Encharge (PXCH Holding I, LLC) is safe, secure, and GDPR-compliant

The security of your data is important to us. This page lists our ongoing efforts to maintain compliance with the EU's General Data Protection Regulation (GDPR).

Slav Ivanov

Privacy and Security Contact



Lawful Basis and Transparency

Not started

Conduct an information audit to determine what information you process and who has access to it.

Organizations that have at least 250 employees or conduct higher-risk data processing are required to keep an up-to-date and detailed list of their processing activities and be prepared to show that list to regulators upon request. The best way to demonstrate GDPR compliance is a data protection impact assessment. Organizations with fewer than 250 employees should also conduct an assessment because it will make complying with the GDPR's other requirements easier. In your list, you should include: the purposes of the processing, what kind of data you process, who has access to it in your organization, any third parties (and where they are located) that have access, what you're doing to protect the data (e.g. encryption), and when you plan to erase it (if possible).

Not started

Have a legal justification for your data processing activities.

Processing of data is illegal under the GDPR unless you can justify it according to one of six conditions listed in Article 6. There are other provisions related to children and special categories of personal data in Articles 7-11. Review these provisions, choose a lawful basis for processing, and document your rationale. Note that if you choose "consent" as your lawful basis, there are extra obligations, including giving data subjects the ongoing opportunity to revoke consent. If "legitimate interests" is your lawful basis, you must be able to demonstrate you have conducted a privacy impact assessment.

Not started

Provide clear information about your data processing and legal justification in your privacy policy.

You need to tell people that you're collecting their data and why (Article 12). You should explain how the data is processed, who has access to it, and how you're keeping it safe. This information should be included in your privacy policy and provided to data subjects at the time you collect their data. It must be presented "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child."

Data Security

Completed

Take data protection into account at all times

Not started

Have a process in place to notify the authorities and your data subjects in the event of a data breach.

If there's a data breach and personal data is exposed, you are required to notify the supervisory authority in your jurisdiction within 72 hours. A list of many of the EU member states' supervisory authorities can be found here. The GDPR does not specify whom you should notify if you are not an EU-based organization. For those in English-speaking non-EU countries, you may find it easiest to notify the Office of the Data Protection Commissioner in Ireland. You are also required to quickly communicate data breaches to your data subjects unless the breach is unlikely to put them at risk (for instance, if the stolen data is encrypted).

Not started

Encrypt, pseudonymize, or anonymize personal data wherever possible.

Most of the productivity tools used by businesses are now available with end-to-end encryption built in, including email, messaging, notes, and cloud storage. The GDPR requires organizations to use encryption or pseudonymization whenever feasible.

Completed

Create an internal security policy for your team members, and build awareness about data protection.

Not started

Know when to conduct a data protection impact assessment, and have a process in place to carry it out.

A data protection impact assessment (aka privacy impact assessment) is a way to help you understand how your product or service could jeopardize your customers' data, as well as how to minimize those risks. The UK Information Commissioner's Office (ICO) has a data protection impact assessment checklist on its website. The GDPR requires organizations to carry out this kind of analysis whenever they plan to use people's data in such a way that it's "likely to result in a high risk to [their] rights and freedoms." The ICO recommends just doing it anytime you're about to process personal data.

Completed

Ensure Access to Backups Is Restricted

Completed

Ensure Backups Are Stored on Encrypted File Storage

Completed

Uses SSL (TLS) for secure communications

Not started

Ensure Database Backups of Personal Data Are Working

Accountability and Governance

Completed

Designate someone responsible for ensuring GDPR compliance across your organization.

Not started

Sign a data processing agreement between your organization and any third parties that process personal data on your behalf.

This includes any third-party services that handle the personal data of your data subjects, including analytics software, email services, cloud servers, etc. The vast majority of services have a standard data processing agreement available on their websites for you to review. They spell out the rights and obligations of each party for GDPR compliance. You should only use third parties that are reliable and can make sufficient data protection guarantees.

Not started

If your organization is outside the EU, appoint a representative within one of the EU member states.

If you process data relating to people in one particular member state, you need to appoint a representative in that country who can communicate on your behalf with data protection authorities. The GDPR and its official supporting documents do not give guidance for situations where processing affects EU individuals across multiple member states. Until this requirement is interpreted, it may be prudent to designate a representative in a member state that uses your language. Some organizations, like public bodies, are not required to appoint a representative in the EU.

Not started

Appointed a Data Protection Officer (if necessary)

There are three circumstances in which organizations are required to have a Data Protection Officer (DPO), but it's not a bad idea to have one even if the rule doesn't apply to you. The DPO should be an expert on data protection whose job is to monitor GDPR compliance, assess data protection risks, advise on data protection impact assessments, and cooperate with regulators.

Completed

Briefed all Staff on GDPR Impact to the organization

Completed

Informed all Employees and Contractors about GDPR Compliance

Privacy Rights

Completed

It's easy for your customers to request and receive all the information you have about them.

Completed

It's easy for your customers to correct or update inaccurate or incomplete information.

Completed

It's easy for your customers to request to have their personal data deleted.

Not started

It's easy for your customers to ask you to stop processing their data.

Completed

It's easy for your customers to receive a copy of their personal data in a format that can be easily transferred to another company.

Not started

It's easy for your customers to object to you processing their data.

If you're processing their data for the purposes of direct marketing, you have to stop processing it immediately for that purpose. Otherwise, you may be able to challenge their objection if you can demonstrate "compelling legitimate grounds."

Not started

If you make decisions about people based on automated processes, you have a procedure to protect their rights.

Some types of organizations use automated processes to help them make decisions about people that have legal or "similarly significant" effects. If you think that applies to you, you'll need to set up a procedure to ensure you are protecting their rights, freedoms, and legitimate interests. You need to make it easy for people to request human intervention, to weigh in on decisions, and to challenge decisions you've already made.

Other

Completed

Offer a way to easily sign a Data Processing Agreement with Encharge


Subprocessors

In order to provide its services, Encharge (PXCH Holding I, LLC) may engage third parties or other members of the Encharge (PXCH Holding I, LLC) corporate group (affiliates) to carry out data-processing activities that involve access to customer data. These organizations, called “subprocessors,” are identified below with their locations and the types of services they provide to Encharge (PXCH Holding I, LLC).


Amazon Web Services EMEA SARL

Required

Encharge uses an AWS data center in Ireland to host all of our app's data.

Any explicitly appointed 3rd parties

Required

Due to the nature of Encharge's software, 3rd party partners can be explicitly appointed by you by the act of connecting your Encharge account to your account with the 3rd party partner, either through Encharge's interface or through the 3rd party partner's interface. By explicitly appointing 3rd party partners, you agree to allow Encharge to transfer any information needed to provide the Encharge services. You may at any time remove the connection between your Encharge account and 3rd party partners appointed by you.

Twilio Inc

Optional

Encharge utilizes Twilio SendGrid to send email messages for certain customer accounts. Please note that Twilio's infrastructure is located in the US. If you require your full account data to remain in the EU, please contact us to ensure that your account doesn't utilize email sending via Twilio.

ComplyDog

Optional

Hosts the GDPR page you are currently viewing.

HubSpot

Optional

Encharge uses HubSpot to manage our operations and communicate with our users and customers.

HelpScout

Optional

Encharge uses Help Scout to serve our help documentation and to communicate with our users to answer support requests.

ConvertFlow

Optional

Encharge uses ConvertFlow to serve forms, quizzes, and popups on the Encharge marketing site.

Meta

Optional

Encharge uses the Meta Pixel to track the performance of our ad campaigns on the Encharge marketing site.

First Promoter

Optional

FirstPromoter is used by Encharge to run affiliate, influencer and referral marketing programs.

Segment.com

Optional

Segment is a Customer Data Platform (CDP), which is used by Encharge to collect and use data from the users of the Encharge app and marketing site.

Hotjar

Optional

Hotjar is a tool for visualizing and mapping how users engage with a site.

Google Analytics

Optional

Google Analytics is used to measure how users interact with the Encharge site.

Google Tag Manager

Optional

Google Tag Manager (GTM) is a tool that allows website owners to manage and implement various code tags on their website.

NitroPack

Optional

Used to provide a faster experience on the Encharge marketing site.


FAQs

Please see our frequently asked questions below. Please keep in mind that this is not legal advice and we recommend consulting with your internal compliance team or privacy attorney for guidance on compliance matters. Encharge (PXCH Holding I, LLC) is committed to helping our customers comply with applicable laws, but we cannot guarantee that your use of our products will be fully compliant. As always, we recommend seeking professional legal counsel for any specific questions or concerns.


Should I get consent from a customer to collect their personal data?

It is always good practice to receive explicit consent from your customer, as certain laws and regulations (such as the GDPR) require consent prior to collecting personal data of certain individuals (such as those in the EU).

It is also important to note that under the GDPR, consent is one of a number of lawful bases for processing data. Others include the need to process for the performance of a contract, the need to process in order to comply with a legal obligation, and the need to process in order to protect the vital interests of the data subject or another natural person. Full details can be found in Article 6 of the GDPR.

Can I modify personal data?

Yes, you can modify all data to correct personal data as required by GDPR when you receive a Subject Access Request, or for other reasons. Simply contact us and we will work with you to make the adjustments.

Can I delete personal data?

Yes, you can delete any data, including data that contains personal data, as required by GDPR. You can also remove all other requested customer data by sending us a data request.

Is personal data permanently deleted when I remove it?

Yes, the deletion is permanent and unrecoverable.

How long is personal data retained in Encharge (PXCH Holding I, LLC) if I don’t delete it?

Encharge (PXCH Holding I, LLC)’s philosophy is that customers own and control all the data they collect. Any retention period required by law or your company policy is controlled by you.

You should ensure that all people and personal data are deleted prior to stopping your usage of Encharge (PXCH Holding I, LLC), especially if required by policy, law, or regulation.

Does my data get included in backups, and if so, for how long?

Yes. Encharge (PXCH Holding I, LLC) backs up all customer data, and retains the backups for 90 days. After 90 days, the backup is deleted.

Can I delete customer’s personal data from Encharge (PXCH Holding I, LLC) backups?

No. The backup dataset contains all customer data, and is used for disaster recovery purposes only. This is required for legal and compliance reasons related to availability obligations. Any personal data in these backups will be permanently deleted after 90 days.

If my data centre is located in the EU, does Encharge (PXCH Holding I, LLC) transfer my personal data outside the EU at any point?

Our data centers are with Amazon Web Services in Ireland.

Does Encharge (PXCH Holding I, LLC) ensure that my data is accessed only by employees with reasonable justification for doing so?

As required by GDPR, only qualified Encharge (PXCH Holding I, LLC) employees with a specific need are permitted to access your account. The typical reason for accessing your account would be upon your specific request for support.

Does Encharge (PXCH Holding I, LLC) use sub-processors that process my data?

Encharge (PXCH Holding I, LLC) presently uses sub-processors to provide the service. As required by GDPR, Encharge (PXCH Holding I, LLC) maintains a list of those sub-processors here.

If a data breach occurs with the Encharge (PXCH Holding I, LLC) platform that affects my data, how and when will I be notified?

If a confirmed data breach occurs that is caused by Encharge (PXCH Holding I, LLC)’s actions or inactions, we will, without undue delay, notify the account owner. Information about the breach will be released as it becomes available, as allowed by GDPR. The account owner will be the main point of contact for all notifications, and will be kept aware of the investigation and remediation efforts as they progress.

How can I comply with a Subject Access Request and portability as required by GDPR?

Since you know what data you are collecting, you are responsible for handling any Subject Access Request (SAR). Encharge (PXCH Holding I, LLC) only provides the platform and wouldn’t know the details about your customizations, properties, or your customers.

A SAR means that a customer is asking about information being collected about him or her. If you collected personal data of an EU citizen or a person residing in the EU, you may have a legal obligation to respond to a SAR.

Data may be downloaded in industry-standard formats for data portability to comply with GDPR.

If Encharge (PXCH Holding I, LLC) receives a SAR, it will do its best to contact the owner. It may not always be possible to know who the rightful owner is.

How do I comply with a Subject Access Request to “be forgotten”?

Similar to the above, you know what data you have. If you collected personal data of an EU citizen or a person residing in the EU, you may have a legal obligation to respond and comply with a request to delete all identifiable data.

As previously stated, you have the ability to delete a customer's data.

How does Encharge (PXCH Holding I, LLC) comply with its GDPR obligations to return or destroy all EU personal data?

Encharge (PXCH Holding I, LLC) provides easy ways to download all your data in industry-standard formats. As previously described, you may also easily delete data, including a customer's entire history.

How does Encharge (PXCH Holding I, LLC) comply with its GDPR obligations to encrypt personal data?

All data stored in our primary databases and backups is encrypted using an industry-standard strong cipher. All data transmitted to the Encharge (PXCH Holding I, LLC) platform is encrypted using the industry-standard TLS protocol.

How can I assure my customers that Encharge (PXCH Holding I, LLC) security meets applicable law and the GDPR (Article 32)?

Encharge (PXCH Holding I, LLC) is committed to safeguarding your data. We use sophisticated controls during processing to maintain the confidentiality, integrity, availability, and resilience of your data. Our Security page outlines the details of our application security, network security, policies, and more.

As related to Article 28 in the GDPR, Encharge (PXCH Holding I, LLC) will only process personal data according to your instructions. In other words, the commands you use in the product are the “instructions,” and Encharge (PXCH Holding I, LLC) does not use personal data for any other means. In addition, it does not transfer personal data to a third party without your consent. If personal data is transferred from the EU to a third country, then adequate safeguards will apply to the transfer (such as the EU-US Privacy Shield Framework).

Encharge (PXCH Holding I, LLC) has developed recovery procedures to minimize downtime related to a disaster, with the ability to restore access to personal data in a timely manner in the event of a physical or technical incident.

We regularly test, assess and evaluate the effectiveness of our technical and organizational measures to ensure the security of the processing.

Powered by ComplyDog