Privacy Battles

lemlist vs Sendinblue

lemlist Privacy Score: 92%
Sendinblue Privacy Score: 82%

Designated DPO or GDPR correspondent

lemlist:

lemlist has appointed a Data Protection Officer who can be contacted at the following address: privacy@lemlist.com

Sendinblue:

Sendinblue has appointed a Data Protection Officer who can be contacted at the following address: dpo@sendinblue.com

Privacy Policy

lemlist:

Regarding website and cloud: https://www.lemlist.com/privacy-policy

Sendinblue:

Country & Type of Data storage

lemlist:

Company Headquarters: France (EU)

Storage Facilities: Hosting servers are managed by OVH and located in France. Customer support is managed by Intercom in the US.

Sendinblue:

Company Headquarters: France (EU)

Storage Facilities: Sendinblue stores personal data in Ireland, France, Germany and Belgium through several cloud providers (US and European), including AWS and Google.

Data transfers outside the EU

lemlist:

The host servers on which lemlist processes and stores its databases are located exclusively within the European Union.

However, personal data can be accessed for customer support by Intercom from the US. In that specific case, a Data Processing Agreement together with Standard Contractual Clauses has been signed with Intercom.

Sendinblue:

Data is not transferred outside the EU (except for SMS routing, which depends on the location of the recipient).

Sendinblue undertakes to put in place all the necessary guarantees in order to supervise these transfers in compliance with the applicable legislation. To do so, the controller expressly mandates Sendinblue to sign, in its name and on its behalf, standard contractual clauses with sub-processors: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=EN

Legal tools for Subcontractors

lemlist:

Subcontractors are subject to written agreements providing the same level of protection as set out in lemlist's DPA: https://www.lemlist.com/lemlist-dpa

lemlist has made public its list of subprocessors in its DPA: https://www.lemlist.com/lemlist-dpa

Prior to adding a new subprocessor or replacing an existing subprocessor, lemlist informs controllers and gives them 20 days to object.

Sendinblue:

Subcontractors are subject to written agreements to protect personal data according to commercially reasonable confidentiality standards.

Sendinblue has made public its list of subprocessors: https://drive.google.com/file/d/1pApkR8b8daIDgupSEpWhp0gYLftDAwtT/view

Prior to adding a new subprocessor or replacing an existing subprocessor, Sendinblue informs controllers and provides a reasonable deadline for them to object by cancelling their subscription.

Data Breach Notification

lemlist:

lemlist commits to notifying controllers immediately after becoming aware of a security incident, and to cooperate with and support controllers in the investigation, mitigation and remediation of the breach.

Sendinblue:

Sendinblue commits to notifying controllers within 72 hours after becoming aware of a security incident, to assist controllers in fulfilling their notification and communication obligations, and to take appropriate measures to mitigate the possible adverse effects of the incident.

Rights Requests Process

lemlist:

lemlist will notify the concerned controller immediately of any communication received from a data subject relating to its rights and will assist the controller within the scope of its ability to fulfil the request.

Moreover, a recipient's request received by lemlist can be directly processed by lemlist's team after proper verification of the recipient's identity and notification of the controller.

Sendinblue:

Sendinblue will notify the concerned controller of any communication received from a data subject relating to its rights and will assist the controller within the scope of its ability to fulfil the request within the time limit set in the legislation.

Also, controllers are able to answer users' requests via tool features implemented by Sendinblue (rectification, deletion, etc.).

Data Privacy Impact Assessment

lemlist:

lemlist assists controllers in ensuring compliance with their obligations in respect of DPIAs and prior consultation.

Sendinblue:

Sendinblue assists controllers in ensuring compliance with their obligations in respect of DPIAs prior to processing.

Employee Training

lemlist:

lemlist ensures all persons authorised to process personal data are under an appropriate statutory obligation of confidentiality and have received the necessary training in the field of data protection.

Sendinblue:

Sendinblue ensures all persons authorised to process personal data are under an appropriate statutory obligation of confidentiality and have received the necessary training in the field of data protection.

Security Policy

lemlist:

lemlist's security policy is available in its DPA: https://www.lemlist.com/lemlist-dpa

Sendinblue:

Sendinblue doesn't mention having a security policy.

Organizational and Technical Security Measures

lemlist:

Server security: Cloud security relying on OVH and Infosec.

Other measures: Authentication login and password encrypted at rest, data encryption in transit, encrypted backups, secure development policy, security event logging, firewall, security patching, etc.

Sendinblue:

Sendinblue doesn't mention having a security policy.

Data Encryption

lemlist:

Data is encrypted in transit (HTTPS). Only authentication data is encrypted at rest.

Sendinblue:

Data is encrypted in transit (SSL/HTTPS/VPN technology) and at rest when hosted on Google and OVH servers.

Restriction of access

lemlist:

lemlist allows external access to personal data by a limited number of people for the purpose of providing support services.

Sendinblue:

Access to data processed on behalf of Sendinblue by third-party services requires authentication of the persons accessing the data, by means of an individual access code and password that is robust and regularly renewed.

Reuse of data

lemlist:

Personal data is processed by lemlist to analyze and track the various rates (for example: click, open and bounce rates) and the number of emails sent with lemlist.

lemlist doesn't sell, share or rent out recipients' personal data.

Sendinblue:

Recipients' data is used by Sendinblue to track their behavior (opening rates, click rates and bounce rates at an individual level) in order to improve the efficiency of the emailing campaigns.

Sendinblue appears to use recipients' data for retargeting display as well.

Exemption of cookie consent

lemlist:

The recipient's consent is necessary to use the communication services of lemlist, which include recipients' behavior tracking. This is however specified by lemlist in its documentation.

Sendinblue:

The recipient's consent is necessary to use the communication services of Sendinblue, which include recipients' behavior tracking. This is however specified by Sendinblue in its documentation.

Submission to Cloud Act/FISA

lemlist:

YES, customer support managed by Intercom in the US can access personal data on demand.

Sendinblue:

YES, data hosted on AWS servers does not appear to be anonymized or encrypted at rest, and can therefore be accessed by an American intelligence agency on demand.