Skip to main content

SENDBIRD – DATA PRIVACY FRAMEWORK NOTICE

Sendbird, Inc. (“Sendbird” “we” “us” “our”) has self-certified its compliance with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”), and the UK Extension to the EU-U.S. DPF (“UK Extension”), collectively (the “DPF”).

This Data Privacy Framework Notice describes our compliance with the specific requirements of the DPF. For a complete statement of our privacy practices, please see our General Privacy Notice. For the purposes of this Data Privacy Framework Notice, all references to PII and personal information in our General Privacy Notice and its supplements are deemed to be references to personal data.

We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF (UK-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to: (i) the EU-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF; and (ii) the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF (collectively, the “DPF Principles”). If there is any conflict between the terms in this DPF Notice and the DPF Principles, the DPF Principles shall govern. To learn more about the DPF, and to view our certification, please visit https://www.dataprivacyframewo...; We process personal data as a controller (who determines the purpose and means of processing) or processor (who acts upon the written instructions of the controller).

Notice of Privacy Practices: Controller

Our General Privacy Notice sets forth our privacy practices when we act as a data controller, including:

  • The types of personal data collected;
  • The purposes for which we collect personal data;
  • The type of third parties to whom we disclose personal data;
  • The right of individuals to access their personal data; and
  • The choices and means we offer for limiting use and disclosure of personal data.

Notice of Privacy Practices: Processor

When we act as a data processor, our customers determine the types of personal data collected, and the practices relating to the collection and use of such personal data. Our rights and obligations as a processor are set out in a written data processing agreement (“DPA”) executed between us and our customer. We process personal data in accordance with applicable law and the instructions provided by our applicable data controller customer. Our customers, as data controllers, are responsible for ensuring that they:

  • Have a lawful basis for processing the personal data provided or made available to us;
  • Have provided appropriate notices to data subjects as required under applicable law;
  • Have the right to transfer personal data to the United States;
  • Provide responses to requests from data subjects with respect to their personal data; and
  • Have otherwise complied with applicable laws relating to the processing of personal data.

When we act as a data processor, we disclose personal data:

  • To third parties (including our affiliates and sub processors) for the purpose of performing our services and / or operating our business;
  • To third parties at the request of our customer; and
  • When required to do so pursuant to law or in response to lawful request from government authorities, including in response to national security, government interests, or law enforcement requests.

Onward Transfers of Personal Data

When transferring personal data to a processor (or sub processor) pursuant to the DPF (an “Onward Transfer”), we:

  • Require the processor to enter into a written DPA;
  • Require the processor to process the personal data for only limited and specific purposes defined in the DPA;
  • Take reasonable and appropriate steps to ensure that the personal data is processed in a manner consistent with the DPF Principles;
  • Require the processor to notify us if the processor determines that it can no longer meet its obligations under the DPF Principles;
  • Take reasonable and appropriate steps to stop and remediate unauthorized processing; and
  • Will provide a summary or representative copy of the relevant privacy protections in our agreements with our processors to the Department of Commerce upon request.

We remain liable under the DPF Principles if our processor or any other party to whom our processor transfers personal data processes personal data in a manner not consistent with the DPF Principles, unless we demonstrate that we are not responsible for the unauthorized processing.

Data Security

Our General Privacy Notice contains a description of the measures we employ to protect the confidentiality, integrity, and availability of personal data we process.

Recourse, Enforcement, and Liability

We have established internal mechanisms to verify our ongoing adherence to the DPF Principles and the other requirements described in this Data Privacy Framework Notice and our General Privacy Notice. We also are subject to the investigatory and enforcement powers of the U.S. federal government, including the U.S. Federal Trade Commission (“FTC”). EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the DPF should first contact us at: privacy@sendbird.com or through one of our other contact methods described below.

In compliance with the DPF Principles, we commit to refer unresolved complaints concerning our handling of personal data received in reliance on the DPF to JAMS, an alternative dispute resolution provider which has locations in the United States, EU, the UK and Switzerland. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Under certain conditions, a binding arbitration option may be available to you in order to address complaints not resolved by any other means. For further information, please visit the DPF site at: https://www.dataprivacyframework.gov

Changes to this Notice

This Data Privacy Framework Notice may be amended consistent with the requirements of the DPF. When we update this Data Privacy Framework Notice, we will also revise the "Last Updated" date at the top of this document.

Questions or complaints. If you have any questions, concerns or complaint regarding our privacy practices, or if you’d like to exercise your choices or rights, you can contact us by email at privacy@sendbird.com.