Drift Email has aligned our policies and practices with GDPR regulations. We have also outlined GDPR considerations and best practices for your Drift Email configuration.
Drift Email stores a minimum of Personal Data, and only as instructed by our customer (the Subscriber), for the purposes of delivering the Drift Email Services.
For the purpose of this document we will refer to “Contact Data” as any Personal Data that Drift Email collects, processes, or stores as a data importer on behalf of the Subscriber.
Drift Email collects, processes and stores Contact Data about people who reply to Subscriber’s email marketing campaigns, only as allowed by Subscriber.
If desired by Subscriber, Drift Email offers multiple features to exclude the processing of Contact Data from EU residents. Subscriber can limit Drift Email's access to specific email inboxes or specific marketing programs (e.g. Subscriber may exclude email campaigns sent to EU residents). In addition, information can be selectively synced from Drift Email to Subscriber’s marketing automation platform based on customized business rules.
Policies Related to GDPR
Drift Email has implemented the following practices relevant to GDPR.
Model Clauses & Data Processing Agreement (DPA): Drift Email is able to sign the EU Model Clauses or Subscriber DPA if desired as part of the Subscriber service order.
Basis for processing: Drift Email collects and processes Contact Data to fulfill performance of our contract with Subscriber. Subscriber, as the data controller, is responsible for determining the lawful basis for processing Contact Data and documenting EU data subject consent, if consent is the lawful basis for processing.
Data Storage: All data is stored securely in the United States via Amazon Web Services.
Data Deletion, Correction, Editing, or Extraction: Drift Email will export, correct, or delete all Contact Data upon request by the Subscriber or EU data subject. You can search and delete contacts directly from Drift Email Settings > Data Privacy. All data storage & back-end infrastructure is designed to allow these requests. For more information see this article.
Security: You can see an overview of our security program here. Drift Email has implemented technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
Consent: Drift Email is a data importer and data subject consent is the responsibility of the Subscriber as a data controller. Features of the Drift Email platform that collect Contact Data without explicit consent may be disabled for EU-specific communication and/or disabled entirely by the Subscriber.
Onward Transfer: We act as a data processor for Subscribers and are responsible for the processing of EU and Swiss Personal Data, under the Privacy Shield framework, and for subsequent transfers to third parties acting as an agent on our behalf. We maintain contracts with these third parties restricting their access, use, and disclosure of personal data in compliance with our Privacy Shield obligations. We comply with the Privacy Shield Principles for all onward transfers of EU and Swiss Personal Data, and acknowledge that we may be liable in the transfer of such data.
Marketing: Drift Email does not market to, nor resell, any Contact Data collected on behalf of the Subscriber.
List of Subprocessors
|Subprocessor|Description of service|
|---|---|
|Amazon Web Services, Inc|Cloud hosting services|
|Google, Inc|Translation services|
|Marketo, Inc|Sync as directed by subscriber|
|Hubspot, Inc|Sync as directed by subscriber|
|Oracle, Inc|Eloqua sync as directed by subscriber|
|Salesforce.com, Inc|Pardot sync as directed by subscriber|
|Act-On, Inc|Sync as directed by subscriber|