Highspot Privacy

Highspot and GDPR


GDPR (General Data Protection Regulation) is the most comprehensive EU data privacy law to date. Besides strengthening and standardizing user data privacy across EU nations, it will require new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located.

At Highspot, we maintain the highest standards for customer and user data privacy and we adhere to all local and regional regulations with full compliance. GDPR introduced new requirements and restrictions and we have taken appropriate actions to ensure that we continue to handle all customer data in compliance with applicable laws related to GDPR.

Highspot’s Commitment to Data Protection


At Highspot, nothing is more important than the success of our customers using the Highspot platform and the protection of their data. Highspot continues to focus on data protection as a key pillar of our values.

Highspot’s back-end is hosted on Amazon Web Services (AWS), the leading cloud infrastructure platform in the industry. AWS has an extensive set of industry standard certifications with regular auditing to ensure compliance, including:

  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II)
  • SOC 2 Type II
  • SOC3
  • PCI DSS Level 1
  • ISO 27001
  • ITAR
  • FIPS 140-2

All Highspot customers benefit from:

  • Data encryption in transit – Data is encrypted using TLS in transit
  • Data encryption at rest – Data is encrypted on servers using AES-256
  • Strong authentication controls – Enforced complexity requirements, two-factor authentication, IP address restrictions and forced resets, as well as optional single sign-on support
  • Role-based access controls – End user viewing, access & uploading permissions
  • Administrative auditing – Manage users, groups, and access permissions, and audit user activity

GDPR Compliance


To ensure all GDPR compliance requirements have been satisfied, we conducted a comprehensive analysis of all Highspot data practices as it relates to EU customers including data consumption, data processing and data storage within the Highspot platform. Through our compliance work, we have created new processes and procedures to meet GDPR requirements. Specifically, these include:

Information use that’s fully transparent
GDPR requires organizations provide information about the way an individual’s information is used

More visibility into processing
Under GDPR, every individual must be able to access a copy of their personal data and know where it’s being processed

The right to be forgotten
Under GDPR, individuals have the right to ask the organizations they work with to delete their personal data

Highspot’s Data Processing Agreement outlines the processes and procedures needed to fulfill GDPR requests when they are received.

Frequently Asked Questions


What is GDPR?
General Data Protection Regulation (GDPR) is a new European privacy law designed to protect and secure the personal data of EU residents and grants those persons specific rights to data, such as the right to access and erase their data.

What information does GDPR apply to?
GDPR applies to ‘personal data,’ which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

Does GDPR only apply to EU organizations?
GDPR applies to processing carried out by organizations operating within the EU. It also applies to organizations outside the EU that offer goods or services to individuals in the EU.

How will GDPR impact my organization?
If your business collects, stores, or uses personal information about European residents, whether as a prospect, customer or an employee of your organization, then GDPR will apply.

How is Highspot GDPR compliant?
Our teams have conducted a thorough analysis of how data is consumed, processed, and stored within Highspot’s platform and have created processes to execute GDPR requests. Highspot’s Data Processing Agreement outlines the processes and procedures needed to fulfill GDPR requests if/when they are received.

What role does the Highspot platform play in GDPR?
The Highspot platform processes personal data on behalf of a data controller — the Highspot customer who collects data directly from the data subject and defines how and for what purpose personal data is processed. Therefore, the Highspot platform acts as a data processor that allows data controllers (Highspot customers) to interact with the data subject’s data. Highspot created processes and procedures to execute data subject’s requests to a data controller.

If you have additional questions, please email privacy@highspot.com.