Trust
Scripted will protect your data.
Overview
At Scripted.com, we take your security and privacy seriously. As the GDPR legislation comes into effect in the spring of 2018, privacy will become a primary focus for most businesses. We’re committed to helping our customers adjust to the scope of the changes by being transparent about our practices and how we protect data and privacy.
This page covers most topics related to security and privacy on our platform. If you would like additional information, or have questions, please contact our Support team via support@scripted.com.
As a Scripted customer, you are subject to several policies regarding how to properly use the service and benefit from it. Please read these policies carefully so you are aware of your responsibilities as a customer of Scripted.
These policies are:
- Terms of Service - explains the relationship between Scripted and you, the customer - when you access and use Scripted and its related domains (together, the “Website”) and/or download, install, use and in some cases purchase Scripted’s proprietary software applications (including all related documentation, updates and upgrades) and any other services offered by Scripted Service.
- Writer Service Agreement - This Writer Services Agreement is part of the Writer Contract between the Writer and Scripted Inc. (“Scripted”), effective upon Writer’s acceptance of a Job on the Site. This Services Agreement incorporates all terms, conditions, rules, policies, and guidelines on the Site, including the Scripted Terms of Service. Capitalized terms not defined in this Services Agreement are defined in the Scripted Terms of Service.
- Privacy Policy - includes our privacy promise and a detailed explanation of our privacy practices regarding data, and the GDPR and EU-US Privacy Shield related policy articles you are subject to.
- Data Processing Agreement - example of Data Processing Agreements (DPA) between the customer and Scripted. If you need the DPA to be compliant with privacy regulations, we will sign it via an electronic service.
This agreement includes standard model clauses for transfer to third-party countries (the current bar set by the EU Commission). These clauses ensure our customers can transfer data to countries outside of the EEA for use in our system. Further, Scripted has DPAs in place with all sub-processors where legally required.
Security Safeguards
Physical Security
We are hosted on Microsoft Azure Cloud which provides robust, physical data center security and environmental controls.
Encryption
We enable encryption of sensitive data both at rest and in transit over public networks.
Data Usage
We don't mine or access your data for advertising purposes.
Data Privacy
We only use customer data to provide the services; we don’t sell or rent your data. Only authorized personnel have access to data in limited cases.
Data Recovery
We regularly back up your data and provide a maximum 24-hour RTO and RPO.
Data Ownership
Your data belongs completely to you. We won't delete data in your account without giving you time to export it.
Database Security
We host your data in its own secure database.
Protected connections
All connections to our websites or services are protected via the use of encrypted connections, such as the Secure Sockets Layer (SSL) protocol.
GDPR
“GDPR” stands for the European Union’s General Data Protection Regulation. It replaces the Data Protection Directive. The purpose of GDPR is to ensure appropriate protection of personal data in a digital society.
GDPR, like the Data Protection Directive before it, finds its roots in Article 8(1) of the Charter of Fundamental Rights of the European Union, which echoes Article 12 of the Universal Declaration of Human Rights adopted by the UN General Assembly in 1948, and Article 16(1) of the Treaty on the Functioning of the European Union, pursuant to which “everyone has the right to protection of personal data concerning him or her.” Though GDPR was adopted in 2016, it becomes enforceable on May 25, 2018.
This regulation affects all businesses that are established in the EU or that control or process data of data subjects who are EU natives. Essentially, almost all businesses working with personal data will be affected by it.
What are the main responsibilities under GDPR?
Organizational responsibilities under GDPR will depend on the nature of your business and your personal data processing activities. Nonetheless, broadly speaking, GDPR requires that personal data be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
- Adequate, relevant, and limited to what is necessary for achieving those purposes
- Accurate and kept up to date
- Stored no longer than necessary to achieve the purposes for which it was collected
- Properly secured against accidental loss, destruction, or damage
Further, GDPR places additional obligations on companies to document their processing activities and be able to demonstrate their compliance with the above principles.
It also codifies the requirement that companies apply data protection by design and by default when developing and designing processes, products and systems.
In addition, if you use service providers to process personal data on your behalf, you will need to ensure that you have an appropriate contract in place that ensures that they are obligated to apply GDPR’s data processing standards.
Similarly, if you are transferring EU personal data outside the EU, you may only do so if it is being transferred to a country deemed by the EU Commission to have adequate data processing regulations.
For transfers to countries not deemed adequate, you must ensure appropriate alternative safeguards are in place.
Currently, under the Directive, approved transfer safeguards include the EU-US Privacy Shield and standard contractual clauses.
Depending on the nature of your business and your personal data processing activities there are various other GDPR obligations that may apply. You should consult with a qualified privacy professional to understand how GDPR applies to your specific business.
What’s the definition of “personal data” under the GDPR?
Personal data means data that relates to an identified or identifiable natural person (aka “data subject”). An identifiable data subject is someone who can be identified, directly or indirectly, such as by reference to an identifier like a name, an ID number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Importantly, this is a very broad definition and can encompass data like IP addresses of a user’s personal device, their device ID, or their phone number. It does not matter that the identifier could change (e.g., that the user could change their phone number or device ID).
What matters is that the information can be used to “pick that user out of the crowd” even if you don’t know who that user is.
It is also important to note that the definition of personal data is not tied to concerns about identity theft the way that definitions of personally identifying information (PII) are under many US data breach laws. So, even if it seems like there would be little privacy harm if someone got ahold of your users’ IP addresses, that does not mean that those IP addresses are not personal data.
It just means that this data may not require the same level of data protection as more sensitive personal data like your users’ credit card numbers.
GDPR Rights and Requests Forms
Access to personal data
Under the GDPR ruling, data subjects have the right to access their personal data. You can post a request to support@scripted.com and we will provide the data we store.
Correct data
If you feel your personal data is incorrect, you can post a request to support@scripted.com with information regarding the data to be corrected. We will process the needed changes or will notify data controllers on the subject (in case you are not our customer yet).
Restrict processing
You can request restriction of the processing of your personal data by emailing support@scripted.com.
Delete or object personal data
We will respect requests to delete personal data or to object to processing; both will be handled by deleting your personal data from our service in 30 days. Make your request to support@scripted.com.
Transfer data
Under GDPR, if you need to transfer data to another processor or controller, we can provide you with a copy of the personal data we have.
EU-US Privacy shield related
If you have any questions related to the transfer of data between EU-Swiss and US or to the EU-US Privacy Shield regulation, please reach out to support@scripted.com and we will get back to you in a timely manner.
Data Processing Agreement (DPA) sign up
You can request to sign a DPA via support@scripted.com; it will be submitted via an electronic signing service. Please provide your name, title and email of the signee in the description and we will contact you.
Privacy Shield and Data Transfer
Scripted is currently in the process of completing compliance applications with current EU and EEA data protection laws as they stand today regarding onward transfer of data subject information to a data processor.
Such laws are represented by the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EEA to the United States. Privacy Shield was designed with many of the privacy concepts that are in GDPR in mind.
You can view a description of how we comply with the Privacy Shield Principles in our Privacy Policy. To learn more about the Privacy Shield Framework and the scope of our participation, visit the U.S. Department of Commerce website.
Privacy Shield will allow Scripted to meet the current privacy requirements of Europe for onward transfer by ensuring the following privacy principles:
- Notice
- Choice
- Accountability for Onward Transfer
- Security
- Data Integrity and Purpose Limitation
- Access
- Recourse, Enforcement and Liability
Data we collect
There are two types of personal data stored and processed within our service. First is the data of Scripted customers collected in multiple ways, mostly during sign up for our services as a trial on our website. This data includes customer contact name, email, organization name and could include phone number or social accounts (if included). Any other information could be gathered during sales, marketing or support activities to identify and provide the best solutions for the customer’s needs.
We also gather "navigational data" about customer or prospect behaviour on our websites in order to improve our service. For more information on the type of data we collect, you can read our Privacy policy.
We are collecting and processing your personal data under the "Legitimate interest" clause from GDPR regulation, as this data is needed in order for us to provide services, customer support, and billing operations.
Profiling of data
We are profiling customers' data in order to better provide and improve our service. This refers to information about your computer and your visits to, as well as the use of the Service and this website such as your IP address, geographical location, browser type, referral source, length of visit and pages viewed.
In certain cases, we can enrich your profile with social contacts, corporate phone numbers, and organization details. Such profiling and enrichment takes place in semi-automatic mode, in which part of the process occurs automatically and part is performed by humans.
Processing of personal data
Our customers use the Scripted Service to create communication campaigns in order to reach out to or nurture prospects for sales, marketing, or customer success purposes.
When creating, managing, and running such campaigns we process and store personal data on behalf of our customers.
Scripted does not control the content of campaigns (text, email, or other communications templates) or the types of information that our customers may choose to collect or manage using the Scripted Service.
That information belongs to them (as controllers) and is used, disclosed and protected by them according to their privacy policies as stated in our Privacy Policy.
We are committed to helping our customers adhere to privacy laws and regulations to the greatest possible extent.
During the processing and storage of customers’ data, we can help them comply with regulations by providing tools and dedicated processes that help respect data subject rights (such as request forms) and provide secure storage and access to data.
We also process personal data of our direct customers in order to provide them services, process payments, resolve customer success issues, etc. During the period of our service usage, the data processed by our service and other processors is needed to provide the best possible experience for our customers.
Sub-processors
Is Scripted using sub-processors? Yes, for providing certain features and handling data in the cloud, Scripted.com relies on a list of sub-processors. We can provide a list of these and their data protection policies on request.
Legal communication and Contacts info
Scripted Data protection officer: Kevin O'Connor (kevin@scripted.com)
EU representative for GDPR and privacy related topics: Kevin O'Connor (kevin@scripted.com)
For all legal communication not related to privacy and security questions please contact us at support@scripted.com
Contact Authorities
Under GDPR rules, data subjects (regarding controllers or processors) have the right to complain to authorities if they feel their rights have been neglected. To file a complaint, please see the contacts below:
Data Protection Commissioner Ireland via this link
For EU-US and Swiss-US privacy shield independent recourse mechanism, or to file a complaint, please contact our partners at www.bbb.org/EU-privacy-shield/for-eu-consumers