GDPR
Overview

Percept AI is fully GDPR compliant.

At Percept AI, we understand the importance of protecting the security and privacy of customer data, and we are committed to partnering with our clients to help them understand and prepare for the General Data Protection Regulation (GDPR). The GDPR is the most comprehensive EU data privacy law in decades, and will go into effect on May 25, 2018.

Under the GDPR guidelines, our customer is the Data Controller, and Percept AI is a Data Processor. This means the customer will determine the purposes and means of processing Personal Data, while we as the Data Processor process data on behalf of the Data Controller.

Personal Data in the context of the GDPR includes any information which can identify an end user, such as their name, email address, postal address, username and IP address. Depending on the use case, a subset of this information will be stored in or transmitted via the Percept AI services, by, or on behalf of, our customers and their end users.

Here we list some of our main efforts in pursuance of GDPR compliance:
  • Reviewed data security measures
  • Added public instructions on how to exercise GDPR rights
  • Audited third-party sub-processors
  • Created standard DPAs (Data Processing Agreements) for future clients
  • Appointed DPO (Data Protection Officer) per GDPR requirements

Data Security

At Percept AI, our engineering team has invested heavily in our security systems to make sure our customers’ data is protected to high security standards, using state-of-the-art application and system security techniques.

All communication with our service is performed through a secure connection. We do not provide any non-SSL endpoints. Data encryption is applied wherever possible, which means that even in transit between our servers, your data is kept encrypted. All our servers are firewalled and kept updated with the latest security patches. All security keys and passwords stored by our application on your behalf are kept encrypted at rest.

We also work with independent third-party security firms to run regular security reviews and penetration tests. The latest review results will be shared with our customers upon request.

Exercise GDPR Rights

Under GDPR, EU data subjects are entitled to exercise the rights listed below. Here the data subjects include both our customers (also known as “business users”) and their end users. For business users, the request must be sent from the same email address as the account owner. For end users, the user must provide identification information that matches the Personal Data collected in our system.

We respond to requests within 30 days. However, it may take longer to complete the request. We’ll be sure to let you know these details over email. We use any information you give us in your request only to fulfill the request and delete it within 12 months.

Right of Access

All data subjects can request full access to their user's data by contacting privacy@percept.ai. For end users, this is limited to their own user profile and all the interactions that they have had with the Percept AI system.

Right of Rectification

For business users, most of their data can be viewed and edited directly through our console page. For information that is not available in the console, please contact us to request modification.

Right to Erasure (“Right to be forgotten”)

All data subjects can request to have their personal data deleted by contacting privacy@percept.ai. For end users, this is limited to their own user profile and only the interactions that they have had with the Percept AI system.

Right to Restriction of Processing

All data subjects can ask for their personal data to stop being used in certain cases. Simply contact us at privacy@percept.ai and we will process your request.

Right to Data Portability

Upon request, we provide full export of a data subject’s account data in machine readable format. Please send the request to privacy@percept.ai.

Right to Object

Similar to Right to Erasure, we handle all requests on this matter from all our customers and their end users. Simply contact us at privacy@percept.ai and we will process your request.

Sub-processors

Percept AI uses sub-processors to assist in providing our Service. A sub-processor is a third-party data processor engaged by Percept AI that has, or potentially will have, access to service data (which may contain personal data) or that processes it. Percept AI evaluates the security, privacy and confidentiality practices of proposed sub-processors that have access to or process service data, both before they are engaged and on an ongoing basis.

The following is an up-to-date list (as of July 2018) of the names and locations of Percept AI sub-processors:

Amazon Web Services
Purpose: Hosting
Location: United States
Website: https://aws.amazon.com/

Papertrail
Purpose: Log management
Location: United States
Website: papertrailapp.com/

Data Processing Agreement (DPA)

We provide standard DPAs for our customers, which document our responsibilities as a Data Processor and our approach to collecting, processing and storing Personal Data. If you are a customer who needs a signed DPA, please send an email to privacy@percept.ai using the same email address as the account owner. Here is an example of our DPA.

Data Protection Officer (DPO)

We have appointed a DPO who can be reached at dpo@percept.ai should you have any further questions regarding our data protection policy.