GDPR Policy Overview

Updated 14 days ago ​by Adam Schoenfeld

Siftrock has aligned our policies and practices with upcoming GDPR regulations. This page provides a high level summary of our policies and practices. Please contact you CSM or with any questions.

We have also outlined GDPR considerations and best practices for your Siftrock configuration. 


Siftrock stores a minimum of Personal Data, and only as instructed by our customer (the Subscriber), for the purposes of delivering the Siftrock Services.

For the purpose of this document we will refer to “Contact Data” as any Personal Data that Siftrock collects, processes, or stores as a data importer on behalf of the Subscriber.

Data Summary


Siftrock collects, processes and stores Contact Data about people who reply to Subscriber’s email marketing campaigns, only as allowed by Subscriber.

Data Types:

Limiting Scope: 

If desired by Subscriber, Siftrock offers multiple features to exclude processing Contact Data from EU residents. Subscriber can limit Siftrock access to specific email inboxes or specific marketing programs (e.g. Subscriber may exclude email campaigns sent to EU residents). In addition, information can be selectively synced from Siftrock to Subscriber’s marketing automation platform based on customized business rules.

Policies Related to GDPR

Siftrock has implemented the following practices relevant to GDPR.

  • Privacy Policy: Siftrock privacy policy has been updated to align with GDPR:
  • Model Clauses & Data Processing Agreement (DPA): Siftrock is able to sign the EU Model Clauses or Subscriber DPA if desired as part of the Subscriber service order.
  • Basis for processing: Siftrock collects and processes Contact Data to fulfill performance of our contract with Subscriber. Subscriber, as the data controller, is responsible for determining the lawful basis for processing Contact Data and documenting EU data subject consent, if consent is the lawful basis for processing.
  • Data Storage: All data is stored securely in the United States via Amazon Web Services.
  • Data Deletion, Correction, Editing: Siftrock will correct or delete all Contact Data upon request by the Subscriber or EU data subject. Requests must be submitted to and will be processed within 30 days of submission. All data storage & back-end infrastructure is designed to allow these requests. Siftrock manages this process with an internal ticket, reviewed by the CTO, and then confirmation is provided to the requesting parties.
  • Security: You can see an overview of our security program here. Siftrock has implemented technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
  • Consent: Siftrock is a data importer and data subject consent is the responsibility of the Subscriber as a data controller. Features of the Siftrock platform that collect Contact Data without explicit consent may be disabled for EU specific communication and/or disabled entirely by the Subscriber.
  • Onward Transfer: We act as a data processor for Subscribers and are responsible for the processing of EU and Swiss Personal Data, under the Privacy Shield framework, and for subsequent transfers to third parties acting as an agent on our behalf. We maintain contracts with these third parties restricting their access, use, and disclosure of personal data in compliance with our Privacy Shield obligations. We comply with the Privacy Shield Principles for all onward transfers of EU and Swiss Personal Data, and acknowledge that we may be liable in the transfer of such data.
  • Marketing: Siftrock does not market to, nor resell, any Contact Data collected on behalf of the Subscriber.

How did we do?