Frequently Asked Questions (FAQs) Guide
This FAQs Guide is designed to help our Customers (“Customers”, “you”) better understand Contentsquare’s privacy practices, or assist you when assessing them in accordance with applicable data protection laws. For any question about Contentsquare’s security practices, please refer to the Security Portal here.
If you have additional privacy questions that are not answered in this FAQs Guide, please contact your Sales or Account representative, who will be happy to assist you and coordinate with our Data Privacy Team to ensure that all your questions are answered.
Capitalized terms used in this FAQs Guide shall have the meaning assigned to them in the DPA (here) and MSA (here).
1. When and to what extent does Contentsquare Process Personal Data in connection with the Services?
Contentsquare processes personal data via cookies when Visitors browse on its Customer’s website/apps.
By default, Contentsquare collects from Visitors of its Customers’ website/apps, only the following:
- Personal Data. IP addresses (website only); Online Unique ID; Behavioral Data (e.g. how visitors interacted with the website or app, mouse or touch movements, scrolls, mouse clicks, screen taps or zoom data, time of engagement, etc.); and, only to the minimum extent necessary, additional types of personal data as may be specifically requested by the customer or incorporated as part of the specific ordered services; and
- Technical Data. Which may include pages of a website or app visited, type of computer operating system, type of web browser, JS error, other backend technical data, etc.
For more information, please visit this page.
2. Is Contentsquare a Controller or a Processor?
You will be considered a data Controller and we will be considered a data Processor for providing the services to you.
Contentsquare may also be considered a data Controller in some instances as fully described in our Privacy Policies, including where we Process Personal Data for business purposes (e.g. contract management, billing, administrative, marketing), or internal development purposes.
3. Do we need to enter into a Data Processing Agreement (“DPA”)? Why?
Yes. The DPA establishes the rules under which Contentsquare Processes Personal Data. It deals with the Services provided by Contentsquare and is part of the MSA between Contentsquare and its Customers.
4. Is Contentsquare “GDPR”, “CCPA” (or any other applicable data protection law) certified?
Although there is only one recognized certification mechanism adopted to date and limited to GDPR and organizations based in Luxembourg, we have been ensuring that our privacy practices are compliant with applicable Data Protection Laws, including GDPR and CCPA.
However, Contentsquare is ISO 27701 certified (for both data controller and data processor). This certification demonstrates our maturity, high level of commitment to privacy management and our compliance with the main Data Protection Laws in the world such as GDPR, CCPA and other country-specific legislation (Australia, Brazil, Canada).
5. What is Contentsquare doing to ensure that it is compliant with applicable Data Protection Laws, such as GDPR and CCPA?
Contentsquare has implemented a global privacy compliance program to comply with applicable Data Protection Laws, which includes the following:
- Appointing a network of DPOs and CISOs across the Group;
- Implementing a Data Subject Request portal and procedure;
- Implementing appropriate security measures;
- Implementing policies and procedures (retention, consent, PIA…);
- Embedding a Privacy by design & by default approach in the Solution;
- Signing a DPA with our Sub-Processors and Customers.
6. What is Contentsquare’s data retention policy? Is it customizable?
Personal Data in our Solution is kept for 13 months, so that our customers may view aggregated data retroactively if they so choose. This retention period may be extended upon request.
By default however, IP addresses are deleted after 3 days, and Session Replay data is deleted after 1 month. The IP address and Session Replay retention periods may be extended or reduced upon request.
7. Who is Contentsquare’s Data Protection Officer (DPO) and Contentsquare’s Article 27 Representative?
Contentsquare has appointed the following DPOs to oversee the protection of your Personal Data:
- Global DPO: Content Square Inc., Attn: Global DPO, 53 Beach St New York, NY, 10013-2304 United States. Email to email@example.com.
- EEA DPO: Content Square SAS, Attn: EU DPO, 7 rue de Madrid 75008 Paris, France. Email to firstname.lastname@example.org.
Content Square SAS has been designated as Contentsquare’s representative in the European Union for data protection matters pursuant to Article 27 of GDPR.
8. Do we have additional legal documentation and information about Contentsquare’s privacy and security compliance?
Yes, please see below:
- Contentsquare’s DPA can be found here;
- Contentsquare’s MSA can be found here;
- Contentsquare’s Security Documentation and Compliance Program can be found here;
- Contentsquare Privacy Statement can be found here;
- Contentsquare’s 10 things to know about data processing can be found here;
- The list of Contentsquare’s Sub-Processors can be found here;
- Contentsquare’s Privacy Policies can be found here.
1. Do we use Sub-Processors?
Yes. Contentsquare engages Sub-Processors in order to provide the Services to Customers. These Sub-Processors are affiliates of Contentsquare as well as third-party service providers.
Contentsquare’s current sub-processors are listed here.
As set forth in Section 5.4 of the DPA, Contentsquare has entered into an agreement with each Sub-Processor containing appropriate privacy safeguards and remains liable for the actions of its Sub-Processors.
The use of these Sub-Processors may involve the transfer of Personal Data to those organizations. For more information, please refer to the International Data Transfers/Processing section below.
2. How do we notify you of a new Sub-Processor?
We will notify you 30 calendar days prior to using our intended new Sub-Processor. Please subscribe here if you want to be notified.
International Data Transfers/Processing
1. Do we Process EU/UK personal data outside the EU/UK?
Yes. We may Process EU/UK Personal Data outside the EU/UK solely for providing the Services to you. Such Processing may include access by our Affiliated Companies outside the EU/UK for the purpose of providing our follow-the-sun 24/7 support to our Customers. However, EU/UK Customer’s Data would be accessed only and not stored in these regions (Data will remain stored in the EU).
2. What type of transfer mechanism do we provide for Contentsquare services?
Contentsquare relies on appropriate data transfer safeguards, such as adequacy decisions and the new Standard Contractual Clauses, as applicable to transfers from the EU and UK.
The DPA between you and Contentsquare incorporates by reference, where applicable, the new EU and UK Standard Contractual Clauses for each type of data processing performed by Contentsquare as part of the agreement with our Customers (Controller-to-Controller, Controller-to-Processor, Processor-to-Processor).
3. Where is Customer Data hosted for Contentsquare Services?
This depends on Customer’s location.
For example, the applicable data center region for Customers based in the EU is EU by default and the US for Customers based in the US.
For more information about applicable hosting locations, please visit this page.
4. Is there a way to exclude any Sub-Processor located outside the EU/UK from the data processing for providing the Services in order to avoid transfer outside the EU/UK?
No. Contentsquare is a global SaaS company with resources all around the world supporting all our global Customers under the same standards and terms; therefore, access to Personal Data by our Affiliated Companies is essential in providing our Services and cannot be excluded.
5. Did we implement supplementary measures to protect Customer’s Data?
We understand that Customers need to be reassured about how their Data is protected by Contentsquare when providing the Services to them.
Below is an overview of some of the key technical, contractual and organizational safeguards that Contentsquare implements to protect Customer’s Data:
- hosting EU Customer’s Data in EU data centers;
- encryption at rest and in transit;
- VPN and SSH for technical administrative access;
- ISO 27001 & 27701 certification;
- data minimization controls;
- data masking and IP-less features;
- public authorities access request policy;
- transparency report.
For more information about our commitment to protect our Customer’s Data and our available supplementary measures, please see our Data Transfer Impact Assessments (‘DTIA’) in that regard, which can be shared with our Customers upon request.
6. What are our takes on the Google Analytics & international Data transfer topic?
Although we believe that the measures taken following the Schrems II ruling were sufficient to protect our EU Customers’ Data, we thought it was important to assess the impact of Google Analytics decisions on Contentsquare’s Data Processing activities. As such, our Privacy and Security teams conducted a new DTIA with the support of a reputable international law firm specializing in data protection and US national security laws, in order to assess whether additional measures were necessary. Such DTIAs are available to our Customers upon request.
The CNIL released guidelines (here, in French only) regarding the transfer of Personal Data of EU residents from the EU to the US by audience measurement tools in light of the Google Analytics decisions referenced above. Here are the key takeaways:
- These guidelines do not directly apply to Contentsquare’s practices since our EU Customer’s Data remains stored within our data hosting centers located in the EU;
- Contentsquare considers that the current supplementary measures implemented by Contentsquare (and currently being implemented following our DTIAs) are sufficient and compliant with these CNIL guidelines;
- Our Privacy & Security Teams constantly continue to monitor ongoing developments with regard to data transfer, in order to evaluate whether additional supplementary safeguards are required to ensure compliance with applicable Data Protection Laws.
For more information about the Google Analytics topic, please see here.
Contentsquare’s assistance as a Processor
1. How are Data Subjects’ Requests handled by Contentsquare?
In case Contentsquare receives a request from a Data Subject that identifies as a Visitor of your website/app, Contentsquare will promptly refer such Data Subject directly to you, as the Controller, and will support you with any means available to resolve such request.
Contentsquare has launched a portal for managing Data Subject Requests to help our Customers respond to data subjects within the legal deadlines. Therefore, you can forward any Data Subject Request to Contentsquare via this Data Subject Portal at https://contentsquare.com/privacy-center/data-subject-request-portal/.
2. When are you notified in the event of a Personal Data Breach?
In the event of a Personal Data Breach affecting Customer Data, Contentsquare notifies you without undue delay and no later than 48 hours after becoming aware of it. We cannot commit to a shorter period of time since we need to do our due diligence before communicating on said event to ensure we do not over-communicate on false positives.
1. What types of cookies does Contentsquare use for providing the Services?
Contentsquare uses first-party cookies for analytics purposes. For more information about the purpose and data retention of each cookie used by Contentsquare’s Solution, please see here.
Our cookieless solution, if enabled by Customers, replaces cookie technology with SessionStorage technology, which may fall under the cookies regulation. For more information, please see here.
2. Do applicable Data Protection Laws require a cookie consent banner for Contentsquare’s cookies?
As a Processor, Contentsquare cannot decide for its Customers whether consent is needed or not for the use of its cookies. If you consider that Contentsquare’s cookies should be used on the basis of the Visitor’s consent, you will need to include a cookies consent banner to collect that consent. If you consider this type of cookie as “essential” or “exempted”, then you may be able to skip the cookies consent banner, and use our cookies without Visitor’s consent.
Note if you and/or your Visitors are based in France: although it is still up to Customers to determine and make a decision concerning the lawful basis of their data processing (as Controllers), we recommend obtaining Visitor’s consent unless our "Exemption Mode" feature is properly activated.
1. What are some of Contentsquare’s available privacy dedicated features?
Contentsquare particularly offers the following privacy-oriented features:
- Data Blocking: either enabled by default or implemented by using JS scripts that are dedicated to preventing collection of personal data in our Solution;
- IP-Less: to avoid IP address collection;
- Exemption Mode (France only): to use Contentsquare Solution without Visitor’s consent;
- “Cookieless” solution: replaces cookie technology with SessionStorage technology.
2. How do third-party integration tools apply with Contentsquare?
When you configure Contentsquare to connect with third-party tools (e.g. Adobe Analytics, Google Analytics, etc.), Contentsquare is not directly engaging with such third parties. Therefore it is up to you, as Controller, to ensure that: (i) those vendors are also compliant with applicable Data Protection Laws and to enter into an agreement with them; and (ii) any Data transfer between Contentsquare and such third-party tool is properly regulated in your privacy notice and consent management (as applicable).
The information contained in this FAQs Guide does not constitute legal advice and does not form part of the agreement between the Parties. We recommend that you consult with your own legal counsel in order to obtain advice specific to your own unique situation and how you intend to use the Contentsquare Services.
Feel free to contact Contentsquare’s Privacy Team at email@example.com directly with any additional questions, ideas or concerns.