We collect information during the signup process as well as when you include Amy + Andrew on emails. This includes but is not limited to your name, e-mail address, calendar information, scheduling preferences, and emails when specifically shared with Amy + Andrew. We do not store the history of any email thread on our servers, just the emails that Amy + Andrew is specifically included on.
How we may collect your information?
You may provide profile information directly when you enter it in x.ai services. In some cases another user (such as a system administrator) may create an account on your behalf and may provide your information, including personal information (most commonly when your company requests that you use our products). If you are an employee of one of our customers and would no longer like us to process your information, please contact your employer. If you are providing information (including personal information) about someone else, you must have the authority to act for them and to consent to the collection and use of their personal information.
Do we process your personal data?
Yes, we process customer personal data to provide the products and services and for other limited purposes enumerated below.
What do we process your information for?
The information we collect from you may be used and processed in one or more of the following ways:
- To send you emails and calendar invites as part of the service itself.
- To personalize your experience.
- To improve and enhance our service.
- To improve customer service.
- To respond to your requests and feedbacks.
- To send you promotional offers, products which may interest you, notifications, updates or surveys. You may, at any time, request to opt-out of receiving future emails or notifications from us by contacting us.
- To perform research, analytics, or for statistical purposes.
- To detect, prevent, or otherwise address fraud, security, or technical issues.
- To resolve disputes and enforce our policies, including investigation of potential violations thereof, for the purpose of law enforcement or in accordance with any applicable law or regulation.
- For other purposes about which we obtain your consent.
Will we share your information with other third parties?
We will never sell, rent or trade your personal information to third parties. However, in order to provide our services, we may need to supply selected third parties e.g. Salesforce, with your personal information, but it will only be for the stated purpose and no other.
How long do we retain the personally identifiable information we collect?
In accordance with and as permitted by applicable law and regulations, we will retain your information as long as necessary to serve you, to maintain your account for as long as your account is active, or as otherwise needed to operate our business. When you close your account, we may continue to communicate with you about our Services, give you important business updates that may affect you, and let you know about products and services that may interest you, unless you have opted out of receiving marketing communications. We may also continue to use some of your information for business purposes and to improve our offerings or in some cases to develop new ones.
Where do we process and store data?
We process and store data on the Amazon Web Services ("AWS") servers that it licenses, which are located in the United States. AWS maintains that they have certified to the Privacy Shields and will be GDPR compliant as well. See https://aws.amazon.com/compliance/eu-data-protection/ for additional information.
Does GDPR require that EU personal data be stored in the EU?
No. Neither current EU law nor the GDPR require that EU personal data be stored in the EU. Instead, what is required is that the processor must provide “appropriate safeguards” for data that it hosts and processes outside the EU/EEA. Because we do not, and do not currently have plans to use servers or data centers in the EU to process or store profile and email data, we are working towards achieving appropriate safeguards through EU-US Privacy Shield Certification.
Is x.ai a controller or processor?
Both, depending on the circumstances.
Where customers create an account with x.ai to schedule meetings as meeting hosts, x.ai will be a data controller over the personal data that hosts provide about themselves as part of their account. x.ai will also be a data controller of the personal data that x.ai obtains in the course of a hosts’ use of x.ai’s services, which x.ai may then use to conduct research and analysis, improve our products and features, and provide targeted recommendations.
However, x.ai will be a data processor over a meeting guest’s personal data that x.ai obtains as a result of providing its meeting scheduling services to our hosts. For example, facilitating the transmission of emails to meeting guests at the request of the meeting host, or providing meeting reports and tools so hosts can gain insights into the effectiveness of x.ai services.
What are we doing to ensure GDPR compliance?
We believe that we have an ethical obligation to protect not only our team’s personal data, but those of our partners’ teams and their beneficiaries. We’ve been working on GDPR compliance for the past few months, and have set up a team to work on laying the foundations, expected May 2018.
Right now, we’re completing the auditing of processes, which allows us to understand what personal data we process, where we process it, and why. Once this process has been completed, we will have a gap analysis detailing which data is high risk, which processes need to be better secured, and where we could minimize what is collected.
How do we manage application security?
x.ai’s security team is involved in every software development project within the company. Security requirements are identified for each project at inception, and are tracked throughout the lifecycle of the project. Security testing is performed prior to release, and issues are remediated as part of the software development life cycle.
x.ai also monitors its systems and services for security vulnerabilities with a variety of methods, including:
- Third party penetration/vulnerability testing: We hire reputable security agencies to perform testing, including application, network, and infrastructure vulnerability scanning and selected penetration testing.
- Regular vulnerability scans: We conduct weekly scans of our offices and production network to identify and remediate known vulnerabilities on our infrastructure and application platform.
- System monitoring: x.ai utilizes a host-based Intrusion Detection (IDS) / Intrusion Prevention (IPS) systems to detect anomalous and/or malicious traffic on our networks and systems.
- Firewall infrastructure: Nextigeneration firewalls are utilized to restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are permitted based on business need.