General Data Protection Regulation (GDPR)

Updated September 29, 2023

 

Contents

  1. Introduction to the GDPR
  2. Your rights under GDPR
  3. Clari's commitment to protecting your Personal Data
  4. Role of Clari as a Data Controller
  5. Role of Clari as a Data Processor
  6. Clari EU representative
  7. List of sub-processors


1. Introduction to the GDPR

The General Data Protection Regulation (GDPR) is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU-based residents. It is the most comprehensive EU data privacy law in decades and has been in effect since May 25, 2018.

Besides strengthening and standardizing user data privacy across the EU nations, it imposes new or additional obligations on all organizations that handle EU citizens' personal data, regardless of where the organizations themselves are located.

GDPR is intended to offer protections for you or any identifiable natural person (the "Data Subject") regarding your information (your "Personal Data"). You, as a Data Subject, have broad rights, whether you are identified directly or indirectly through the interaction context in which your information was captured.


2. Your rights under GDPR

2.1 Consent

Under GDPR, you opt in to have an organization (the "Data Controller") process your Personal Data. Data Controllers must obtain your consent before they can process your data.

2.2 Special categories of data

Unless specifically authorized, GDPR prohibits processing of certain special categories of data such as race, ethnicity, political and religious beliefs, sexual orientation, and genetic and biometric data. Clari does not acquire or process any data belonging to these categories.

2.3 Right of access

If you consented to a Data Controller processing your Personal Data, you may then request the following:

  • A copy of the Personal Data undergoing processing
  • Purpose of processing (in particular, if automated decision-making or profiling takes place, and if so, the logic involved, significance, and likely consequences of such processing)
  • Categories of data processed (e.g., name, address, online browsing behavior)
  • Any third-party recipients of this Personal Data, both backward- or forward-looking, especially recipients in third-party countries (i.e. countries outside of the EU)
  • Any third-party sources of Data Subject's Personal Data (i.e. not collected from the Data Subject directly, for instance by purchasing said data from another source that previously collected the data directly)
  • How long such Personal Data would be stored or, if that's not determinable, how the length of this period would be determined
  • Data rectification
  • Data erasure
  • Restriction of data processing
  • Objection to data processing

2.4 Right to rectification

You, as a Data Subject, have the right to have any errors or inaccuracies in your Personal Data corrected. Your Data Controller shall implement such requests without undue delay.

2.5 Right of erasure

You have the right to have your Personal Data erased or forgotten. Your Data Controller shall remove your Personal Data and confirm deletion via a notification to you. Data Controllers are also required to maintain these transactions.

2.6 Right to data portability

You have the right to have your Personal Data exported and provided to you in complete form.

2.7 Breach notification

If a data breach occurs and your Personal Data is compromised, your Data Controllers are required to notify you within 72 hours.


3. Clari's commitment to protecting your Personal Data

Clari is committed to partnering with its customers and users to ensure that Clari is fully compliant with the requirements of GDPR. Clari recognizes your rights under GDPR and will ensure that these rights are honored, and your Personal Data is protected. Clari's product and security teams are continuously working to ensure Clari's product offerings and contractual commitments are in line so our customers, prospects, users, and others that interact with Clari maintain compliance with applicable Data Protection Laws.

Measures to achieve this include:

  • A new Data Processing Addendum
  • Additional investments in our security infrastructure
  • New clarity on procedures for consent, data portability, and privacy preference inquiries

We'll also continue to monitor the guidance around GDPR compliance from privacy-related regulatory bodies and will adjust our plans accordingly if it changes. We'll provide you with regular updates along the way so that you're always current.

3.1 Our security infrastructure and certifications

Protecting our customers' information and their users' privacy is extremely important to us. As a cloud-based company entrusted with some of our customers' most valuable data, we've set high standards for security. Clari has received internationally recognized security certifications for ISO 27001 (information security management system). Clari also undergoes an annual SOC 2 Type II audit, the report of which is available in our security portal.

If you would like to learn more about Clari's security policies and procedures, please see our security page.

3.2 International data transfers: contractual terms

To comply with EU data protection laws around international data transfer mechanisms, Clari utilizes the European Union Model Clauses, also known as Standard Contractual Clauses, to meet adequacy and security requirements for our customers who operate in the EU.


4. Role of Clari as a Data Controller

Your Personal Data may enter Clari's processing scope in multiple ways. Based on how your Personal Data is consented to, who has control over the data and has responsibility for protecting and administering your rights, Clari is either a Data Controller or a Data Processor. This section describes Clari's role as a Data Controller and explains how you can interact with Clari in that role.

When you interact with Clari via its marketing and sales development outreach programs as a website visitor, as a webinar participant, or by downloading assets, Clari is the primary Data Controller from a GDPR perspective. In these cases, Clari is responsible for obtaining your consent and providing means for exercising your data rights.

4.1 Personal Data

  • Personal Data you submit during registration, such as your name, email, phone number, and your address.
  • Any other Personal Data that Clari obtains via sources to which you have already provided consent. Clari may use data from these sources for data identification and enrichment. As an example, if you provided only email and company name to Clari, Clari may use another service to identify your business contact phone or your title, so long as such information was submitted by you to the third-party service.

4.2 Consent

  • When you interact with web forms and similar registration pages at Clari's website (or partners that we collaborate with), we will request explicit consent prior to you submitting your Personal Data.
  • When sales development representatives contact you, you provide information to us, and you consent to our using the information we obtained from you.
  • When your colleague from your organization volunteers your Personal Data to us via email or other information channels. We will follow up to obtain consent using the email provided to us or we will indicate in our email communication that we do not yet have consent but you provide us consent to continue our use of your Personal Data.

Clari also ensures that any additional data it procures from third-party services is obtained by that third party after obtaining your consent.

If you previously provided consent to Clari to collect your Personal Data, you may choose to withdraw that consent at a later point. Please send an email request to privacy@clari.com and we will implement the request and provide a confirmation of your consent withdrawal via a reply email to your email address. The acknowledgement email will also describe the consequences of withdrawing your consent.

4.3 Privacy preferences

During the course of your registration process, we may offer certain preferences that control privacy of your data. Additionally, some registration processes may offer submission of certain data as optional items. You may choose not to provide optional data, but if you do provide them, Clari will track your submissions. Additionally, Clari will honor your choices and will ensure that these preferences and optional data are part of the data that you have access to via GDPR framework-based requests.

4.4 Onward transfers

Clari does not sell your Personal Data to any other third-party organization. Clari also does not transfer the rights to your Personal Data to any other party, nor does it use the data for anything other than the original intent. Any transfer to a third party is solely intended for the processing of data, and Clari has secured agreements with downstream Data Processors to protect Personal Data and enforce GDPR data rights for you.

4.5 Data subject access rights

4.5.1 Data access

As part of GDPR you have the right to request all Personal Data about you to be made available to you. We will provide information about whether any data was transferred to any other third party.

4.5.2 Data erasure, accuracy, and portability

You may submit a request to delete all data about you. Clari will comply with this request, but will use your email to send a confirmation notice that we performed the requested action.

  • Update Personal Data: You may submit a request to update Personal Data that we have about you. Clari will perform this and will use your email to send a confirmation notice that we performed the requested action. If the email address itself was requested to be changed, Clari will send a confirmation to both the old and new email.
  • Request an export of all your data for data portability: You may also submit a request for an export of all your data for data portability. Clari will provide this information via a CSV or JSON file. Such a report will include metadata such as when particular data was added, any updates to the data, etc., i.e., an audit trail of the data.

To submit a request pursuant to any of the above, please complete the request form and a member of the privacy team will respond to you.

4.5.3 Data breach notification

If your Personal Data was compromised via a breach, we will notify you within 72 hours using all contact methods we have for you. This includes any breach that was caused by a Data Processor that Clari has authorized to process your data.

4.5.4 Filing a complaint

Clari has put in place best-in-the-industry processes for providing you with the rights to your Personal Data per GDPR guidelines. In the event that you are not satisfied with our resolution of your requests, you have the right to file a complaint. Please submit a request to file a complaint. You also have the right to file a similar complaint with a supervisory authority for the jurisdiction you are in and seek appropriate remediation.


5. Role of Clari as a Data Processor

Your Personal Data may enter Clari's processing scope in multiple ways. Based on how your Personal Data is consented to, who has control over the data, and who has responsibility for protecting and administering your rights, Clari is either a Data Controller or a Data Processor. This section describes Clari's role as a Data Processor and explains how you can interact with Clari in that role.

If we are processing your Personal Data on behalf of your employer or the organization, you may submit a request and Clari will forward the request to your employer. Any final action on the request will need to be approved by the employer (the Data Controller). Clari will assist the Data Controller in expeditiously completing the request.

5.1 Consent

When Clari processes and displays your Personal Data, that data was acquired from your employer or organization that you interact with. If it is Personal Data that you submitted to your employer, you provided consent to your employer for that data for their business purpose. If it is Personal Data that Clari's customer obtained in the process of conducting business with you or your employer, they rely on your consent to use the data for business purpose. As an example, if you are a purchaser of a product from Clari's customer, your relationship to our customer would be that of a vendor, and in furthering that relationship, our customer would have acquired your Personal Data.

To withdraw an earlier consent that you provided, contact your employer or the organization to which you provided the original Personal Data. Clari will not be able to alter your consent as we are not the Data Controller.

5.2 Data access

To request your Personal Data, please submit a request. For data processed by Clari, we will forward your request to your employer (the Data Controller), who will then initiate a request to provide that information. Since Clari's role is only that of a Data Processor, Clari will not be able to provide your Personal Data directly.

5.3 Data breach notification

In the event of a data breach, Clari, as a Data Processor, is required to notify your employer/organization that there was a data breach. Your organization will then notify you regarding the breach, its impact, and potential remedies. Clari will not notify you directly.

5.4 Data erasure, accuracy, and portability

To request an export, erasure, or update of Personal Data held by Clari, please submit a request. We will forward your request to your employer/organization, who will then initiate a request to Clari to complete it. Since Clari's role is only that of a Data Processor, Clari will not be able to perform these actions directly.

5.5 Filing a complaint

For filing a complaint related to personal data processed by Clari, use the complaint portal/form of your employer or organization (the Data Controller). Clari will assist the Data Controller in resolving the complaint but will not take any action until and unless such action is authorized by the Data Controller.


6. Clari EU representative

Individuals and data protection supervisory authorities in the EU and the UK may contact our data protection representatives according to Article 27 of the EU and UK GDPR:

EU: DP-Dock GmbH, Attn: Clari Inc., Ballindamm 39, 20095 Hamburg, Germany 
UK: DP Data Protection Services UK Ltd., Attn: Clari Inc., 16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom
www.dp-dock.com
clari@gdpr-rep.com


7. List of sub-processors

Clari as a Data Processor has engaged the services of the following sub-processors. Some or all of your Personal Data may be transferred to them. All such transfers are governed by Master Service Agreements and GDPR agreements (via Data Processing Addendum) that establish the scope of processing as well as legal basis for such processing. Clari requires its sub-processors to perform the specified processing only for the purposes of delivering the services that are part of the agreement. To learn more about the GDPR initiatives of our sub-processors, please click on their names in the table.

| Sub-processor | Location | Category | Purpose | Data exported |
|---|---|---|---|---|
| Amazon Web Services, Inc. | USA | Service provider | Provides cloud-based hosting, storage, and processing services | All account information, data generated through the use, and/or necessary for the provision of Clari Services. Audio and Video recordings are also stored in and served from AWS |
| AssemblyAI | USA | Service provider | Speech-to-text transcription provider | Audio recording files from B2B web calls |
| Clearbit | USA | Service provider | Data enrichment based on the contact email address; Clearbit provides further detailed information about the user (e.g. first name, last name, job title, location, etc.) | Contact email address |
| Courier | USA | Service provider | Provides Clari users with the ability to subscribe and receive notifications for various use cases (such as subscribing to field updates of specific opportunities of interest), with full notification configuration and management options | Depending on communication channel selected, may include contact information (such as name, email, mobile number, company, and job title) or technical usage and telecommunications data (such as language preference, IP address, or device ID) |
| Deepgram | USA | Cloud infrastructure and storage | Speech-to-text transcription provider | Audio recording files from B2B web calls |
| Datadog | USA | Analytics | Application performance management tool used for troubleshooting and analysis | Infrastructure usage analytics data |
| Fivetran | USA | Data extraction and loading platform | Data extraction and loading platform for Groove to transfer various data sources to a central repository | Names, email addresses, email subject lines, phone numbers, and call recordings (dialer users) |
| FullStory | USA | Analytics | Provides insight on user navigation behavior to product management, design, and customer success teams | Clari obfuscates PII and all customer data prior to Fullstory processing |
| Google Cloud | USA | Cloud infrastructure and storage | Data warehouse and speech-to-text transcription provider | All account information, data generated through the use and/or provision of Wingman Services, audio recording files from B2B web calls |
| Gainsight, Inc. | USA | Service provider | Customer health scoring to forecast churn rates and customer communications | Customer name and email address |
| Heap | USA | Analytics | Digital insights platform that gives you complete understanding of your customers' digital journeys so you can quickly improve conversion, retention, and customer satisfaction | Internet protocol (IP) address, operating system, browser type, browser ID, URLs visited and the referring page/campaign, date/time of visits, time spent on services, and any errors that may occur during visits |
| Intercom | USA | Customer support | Messaging-based platform for providing online web support for customers | First and last names; email addresses; phone numbers; avatars; company name; your role in your company; operating system type, version number, manufacturer, and model; browser type; screen resolution; IP address; unique device identifiers |
| Knowlarity | USA | Service provider | Speech-to-text transcription provider | Audio recording files from B2B web calls |
| LaunchDarkly | USA | Service provider | Feature management for products | Email addresses; internal account IDs |
| MailChimp | USA | Service provider | Customer communications | First and Last name; User name; Email address |
| Microsoft Azure | USA | Service provider | Artificial Intelligence analysis and insights | First and Last names; Meeting transcript |
| Mixpanel | USA | Analytics | Provides usage metrics for Clari application | All emails of customers who log into the Clari application |
| MongoDB | USA | Service provider | SaaS solution used only for cloud-based hosting and storage | Stores configurations (saved views, forecast templates, feature flags, etc.), activity-related data (emails, calendar-related data), and data science data |
| Okta | USA | Service provider | SSO/identity management | Full name, email address |
| Pendo | USA | Service provider | Pendo in-app guides allow product teams to highlight new features, drive desired behavior, and provide in-context support across all screens and devices, and personalized guidance offers users help when and where it's most needed; it simplifies the user experience and improves overall usability of a product experience and is also used to collect survey responses | User data: email, name, role, user org name |
| PubNub | USA | Service provider | Real-time messaging bus service; Clari uses PubNub to securely synchronize signals in its infrastructure backend and for secure message exchange in Clari Connect | Only the Clari user ID; for customers who are still using Connect, incidental personal data (via the chat form) may be sent to PubNub |
| Salesforce | USA | Service provider | Stores merchant contact information as well as other supporting information about the business relationship | Name, email, title, company name, account, location, and, based on config, some inferred metadata; activity metadata like subject, body, email time, and meeting start and end time |
| Snowflake | USA | Service provider | Stores merchant contact information as well as other supporting information about the business relationship | Name, email, title, company name, account, location, and, based on config, some inferred metadata; activity metadata like subject, body, email time, and meeting start and end time |
| Sumo Logic | USA | Service Provider | Application and security logging | Names, email addresses |
| Twilio | USA | Service provider | Enables SMS to customers in order to send link to download mobile app | Phone number |
| VoiceBase | USA | Voice-to-text transcription service | Phone call transcription | Phone numbers of prospects/contacts called via Groove Dialer if conversation intelligence is enabled |

Clari will notify your GDPR and/or administrative contact if we add any new sub-processors to the list above. For additional details, please review Clari's Data Processing Addendum.
