1. GDPR Introduction

GDPR is short for the General Data Protection Regulation that went into effect on May 25, 2018. Its purpose is to support privacy as a fundamental human right and therefore give EU residents rights over how their personal data is processed or otherwise used.

1.1 GDPR rights

The rights of each EU resident under the GDPR, and how you can exercise those rights with respect to Core dna, are:

  • Right of access: You, or your customer, can ask us what personal data is being processed (used), why and where.
  • Right to rectification: If you, or your customer, want to correct, revise or remove any of the data we retain on you - as explained in our Privacy Policy - you may do so at any time.
  • Right to be forgotten: If you, or your customer, need to cancel your Core dna account at any time, we will permanently remove your account and all information associated with it.
  • Right to restrict processing: If you, or your customer, believe your personal data is inaccurate or collected unlawfully, you may request limited use of your personal data.
  • Right of portability: We provide you with the ability to move any of your account data to a third party at any time.
  • Right to object: If you, or your customer, decide that you no longer wish to allow your data to be included in our analytics or for us to provide personalized (targeted) marketing content at any time, you may contact us to request removal of this data.

Core dna will provide the necessary mechanism to comply with requests from you, and support you in fulfilling GDPR requests from your customers.

1.2 More background on GDPR

For more information on GDPR, we recommend reading the following items:

  • Guide to the General Data Protection Regulation (GDPR): Accountability and governance - ICO
  • GDPR in 5 minutes - Core dna
  • Forrester on GDPR for marketing – Forrester

2. Core dna's commitment to GDPR compliance

In preparation for GDPR, we formed a core team of leaders from each area of Core dna's business, coordinated by our internal Data Protection Officer (DPO). The representatives in this group were charged with ensuring that all the requirements of GDPR were addressed across all teams. The team met once a week to discuss progress towards GDPR readiness, and has continued to do so following the May 25th 2018 deadline so that we remain fully GDPR compliant today and in the future.

3. What steps are we taking at Core dna?

3.2 Client’s responsibility

It is the client’s responsibility to ensure that the appropriate GDPR information is accessible on their own main website, whether hosted by Core dna or not. It is also their responsibility to treat customer data in accordance with GDPR regulations.

Note: Items such as 3rd party cookies and relevant disclaimers, which are outside the control of Core dna, fall under the ePrivacy Directive (aka Cookie Law).

3.3 Third-party vendors audit

We have completed an audit of all third party vendors and have validated their GDPR compliance.

3.4 Data subprocessing

Core dna uses the following subprocessors for certain data, only where necessary:

Service / Vendor          |                             | Entity Country
New Relic                 | Software service provider   |
                          | Software service provider   |
Oracle, Dyn               | Software service provider   |
StackPath, LLC            | Software service provider   |
Amazon Web Services       | Data hosting                |
Slack Technologies, Inc.  | Software services provider  |
SharpSpring, Inc.         | Cloud marketing provider    |
Google, Inc.              | Analytics service provider  | USA, Ireland

Note: This information is for educational purposes to demonstrate how Core dna engages with third-party systems. It should not be interpreted as offering any additional rights or binding agreements.

4. Data controls

All client data belongs to the client. This includes, but is not limited to, user information, contents of applications, and settings that are on the Core dna system. We know that you’ll want to provide the same level of GDPR compliance to your customers as we do to you. We make it easy to support your customers and give them the ability to access, handle, and delete their personal data. We also ensure that all of your data – and your customers’ data – is easily exportable in a commonly used and computer-readable format.

4.1 Data that is at rest on Core dna

Certain types of data may rest at Core dna for different lengths of time. For example, when an order is made, its data must be stored until the order is delivered successfully, and then for a set amount of time afterwards to support customer service. After this period, the data can be safely anonymized.

Core dna can assist in the auto-anonymization of user information in accordance with the client’s policies.

5. Server logging

Server logs are used for security and performance monitoring as well as for billing purposes. Logs are not shared with any third-party partners, processors or vendors, outside of those listed in 3.2. A typical server log contains the IP address, the page requested and the browser’s User Agent. Log information is retained for 12 months.

GDPR gives individuals the right, in certain circumstances, to ask that their personal data be erased, or that a company restrict the processing of their personal data.

"Personal data" means any data that can be used to identify an individual, including:

  • Name
  • Address
  • Email
  • IP address
  • Credit card number

Personal data does not include information that is purely financial and cannot be linked to an individual, such as:

  • How many times a specific product has sold
  • How much revenue your store has made

Core dna can assist in the removal of user information in accordance with the client’s policies.

6. Breach management

As part of our Information Security policy, we already have management and communication processes in place in the unlikely event of a data breach; we’ve updated these to further comply with the GDPR regulations for notification and reporting.

7. Further information

We know that navigating GDPR can seem daunting at times, but we’re here to help. If you have any questions or concerns regarding how we protect your personal data, please don’t hesitate to reach out: 

  • Name: Dennis Westphal
  • Title: Data Protection Officer
  • Email:

Last updated: Tuesday, March 19th 2019