Blueshift: Privacy, Security & Compliance

Blueshift's response to Questions on Privacy, Security & Compliance in the RFP Guide

Overview: Blueshift's application is built for enterprise customers with strong security and privacy needs around Personally Identifiable Information (PII). We are certified by Truste and participate in the EU-US Privacy Shield Framework. We comply with regulations for GDPR, CCPA & HIPAA.

Blueshift takes security, data integrity and privacy seriously. We achieve this by following a philosophy of “security by design”:

  • Architecting the application & network from the ground up with security in mind

  • Ensuring compliance with customer data & privacy laws

  • Mandating regular employee training with adequate process & controls for checks & balances

  • Holding ourselves accountable with regular 3rd party audits & testing

Blueshift's Responses to Questions on Privacy, Security & Compliance

Privacy & Compliance

1. Describe how your solution supports customer data privacy preferences and adheres to privacy compliance regulations (e.g. CCPA, GDPR, HIPAA).

Security and trust are at the core of our values, and therefore we provide multiple capabilities, safeguards and processes to ensure the security and privacy of our customers' data. Blueshift undergoes an annual security audit. In addition, we have customers in the financial industry that have performed stringent due diligence on our platform and leverage Blueshift for their critical customer transactional and marketing messaging.

From a data privacy standpoint, Blueshift participates in the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework administered by the U.S. Department of Commerce. Blueshift’s privacy policy is outlined at: https://blueshift.com/privacy_policy/.

We also have a data center in the EU to ensure EU customers' data never leaves the EU region. Blueshift's global data center regions are outlined at: https://help.blueshift.com/hc/en-us/articles/4404624313235-Blueshift-global-regions

We are SOC 2 Type 2 compliant and also compliant with both CCPA and GDPR (https://help.blueshift.com/hc/en-us/articles/360003291413-GDPR-Compliance).

We are HIPAA compliant and independently audited to ensure that we have implemented the necessary controls to comply with the HIPAA Security, Privacy, and Breach Notification Rules.

Additionally, Blueshift stores all PII data in a compliant manner and undergoes regular penetration testing by a 3rd party security firm.


2. Describe how your solution manages Personally Identifiable Information (PII) such as name, address, email, and phone number in ways that comply with privacy and security regulations in the regions where it is deployed.

Blueshift stores all PII data in a compliant manner and undergoes regular penetration testing by a 3rd party security firm. Only user data that will be used for driving marketing programs and strategy is imported into the Blueshift platform. Sensitive PII data (e.g., SSN, credit card number, etc.) isn't sent to Blueshift.

Furthermore, we are compliant with the current Privacy Shield Framework, along with being compliant with both CCPA and GDPR regulations (https://help.blueshift.com/hc/en-us/articles/360003291413-GDPR-Compliance). We are also a participant in [Truste's Privacy Seal Certification](https://privacy.truste.com/privacy-seal/validation?rid=94a55167-474f-4051-bc44-407e1a4ddd8b).

Moreover, Blueshift's privacy and security team, led by our Chief Security Officer, includes a dedicated Director of Security Operations and a supporting staff of security engineers. They are responsible for responding to and addressing customer questions regarding privacy and security, and for staying ahead of the most recent privacy and security regulations so that we remain up to speed and compliant with the latest local regulations and compliance requirements.


3. Describe your solution's functions to store and enforce customer consent for data usage to comply with privacy regulations.

Blueshift is compliant with both CCPA and GDPR and offers various features to enforce user consent for data usage in compliance with these privacy regulations, including the ability to ensure the deletion and automatic suppression of customer data at the customer's request. More specifically, you can use our API endpoint for deleting user data and for automatic suppression. Calling this endpoint for a user ensures that all personal data related to that user is deleted from the index of user data that Blueshift stores for our customers. Any future data related to the user is also suppressed. As a result, the data cannot be used in any manner for any marketing communications within the Blueshift platform.

[Additional information on how we can enforce customer consent for data usage](https://help.blueshift.com/hc/en-us/articles/360003291413-GDPR-Compliance)


Security

4. Does your solution provide user-level and role-based access controls as well as custom user management to control what data is available to which user?

Yes, Blueshift offers several built-in capabilities to support multiple users with varying roles and different levels of permissions to limit their access to data. For example, different user roles can be assigned within Blueshift to limit what data a user can access and what they can do with it. An “Analyst” user has view-only access and can view user data and audience segments, but cannot edit/update user profile data or audience segments. On the other hand, a “Manager” user has the full capability to view and edit/update user data and audience segments. Furthermore, custom roles with specific permissions can be created to meet a customer's specific user data access requirements if neither the Analyst nor the Manager role, as described above, is sufficient.

[Additional information on the various roles that we support](https://help.blueshift.com/hc/en-us/articles/4402644461843-Users-and-user-roles)


5. Does your solution undergo stringent security audits? Can you provide certifications (e.g. SOC2)?

Yes, Blueshift undergoes an annual security audit. In addition, we have customers in the financial industry that have performed stringent due diligence on our platform and leverage Blueshift for their critical customer transactional and marketing messaging. Blueshift's underlying infrastructure provider (AWS) maintains its own security audits covering hardware, facility security, etc.

We are SOC 2 Type 2 compliant, compliant with the current Privacy Shield Framework, and compliant with both [CCPA and GDPR](https://help.blueshift.com/hc/en-us/articles/360003291413-GDPR-Compliance). Additionally, Blueshift stores all PII data in a compliant manner and undergoes regular penetration testing by a 3rd party security firm.


6. Does your solution encrypt data in transit and at rest?

Yes, Blueshift supports encryption in transit and encryption at rest. More specifically, all customer data is stored in a virtual private cloud that is accessed over an encrypted VPN, and access to that VPN is protected through multi-factor authentication (2FA). Archived data is encrypted at rest using AES-256.


7. Does your solution maintain audit trails for interactions with the system?

Yes, Blueshift offers a robust audit trail feature for Administrators that captures and tracks interactions for each user within the Blueshift platform.


8. Does your solution support Single-Sign On?

Yes, Blueshift supports SAML 2.0 federated single sign-on. [Additional information on our single sign-on support](https://help.blueshift.com/hc/en-us/articles/360021977053-Configure-Single-Sign-On-via-SAML)