Enterpret's Commitment to Privacy

Purpose of this document

This document is intended to provide information about Enterpret’s (‘us,’ ‘our’) privacy practices with regard to its processing of ‘Customer Data,’ defined as the data that our customers (‘you’) transfer to us as part of the services we provide to them, pursuant to a business agreement. The primary audience for this statement is business customers that use our service and are looking to understand how we comply with the applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (‘GDPR’), the California Consumer Privacy Act (‘CCPA’), the California Privacy Rights Act (CPRA), Swiss Federal Data Protection Act and the United Kingdom Data Protection Act (‘UK GDPR’).

About Enterpret

Enterpret is a feedback analytics platform that enables companies to get actionable insights from product feedback. Enterpret’s machine learning-driven solutions aim to provide our business customers with a smarter way to collect and analyze feedback from their end users. The intelligence gathered can further help our customers draw up their future roadmap, gauge the response to their recent offerings, and determine what new features they can experiment with in the future.

Our role in relation to personal data

Enterpret’s customers are primarily companies. Through our contract with our customers, we primarily act as a data processor as we collect and process data on their behalf and at their request. Our customers act as data controllers for the Customer Data transmitted to us.

How does data get from you to Enterpret?

Enterpret streamlines the feedback analysis of its customers' end users by seamlessly integrating with over 25 feedback sources, and for custom data sources, Enterpret offers File Upload and Webhook integration features.

Enterpret takes data privacy seriously. Customers decide the data sources to be ingested during the onboarding process. All data ingested is then converted into a uniform structure and scanned for any personally identifiable information (PII), which is removed to ensure data privacy. In addition, our customers can further customize their data ingestion by configuring Ingestion Blockers and Scrubbing rules to prevent specific types of feedback from entering Enterpret or to scrub particular feedback segments.

Data protection practices and capabilities

Enterpret takes great pride in our respect for customer privacy and has a team dedicated to ensuring that our platform and service are GDPR and CCPA compliant, and that we protect the privacy of our customers and their end users whose data is transferred to us as part of our services.

‍

The following section describes some of the ways in which we protect the security and privacy of Customer Data transferred to us and enable our customers to meet their regulatory privacy requirements.

Section 1) Product Privacy Functionality to Reduce Data Risk

1. Ingestion blockers: We’ve built metadata-based ingestion blockers that allow customers to define rules to block certain types of data for specific integrations. If a specified criteria is met, the records are blocked from ingestion into Enterpret. With such implementation, Enterpret enables you to introduce a line of defense in preventing specific data (e.g., GDPR special category or sensitive data, IP addresses, etc.) from being transferred outside your organization.
2. Data scrubbing/masking: Enterpret provides product functionality to enable you to scrub, mask, and otherwise reduce the inclusion of any personal data that may be contained in the Customer Data you choose to share with Enterpret. Our PII Scrubber library provides pre-built scrubbers for various personal data identifiers that can be applied to strings and objects. Customers can also override the implementation of any of the existing scrubbers or can add their own custom scrubbers or masking operations based on their requirements and the nature of data. 
3. No personal data persisted: We do not persist any Customer Data prior to PII scrubbing. Only once Customer Data has been cleansed, it is then persisted within the Enterpret platform.

Section 2) No Selling/Renting/Sharing of Customer Data

We do not sell, rent, share or otherwise disclose (as such terms are defined within the CCPA, CPRA and other US state privacy laws) Customer Data to any third party in the ordinary course of business.

Section 3) International Transfers

In order to ensure that all cross-border transfers of Customer Data to Enterpret are made under a compliant data transfer mechanism, we will sign a Data Processing Addendum (DPA) with you that incorporates the legally allowed transfer mechanisms, depending upon the requirements of specific jurisdictions (such as the Standard Contractual Clauses as the transfer mechanism for Customer Data from the United Kingdom, EU and EEA to our US-based AWS environment). If you haven’t yet signed a DPA with us and believe you need one, you can request a copy from your sales representative.

Enterpret’s platform runs on Amazon Web Services (AWS) within the United States. As our primary subprocessor, Enterpret has signed a DPA with AWS that reflects the required GDPR and CCPA contractual commitments. As our subprocessor, any data sent to AWS is subject to equal enforcement of the terms of the DPA we sign with our customers. 

Section 4) Data Deletion

Commencing 30 days after the effective date of termination of our agreement with customers, Enterpret will initiate a process on customer’s written request that deletes Customer Data retained in production within a time period of 3-4 weeks.

Section 5) Data Subject Rights

Customer Data that Enterpret processes on behalf of our customers is owned by the customers as data controllers, and Enterpret does not maintain any control over such data. Our access to such data is also time limited as we do not persist or store any identifiable data; Customer Data is scrubbed or masked prior to it being persisted within the platform. Because our customers maintain access control to their data within their systems, as data controllers, they can respond to and act on requests from their data subjects (i.e. their users). If Enterpret receives a request from a data subject in relation to the transferred customer data, Enterpret will advise the data subject to submit their request to the customer, and the customer will be responsible for responding to any such request. We will provide customers with such assistance, where feasible and reasonably required to comply with their obligations under Applicable Data Protection Laws, subject to our contractual obligations, as laid down in our agreement with customers.

Section 6) Safeguards

The below section provides information regarding Enterpret’s technical and organizational safeguards to support the confidentiality, integrity, and availability of Customer Data:

1. Technical Measures
   The security of your data is incredibly important to us. We have implemented and continually maintain a variety of technical measures to protect your data from unauthorized access and against unlawful processing, accidental loss, destruction, and damage. You can visit our Security and Trust page to learn more about the specific security controls we have put in place to safeguard your information. 

2. Organizational Measures
   We have implemented the following organizational measures to safeguard all Personal Data you transfer to us.
   ‍
   ‍→ Confidentiality obligations‍
   All of our employees and Subprocessors that handle Customer Data are required to sign confidentiality agreements.
   
   → Employee training
   We provide privacy and security training to all our employees when they join the company and yearly thereafter. As a result, our employees are always kept up to date on security and privacy best practices.
   
   → Third-party Risk Management
   Prior to onboarding a new Subprocessor, we conduct a comprehensive vendor assessment, which includes a review of the Subprocessor’s security and privacy practices. Moreover, we require relevant documentation from our Subprocessors to demonstrate compliance with the security terms of its DPA.
   
   → Annual audits
   Enterpret currently holds a SOC 2 Type 2 report on compliance with the SOC 2 SSAE 18 standard, and we make our audit report available to you. Please contact your Enterpret sales representative, who can assist you with gaining access to our SOC 2 Type 2 documentation.