Sendinblue has appointed a Data Protection Officer who can be contacted at the following address: firstname.lastname@example.org
Hosting servers are managed by OVH and located in France. Customer support is managed by Intercom in the US.
Sendinblue stores personal data in Ireland, France, Germany and Belgium through several Cloud providers (US and European), including AWS and Google.
The host servers on which lemlist processes and stores its databases are located exclusively within the European Union.
However, personal data can be accessed for customer support by Intercom from the US. In that specific case, a Data Processing Agreement accompanied by Standard Contractual Clauses has been signed with Intercom.
Data is not transferred outside the EU (except for SMS routing which depends on the location of the recipient).
Sendinblue undertakes to put in place all the necessary guarantees in order to supervise these transfers in compliance with the applicable legislation. To do so, the controller expressly mandates Sendinblue to sign, in its name and on its behalf, standard contractual clauses with sub-processors: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=EN
Subcontractors are subject to written agreements providing the same protection level as set out in lemlist’s DPA: https://www.lemlist.com/lemlist-dpa
lemlist has made public its list of subprocessors in its DPA: https://www.lemlist.com/lemlist-dpa
Prior to adding a new subprocessor or replacing an existing subprocessor, lemlist informs controllers and provides them 20 days to object.
Subcontractors are subject to written agreements to protect personal data according to commercially reasonable confidentiality standards.
Sendinblue has made public its list of subprocessors: https://drive.google.com/file/d/1pApkR8b8daIDgupSEpWhp0gYLftDAwtT/view
Prior to adding a new subprocessor or replacing an existing subprocessor, Sendinblue informs controllers and provides a reasonable deadline for them to object by cancelling their subscription.
lemlist commits to notifying controllers immediately after becoming aware of a security incident, and to cooperate and support controllers in the investigation, mitigation and remediation of the breach.
Sendinblue commits to notifying controllers within 72 hours after becoming aware of a security incident, to assist controllers in fulfilling their notification and communication obligations, and to take appropriate measures to mitigate the possible adverse effect of the incident.
lemlist will notify the concerned controller immediately of any communication received from a data subject relating to its rights and will assist the controller within the scope of its ability to fulfil the request.
Moreover, a recipient’s request received by lemlist can be directly processed by lemlist’s team after proper verification of the recipient’s identity and notification of the controller.
Sendinblue will notify the concerned controller of any communication received from a data subject relating to its rights and will assist the controller within the scope of its ability to fulfil the request within the time limit set in the legislation.
Also, controllers are able to answer users’ requests via tool features implemented by Sendinblue (rectification, deletion, etc.).
lemlist assists controllers in ensuring compliance with their obligations in respect of DPIAs and prior consultation.
Sendinblue assists controllers in ensuring compliance with their obligations in respect of DPIAs prior to processing.
lemlist ensures all persons authorised to process personal data are under an appropriate statutory obligation of confidentiality and have received necessary training in the field of data protection.
Sendinblue ensures all persons authorised to process personal data are under an appropriate statutory obligation of confidentiality and have received necessary training in the field of data protection.
lemlist’s security policy is available in its DPA: https://www.lemlist.com/lemlist-dpa
Sendinblue doesn’t mention having a security policy.
Cloud security relying on OVH and Infosec.
Authentication login and password encrypted at rest, data encryption in transit, encrypted backups, secure development policy, security event logging, firewall, security patch, etc.
Sendinblue doesn’t mention having a security policy.
Data is encrypted in transit (HTTPS). Only authentication data is encrypted at rest.
Data is encrypted in transit (SSL/HTTPS/VPN technology) and at rest when hosted on Google and OVH servers.
lemlist allows external access of personal data to a limited number of people for the purpose of providing support services.
Access to processing data on behalf of Sendinblue by third-party services requires authentication of the persons accessing the data, by means of an individual access code and a password that is robust and regularly renewed.
Personal data is processed by lemlist to analyze and track the various rates (for example: click, open, bounce rates) and the number of emails sent with lemlist.
lemlist doesn’t sell, share or rent out recipients’ personal data.
Recipients’ data is used by Sendinblue to track their behavior (opening rates, click rates, bounce rates at an individual level) in order to improve the efficiency of the emailing campaigns.
Sendinblue appears to use recipients’ data for display retargeting as well.
The recipient’s consent is necessary to use the communication services of lemlist, which include tracking of recipients’ behavior. It is however specified by lemlist in its documentation.
The recipient’s consent is necessary to use the communication services of Sendinblue, which include tracking of recipients’ behavior. It is however specified by Sendinblue in its documentation.
YES, customer support managed by Intercom in the US can access personal data on demand.
YES, data hosted on AWS servers doesn’t appear to be anonymized or encrypted at rest and can therefore be accessed by an American intelligence agency on demand.