Frequently Asked Questions about LiveChat, Inc.’s GDPR compliance

The General Data Protection Regulation (GDPR) is the result of many years of work by the European Union to unify and strengthen data protection for all EU citizens. Taking care of your and your customers’ privacy is our number one priority.

GDPR gives you more control over how your data is used, while for us it creates a simple legal environment in which we can operate. That makes this change desirable for both parties!

The new regulation came into effect on the 25th May 2018 and we are glad to report that LiveChat has fulfilled all the required regulations to become fully GDPR compliant.

Below you will find a list of frequently asked questions regarding GDPR compliance. If you can’t find an answer that relates to your question, please let us know by writing to legal@livechat.com – we will reply as soon as possible and update this document.

01. What has LiveChat done about the GDPR?

We take our responsibilities under the GDPR seriously. That’s why we have taken steps to identify which measures we need to implement to be compliant with the GDPR.

A quick summary of what we’ve done is available here: https://www.livechat.com/general-data-protection-regulation/

02. What organization provides Services and stores my data? Is LiveChat, Inc. a data controller or a data processor?

Services are provided and your personal data are processed by LiveChat, Inc. (101 Arch Street, 8th Floor, Boston MA 02110, United States of America). You can contact us via chat or at support@livechat.com (or via the support email of the Service you use). LiveChat, Inc. is a data processor, since we do not determine the purposes for which your data (including your customers’/users’/visitors’ data) is processed. It is you who decide to use our software; thus, you decide to supply us with the personal data to facilitate communication between you and your customers. We only process the data in order to provide, maintain, and improve our Services as well as to secure your and our potential claims. In some exceptional cases LiveChat, Inc. may also act as a data controller. This is explained fully in our Privacy Policy: https://www.livechat.com/privacy-policy/.

03. What data does LiveChat, Inc. process?

While registering for one of our Services (www.livechat.com, www.helpdesk.com, www.chatbot.com, www.knowledgebase.ai) we request you to provide us with such information as the first name, last name, company business name, address, website address, email address. This is the basic data of yours that we process and store. We also store the data you and/or your customers insert into the Service (i.e. your chat content, your tickets contents, knowledge base articles, ChatBot scenarios, files or any other content inserted into the Service). We also store your customers/visitors data such as email addresses or other data you ask your customers for via the Service you use (i.e. in a pre-chat survey). You can find a full description of the data processing in our Privacy Policy: https://www.livechat.com/privacy-policy/.

The basis for your personal data processing by LiveChat, Inc. is an Agreement between you and us which is concluded when you sign up for the Service (create an account). The Agreement is constituted by “Terms and Conditions” and “Privacy Policy”:
https://www.livechat.com/terms-and-conditions/
https://www.livechat.com/privacy-policy/

This is why a separate consent for your data processing by LiveChat, Inc. is not required. However, you may need to gain consent for data processing and transferring from your customers/users/visitors. It depends on whether you need to be GDPR compliant or not if you collect your customers/users/visitors data, and what your data processing basis is. To help you comply with the GDPR requirements we have created a tool (working with LiveChat Service) that helps you gain such consents. If you think you need it please go to point 9. If you use a Service other than LiveChat you may need to at least notify your customers about using LiveChat, Inc.’s Services and transferring data to us.

05. Am I a data controller or a data processor?

Firstly, you need to figure out if you process or provide personal data of EU citizens. For instance, if you are an Australian company and you only process Australian citizens’ data, GDPR does not apply to you. However, if you process the personal data of European citizens, you need to comply with this regulation. You or your company (organization) may then act as a data controller. This is the case when you are a natural or legal person, public authority, agency or other body, and you, alone or jointly with others, determine the purposes and means of the processing of personal data. You may also act as a data processor. This is the case when, as a natural or legal person, public authority, agency or other body, you process personal data on behalf of the data controller. Simply put, this is when you do not determine the purposes of the processing but use data according to the controller’s instructions.

06. Do I need to enter into a Data Processing Agreement/Addendum?

Regardless of whether you are a data controller or a data processor, when you transfer personal data to us (and you do so while using our Services) you may need to enter into a DPA with us if you transfer any EU citizens’ personal data.

07. Do you have a GDPR compliant Data Processing Agreement/Addendum for us to sign?

Yes, we have prepared this document for our customers. You can review and sign a copy of LiveChat’s Data Processing Addendum here: https://app.hellosign.com/s/11HpZdOT. Instructions for execution are set out in the Addendum. If you have any questions about its contents you can email: dpa@livechat.com.

08. How is my personal data used/processed in LiveChat, Inc? How can I execute my right to be forgotten?

LiveChat, Inc. stores and processes the personal data of its customers and people employed while using LiveChat, Inc. Services. We store such data as a first name, last name, email address, IP number, browser information, operating system, geolocation, payment/credit card details (and other information listed in our Privacy Policy: https://www.livechat.com/privacy-policy/). We process these data only for the purposes listed in our Privacy Policy. We do not sell your data. LiveChat, Inc. also stores the data you and/or your customers inserted into the Service via the system (i.e. the chat history, ticket content, ChatBot scenarios and files, depending on the Service you use, as well as your customers’ personal data if supplied by you). This allows you to have constant access to the history of your conversations and other content. However, if you intend to delete any of your chat, ticket, ChatBot scenario, article, or other content, you can check https://www.livechat.com/kb/prepare-chat-gdpr#be-forgotten/ for information on how to do it. You can also freely decide whether you want to have your data and content permanently deleted from the system. If you wish to delete the data permanently, just send us a request at support@livechat.com (or the support email of the Service you use) and we will delete your data within 30 days.

09. What can I do to become GDPR compliant using LiveChat, Inc.’s Services? How to prepare my Service for GDPR?

LiveChat, Inc. also stores/processes the personal data of your customers and visitors (end-users of the Service you use). In particular, we store data provided in the pre-chat survey, chat content, your customer’s email address and ticket content, ChatBot scenarios, as well as your KnowledgeBase articles. Thus, if you collect your visitors’/end-users’/customers’ personal data and transfer them to us, you may need to gain their consent and/or notify them that you use LiveChat, Inc.’s Services. You can find the instructions on how to customize your pre-chat survey (applies to the LiveChat Service) to comply with this rule here: https://www.livechat.com/kb/prepare-chat-gdpr. If you wish, and if they meet your company’s requirements, you can use one or more of the clauses we have prepared for you. The clauses can be found here: https://www.livechat.com/kb/chat-surveys#pre-chat-gdpr. If you use HelpDesk, you may need to disclose that you use LiveChat, Inc.’s Services (or include LiveChat, Inc. as a sub-processor on your sub-processors’ list).

10. Where does LiveChat, Inc. store personal data? Are personal data processed outside the EU?

LiveChat, Inc. stores its customers’ data mainly in a data center in Dallas (Texas), U.S. We also have a data center in Europe (Frankfurt). Your data storage location depends on the Service you use. When you sign up and create an account in LiveChat, your data is automatically collected and stored in our US data center (regardless of whether you sign up from the EU, the US or other parts of the world). If you want to have your data stored in the EU (please note this is available only for the LiveChat Service), you need to sign up via https://accounts.livechat.com/signup?region=fra. Also, note that for this Service it’s currently not possible to transfer your chats to the other data center, but we can assist you in creating a new account, so that the personal data provided for creating the new account, as well as future conversations, will be stored in the European data center. Additionally, like many SaaS providers, we use top-tier, third-party data hosting providers (Amazon S3, IBM Softlayer and Google) to host our online Services.

11. Does LiveChat share any personal data with any sub-processors (other entities)?

To make our Services work properly we use other companies’ services (generally software). We do so to maintain our Services, improve our tools, and enable and simplify their usage. If it is necessary to give a processor access to a part of your data, we first make sure that the company receives only the necessary data (i.e. only an email address for the email service provider). Secondly, we enter into agreements with such companies to make sure they provide at least the same level of protection as we do. Please note that some of our sub-processors process data outside the EU. You can find more information about the rules of sub-processing in our DPA, and a current list of our sub-processors is available at the following link: https://www.livechat.com/kb/livechat-third-party-data-processors.

12. How does LiveChat choose and verify sub-processors?

We are committed to complying with the GDPR and, accordingly, to transferring personal data lawfully. This is why we work only with inspected third-party service providers. We have verified all the sub-processors we currently cooperate with. Besides the ‘location requirement’ (we cooperate mostly with companies from the EU or the US), every time before we start cooperating with a new sub-processor we make sure it is GDPR compliant (if applicable). We also enter into agreements with our sub-processors that guarantee adequate data protection obligations. Also, before appointing a new sub-processor we make sure the data will be securely and lawfully transferred. We choose only providers based in the EEA, the US or other secure countries such as Canada, Switzerland, New Zealand. We will work with a provider only if we are sure your data will be transferred and stored securely. If the data transfer requires that we apply additional measures (i.e. Standard Contractual Clauses) to transfer data in line with the GDPR.

13. Has LiveChat, Inc. appointed a Data Protection Officer?

A DPO has been appointed, and information about this can be found in our Privacy Policy: https://www.livechat.com/privacy-policy.

14. What security measures does LiveChat, Inc. implement to protect the data? Are the data encrypted and if so, to what standards?

As a company offering its Services in the SaaS model, we are aware that the security of our customers and their data is crucial. We treat security as a basic aspect of our business. We know that it is a matter of trust. This is why we implemented a number of safeguards even before GDPR was adopted. We have since made sure our safeguards comply with the regulation, and we adjust them or add new ones if necessary. We encourage you to familiarize yourself with our Security Overview: https://www.livechat.com/legal/security.

15. Does LiveChat, Inc. carry out external penetration tests on the application? If so, how frequently?

LiveChat, Inc. uses external auditors to verify the adequacy of its security measures, including the security of the physical data centers. These audits are performed at least annually and include penetration tests.

16. How does LiveChat, Inc. comply with the EU data transfer restrictions?

When personal data is hosted or processed outside of the European Economic Area, GDPR requires that it remains protected by appropriate safeguards in line with EU law. LiveChat, Inc. meets these requirements. Most of our EU customers’ data is processed in the United States (where our headquarters are located). If we process EU customers’ data outside the EU, we ensure that the appropriate safeguards required by GDPR are in place, i.e. Data Processing Agreements, including Standard Contractual Clauses (as the GDPR requires), with the entity the data is transferred to.

17. For how long do you hold the personal data?

We explain it in our Privacy Policy, Terms and Conditions (which both are an Agreement between you and us) and our DPA:
https://www.livechat.com/privacy-policy
https://www.livechat.com/terms-and-conditions
https://app.hellosign.com/s/11HpZdOT

It’s possible to request a periodic data purge. To do that, please send a request to support@livechat.com stating which data should be deleted, how often you want them deleted, and at what time these chats and tickets should be deleted (hour + timezone). However, this feature may vary depending on which Service you use.

18. Does LiveChat, Inc. have an incident management process in place?

Yes, we have it in place. In the event of an incident, we are ready to react immediately to protect your data from unjustified disclosure or any other infringement.

19. What are your processes for identifying and remediating vulnerabilities in your application and the underlying software and infrastructure?

a) Running an external audit, fixing all found vulnerabilities, testing the implemented fix and iterating this procedure until the issue is fixed;
b) Periodic systems scanning with tools for automatic issue recognition.

20. What process should we follow if we suspect that a security breach has occurred?

Contact support via support@livechat.com or chat on our website.

21. Have you had any information security breaches in the last 12 months?

No, we have not had any. You can follow the website https://status.livechat.com, where we report any security issues and incidents.

22. Who is responsible for Information Security?

LiveChat, Inc. has appointed a Data Protection Officer. You can find more information about the DPO and data protection in our Privacy Policy.

23. Do you have a DR plan? How quickly could you restore from a data backup if you suffered a major loss and what is the maximum amount of data that might be lost?

We do have a DR plan. Each part of the system can be restored within 24 to 48 hours (considering a complete disaster). Moreover, each instance of the whole infrastructure is multiplied, so losing a single instance will not cause the Service to degrade. The stated time refers to a disaster on the scale of a flood.

24. Are we able to take a full copy of our data in a standard format (e.g. CSV)? Is it possible to export all chats and tickets using your API in a JSON format, that can be easily converted to CSV?

Regardless of the Service you use, you can ask us for a copy of your data. It is possible to download a copy of the data in JSON. To check how you can get your LiveChat data, please refer to https://www.livechat.com/kb/prepare-chat-gdpr.

25. Do you have any DDoS protection in place?

Yes, we do have DDoS protection provided by Akamai.

26. Is LiveChat Service a single tenant or multi-tenant? If multi-tenant, what steps have been taken to secure the data from being accessed by other tenants?

The application is multi-tenant. Data for each license is accessible only to accounts assigned to that license, so a person who wants access to a license’s data needs a corresponding login and password. This is the basic logic behind the whole application infrastructure: it’s not possible to access other users’ data, as an access request without the needed credentials will be considered an unauthorized call and denied. Also, one set of credentials (login + password) can be used for one license only.

27. Cookies at LiveChat, Inc.

LiveChat, Inc. uses cookies to provide you with the best software service possible. Cookies are used while using Services rendered by LiveChat, Inc. or browsing any of the websites where our Services are installed. Cookies are pieces of information sent by the server, stored on a user’s computer for the purpose of automatic identification of a particular user when using our Services or browsing the website. We have decided to set different expiration dates depending on the type of your activity on the website but remember you can simply delete cookies from your browser anytime. You can read more about our cookie policy in our Privacy Policy.

Legal note: Please note that the materials available on this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem.