GDPR Policy Overview

Updated 1 week ago by Katja Ritchie

Tip: You can permanently delete individual contacts from Siftrock. Go to this guide for more info.

Siftrock has aligned our policies and practices with GDPR regulations. We have also outlined GDPR considerations and best practices for your Siftrock configuration. 


Siftrock stores a minimum of Personal Data, and only as instructed by our customer (the Subscriber), for the purposes of delivering the Siftrock Services.

For the purpose of this document we will refer to “Contact Data” as any Personal Data that Siftrock collects, processes, or stores as a data importer on behalf of the Subscriber.

Data Summary


Siftrock collects, processes and stores Contact Data about people who reply to Subscriber’s email marketing campaigns, only as allowed by Subscriber.

Data Types:

Limiting Scope: 

If desired by Subscriber, Siftrock offers multiple features to exclude processing Contact Data from EU residents. Subscriber can limit Siftrock access to specific email inboxes or specific marketing programs (e.g. Subscriber may exclude email campaigns sent to EU residents). In addition, information can be selectively synced from Siftrock to Subscriber’s marketing automation platform based on customized business rules.

Siftrock has implemented the following practices relevant to GDPR.

  • Privacy Policy: Siftrock privacy policy has been updated to align with GDPR:
  • Model Clauses & Data Processing Agreement (DPA): Siftrock is able to sign the EU Model Clauses or Subscriber DPA if desired as part of the Subscriber service order.
  • Basis for processing: Siftrock collects and processes Contact Data to fulfill performance of our contract with Subscriber. Subscriber, as the data controller, is responsible for determining the lawful basis for processing Contact Data and documenting EU data subject consent, if consent is the lawful basis for processing.
  • Data Storage: All data is stored securely in the United States via Amazon Web Services.
  • Data Deletion, Correction, Editing, or Extraction: Siftrock will export, correct, or delete all Contact Data upon request by the Subscriber or EU data subject. You can search and delete contacts directly from Siftrock Settings > Data Privacy. All data storage & back-end infrastructure is designed to allow these requests. For more information see
  • Security: You can see an overview of our security program here. Siftrock has implemented technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
  • Consent: Siftrock is a data importer and data subject consent is the responsibility of the Subscriber as a data controller. Features of the Siftrock platform that collect Contact Data without explicit consent may be disabled for EU specific communication and/or disabled entirely by the Subscriber.
  • Onward Transfer: We act as a data processor for Subscribers and are responsible for the processing of EU and Swiss Personal Data, under the Privacy Shield framework, and for subsequent transfers to third parties acting as an agent on our behalf. We maintain contracts with these third parties restricting their access, use, and disclosure of personal data in compliance with our Privacy Shield obligations. We comply with the Privacy Shield Principles for all onward transfers of EU and Swiss Personal Data, and acknowledge that we may be liable in the transfer of such data.
  • Marketing: Siftrock does not market to, nor resell, any Contact Data collected on behalf of the Subscriber.

List of Subprocessors


Subprocessor and description of service:

  • Amazon Web Services, Inc: Cloud hosting services
  • Google, Inc: Translation services
  • Marketo, Inc: Sync as directed by subscriber
  • HubSpot, Inc: Sync as directed by subscriber
  • Oracle, Inc: Eloqua sync as directed by subscriber
  • …, Inc: Pardot sync as directed by subscriber
  • Act-On, Inc: Sync as directed by subscriber
