/.
A separate consent for the processing of your data by LiveChat, Inc. is therefore not required. However, you may need to obtain consent for data processing and transfer from your own customers/users/visitors. Whether you do depends on whether the GDPR applies to you, on whether you collect your customers'/users'/visitors' data, and on the legal basis of your processing. To help you comply with the GDPR requirements, we have created a tool (working with the LiveChat service) that helps you obtain such consent. If you think you need it, please refer to point 9. If you use a service other than LiveChat, you may at least need to notify your customers that you use LiveChat, Inc.'s services.
Firstly, you need to figure out whether you process or provide personal data of people in the EU (the GDPR turns on where the data subjects are, not on their citizenship). For instance, if you are an Australian company and you only serve customers in Australia, the GDPR does not apply to you. However, if you offer goods or services to people in the EU, or monitor their behaviour, you need to comply with this regulation. You or your company (organization) may then act as a data controller: this is the case when you, as a natural or legal person, public authority, agency or other body, alone or jointly with others, determine the purposes and means of the processing of personal data. You may also act as a data processor: this is the case when you, as a natural or legal person, public authority, agency or other body, process personal data on behalf of the controller. Put simply, a processor does not determine the purposes of the processing but uses the data according to the controller's instructions.
Regardless of whether you are a data controller or a data processor, when you transfer personal data to us (and you do so by using our services) you may need to enter into a DPA with us if any of that data concerns people in the EU.
Yes, we have prepared this document for our customers. You can review and sign a copy of LiveChat’s Data Processing Addendum here: https://app.hellosign.com/s/11HpZdOT. Instructions for execution are set out in the Addendum. If you have any questions about its contents you can email: email@example.com
LiveChat, Inc. also stores and processes personal data of your customers and visitors (the end users of the service you use). In particular, we store data provided in the pre-chat survey, chat content, your clients' email addresses and ticket content, ChatBot scenarios, and your KnowledgeBase articles. Thus, if you collect your visitors'/end-users'/clients' personal data and pass it to us, you may need to obtain their consent and/or notify them that you use LiveChat's services. Instructions on how to customize your pre-chat survey (applies to the LiveChat service) to comply with this rule are here: https://www.livechat.com/kb/prepare-chat-gdpr. If you wish, and if they meet your company's requirements, you can use one or more of the clauses we have prepared for you. The clauses can be found here: https://www.livechat.com/kb/chat-surveys#pre-chat-gdpr. If you use HelpDesk, you may need to inform your users that you use LiveChat, Inc.'s services (or include LiveChat, Inc. as a sub-processor on your list of sub-processors).
LiveChat, Inc. stores its customers' data mainly in a data center in Dallas (Texas), U.S. We also have a data center in Europe (Frankfurt). Your data storage location depends on which service you use. When you sign up and create an account in LiveChat, your data is automatically collected and stored in our U.S. data center (regardless of whether you sign up from the EU, the US or elsewhere). If you want your data stored in the EU (please note this is available only for the LiveChat service), you need to sign up via https://accounts.livechat.com/signup?region=fra. Also note that for this service it is currently not possible to migrate existing chats to the other data center, but we can assist you in creating a new account, so that the personal data provided when creating the new account, as well as all future conversations, will be stored in the European data center. Additionally, like many SaaS providers, we use top-tier third-party hosting providers (Amazon S3, IBM Softlayer and Google) to host our online services.
To make our services work properly we use other companies' services (generally software). We do so to maintain the services, improve our tools, and enable and simplify their use. If it is necessary to give a sub-processor access to part of your data, we first make sure that the company receives only the data it needs (e.g. only an email address for the email service provider). Secondly, we enter into an agreement with that company to make sure it provides at least the same level of protection as we do. You can find more information about the rules of sub-processing in our DPA, and a current list of our sub-processors is at the following link: https://www.livechat.com/kb/livechat-third-party-data-processors.
We are committed to complying with the GDPR and, accordingly, to transferring personal data lawfully. This is why we work only with third-party service providers based in the European Economic Area (EEA), in countries recognized by the European Commission as providing an adequate level of protection of personal data (such as Canada, Switzerland and New Zealand), or in the United States, where transfers rely on the mechanisms described further below. We have verified all the sub-processors we currently cooperate with: besides the above location requirement, we made sure they are GDPR compliant and, if based in the US, were Privacy Shield certified (or, if based in another country recognized as adequate, are subject to comparable agreements and data-protection obligations). Before appointing a new sub-processor, we likewise make sure the data will be transferred securely and lawfully, and we work with a provider only once we are sure your data will be transferred and stored securely. Where a transfer is not already covered by the measures above, we apply additional measures (e.g. Standard Contractual Clauses) so that the transfer is in line with the GDPR.
As a company offering its services in the SaaS model, we are aware that the security of our customers and their data is crucial. We treat security as a basic aspect of our business and know that it is a matter of trust. This is why we had implemented a number of safeguards even before the GDPR was adopted. We have since made sure our safeguards comply with the Regulation and added new ones where necessary. We encourage you to familiarize yourself with our Security Overview: https://www.livechat.com/legal/security.
LiveChat, Inc. uses external auditors to verify the adequacy of its security measures, including the security of the physical data centers. These audits are performed at least annually and include penetration tests.
When personal data is hosted or processed outside of the European Economic Area, the GDPR requires that it remains protected by appropriate safeguards in line with EU law. There are a few ways in which LiveChat, Inc. achieves this.
Firstly, most of our EU customers' data is processed in the United States (where our headquarters are located). The United States has never been covered by a general adequacy decision of the European Commission; until 16 July 2020, transfers to US organizations relied instead on the EU-U.S. Privacy Shield (Commission Implementing Decision (EU) 2016/1250), which covered only organizations that had self-certified under that framework. Under the GDPR, a transfer to a third country may take place without any specific authorization where the Commission has decided that the third country, or a certified sector or framework within it, ensures an adequate level of protection; otherwise the transfer must rest on appropriate safeguards such as Standard Contractual Clauses (see below).
Where we process EU customers' data in other territories, we ensure that the appropriate safeguards prescribed by the GDPR are in place, i.e. by entering into Data Processing Agreements with the entity the data is transferred to, or (for transfers to US-based entities) by relying on the mechanisms described in the next section.
The decision of the Court of Justice of the European Union of 16 July 2020 regarding EU-U.S. data transfers invalidated the EU-U.S. Privacy Shield Framework as a mechanism for transferring personal data from the European Union to the United States.
Following this decision, LiveChat continues to honor its Privacy Shield commitments as set out below.
LiveChat remains committed to ensuring that our clients' data is protected with the utmost care. Our clients can continue to use LiveChat services and transfer EU data in compliance with European law such as the GDPR, relying on the Standard Contractual Clauses ("SCCs", incorporated into our Data Processing Addendum), which the Court of Justice of the European Union upheld as a valid mechanism for transferring data from the EU to the US.
In addition, with respect to such invalidation, the U.S. Department of Commerce has issued the following public statement of continuing to administer the Privacy Shield program:
“The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”
To the extent LiveChat has ongoing obligations under our Privacy Shield certification, we will continue to honor them. The Swiss-U.S. Privacy Shield remains operational and is not currently affected. LiveChat confirms its compliance with the Privacy Shield frameworks to the U.S. Department of Commerce, and its self-certification can be found here: https://www.privacyshield.gov/participant?id=a2zt0000000L16xAAC&status=Active.
It is possible to request a periodic data purge. To do so, please send a request to firstname.lastname@example.org stating which data should be deleted, how often it should be deleted, and at what time these chats and tickets should be deleted (hour + timezone). Availability of this feature may vary depending on which service you use.
Yes, we have one in place. In the event of a security incident, we are ready to respond immediately to protect your data from unauthorized disclosure or any other infringement.
a) Running an external audit, fixing all vulnerabilities found, re-testing each fix, and repeating this procedure until every finding is closed;
b) Periodic scanning of our systems with automated vulnerability-detection tools.
Contact support via email@example.com or chat on our websites.
No, we have none to report. You can follow https://status.livechatinc.com, where we report any security issues and incidents.
We do have a DR plan: each part of the system can be restored within 24 to 48 hours in the event of a complete disaster. Moreover, every instance of the whole infrastructure is replicated, so losing a single instance will not cause service degradation. The quoted time refers to a flood-scale disaster.
Regardless of the service you use, you can ask us for a copy of your data. A copy of the data can be downloaded in JSON; please refer to https://www.livechat.com/kb/prepare-chat-gdpr to see how to obtain your LiveChat data.
Yes, we do have DDoS protection provided by Akamai.
The application is multi-tenant, and the data for each license is accessible only to accounts assigned to that license, so anyone who wants to access a license's data needs a corresponding login and password. This is the basic logic behind the whole application infrastructure: it is not possible to access other customers' data, because an access request without the required credentials is treated as an unauthorized call and denied. Also, one set of credentials (login + password) can be used for one license only.
Legal note: Please note that the materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem.