The European Union General Data Protection Regulation (GDPR) is a regulation that aims at unifying EU member state data privacy regulations into a single regulation, enforced on the EU single market. This article describes the GDPR compliance status of Crisp.

If your company needs to ensure it is GDPR-compliant, it also needs to ensure its providers (ie. Crisp) are GDPR-compliant. Crisp is GDPR-compliant, and strictly enforces the regulation to protect the user data we store.

Crisp and GDPR (in 12 points)

The GDPR regulation can be reduced to 12 important points. For each point, we explain how Crisp handles its compliance.

Also, please note that all Crisp providers have been checked to be GDPR-compliant (Cloudflare, DigitalOcean, Stripe).

1. Awareness

All employees responsible for software development & infrastructure maintenance at Crisp IM SARL (the owner company for Crisp) are fully aware of the GDPR requirements.

2. Information we hold

Crisp stores data on 2 kinds of parties:

1. Our users (ie. the operators using the Crisp Dashboard replying to their customers)
2. Our users' end-users (ie. the customers of our users)

Crisp does not share, or resell, any kind of user data (whether data described in point 1 or 2 above). The data is not used for advertising (both 1 and 2) or analytics (on 2).

2.1. Information held on our users

Crisp collects account information for each user, including:

User first and last name, and profile picture
User payment details (includes invoicing information, eg. company address and country — the credit card number is stored by Stripe)

We don't log user activity, except for system logs that are solely used for debugging and software development purposes and retained for a maximum of 1 year.

2.2. Information held on our users' end-users

Information held on our users' end-users includes:

End-user email address (if provided by end-user, thus involving a consent)
End-user phone number (if provided by end-user, thus involving a consent)
End-user message exchanges
End-user last activity date and time
End-user profile information (resolved from public data shared by end-user on the Internet, see notice below)

Crisp resolves end-user identity information (first and last name, avatar, company) from external APIs. Those external APIs source this data from public information that the end-user consented to share (eg. on social networks such as LinkedIn). This end-user identity information is stored on Crisp services, for as long as the Crisp user wishes them to be stored in their Crisp CRM database.

The information held on our users' end-users is solely the responsibility of our users (ie. the individual websites using Crisp). It is the responsibility of our users to manage the data they hold in their personal Crisp Inbox and CRM, ie. to remove sensitive data if someone happens to share it with them (eg. Social Security Numbers, etc.).

3. Communicating privacy information

Crisp users' privacy terms are clearly communicated in our Privacy information.

Crisp users' end-users' privacy terms are the sole responsibility of Crisp users. They should be announced on the Crisp users' websites.

4. Individuals’ rights

Crisp users' rights under GDPR are considered and enforced, including:

Right to be informed: we clearly inform our users of how their data will be used
Right of access: our users can access all their data, without restriction, from the Crisp apps
Right of rectification: it's as simple as contacting us, we'll process all your rectification queries
Right of erasure: it's as simple as contacting us, we'll process all your erasure queries
Right to restrict processing: we don't process the data of our users (and our users' end-users)
Right to data portability: our users may contact us anytime if they wish to get an export of their data
Right to object: we handle all requests on this matter from our users and users' end-users (contact us)
Right not to be subject to automated decision-making including profiling: we don't do that (and never will), period

5. Subject access requests

Crisp replies to all access requests (positively or negatively) under 1 week (the legal limit from GDPR is 1 month).

6. Lawful basis for processing personal data

We don't process personal data, period. Crisp stores user data either on the basis of consent (ie. a conversation), or under our user's responsibility in the event they use our CRM feature.

7. Consent

Consent is provided by our users explicitly when performing an action or task (eg. when they provide user data).

8. Children

Crisp does not offer online services to children, period.

9. Data breaches

Our team closely monitors any unauthorized system access, and has put in place multiple preventive measures to reduce the attack surface on our systems and services. In 2 years, Crisp has had 0 major security issues, with only a few minor ones, which we fixed the same day they were reported (those would not have allowed a hack or data breach). Security researchers and users can submit a security report to an encrypted email address (security@crisp.chat), where we process reports the same day. We also distribute bounties for valid security flaws that are reported to us.

Crisp will notify its users of any data breach, 24h maximum after knowing about it and fixing the flaw. It is then the responsibility of our users to report this data breach to their end-users in due time.

10. Data Protection by Design and Data Protection Impact Assessments

Whenever Crisp develops a new system, security comes first when designing the architecture of that system. Our first goal is to protect the integrity of the new production system, and our second goal is to protect the user data that's being stored and used by that system.

Crisp developers are well educated in software and network security, which has helped us build secure-by-design software over time.

11. Data Protection Officers

Crisp designated a Data Protection Officer, as required by GDPR:

Valerian Saliou, Crisp CTO / lead developer — Email: valerian@crisp.chat

12. International

Crisp may, via its users, process data from individuals from all over the EU.

Crisp's main establishment is in France, thus its supervisory authority is based in France.