Acceptable Use Policy | Envoy and GDPR | Privacy Policy | User Agreement

Envoy and GDPR

The General Data Protection Regulation (GDPR) is an EU regulation that sets out new standards for the protection and processing of personal data of individuals residing in the EU. The GDPR replaces the current EU privacy standard (known as the EU Data Protection Directive) with a comprehensive regulation to be enforced more uniformly across all EU member states. This legislation is designed to give EU residents more control over, and information about, use of their personal data across digital platforms.  

Envoy is dedicated to protecting the privacy of its customers. Below you will find information about our current practices and our plans related to the GDPR compliance. Envoy may update this page from time to time to reflect changes in our operations and practices.

Data Transfers

The GDPR requires that an adequate transfer mechanism is in place in order to facilitate the transfer of personal data from the European Economic Area (EEA) to the United States.

Is Envoy certified under Privacy Shield?

Yes. Envoy self-certifies under the EU-US Privacy Shield which is a valid transfer mechanism under the GDPR. You can view Envoy’s status on the Privacy Shield website.

Does Envoy sign Standard Contractual Clauses?

Envoy does not sign the Standard Contractual Clauses with customers because Envoy is Privacy Shield self-certified, which is a valid transfer mechanism under the GDPR. You can verify Envoy’s status under Privacy Shield by visiting the Privacy Shield website here.


Envoy values individuals’ privacy and understands the desire and interest in knowing how information about them is collected and used. For transparency and clarity, Envoy has reorganized and updated our Privacy Policy to ensure individuals understand what data we collect and how we use and share it. The Envoy Privacy Policy describes how we collect, use and disclose information that we gather about visitors to our websites; from users of the Envoy software-as-a-service application; and the information we collect when we communicate with customers, users or other individuals related to our services (whether by phone, email, or other method). The Privacy Policy also outlines individuals’ rights and choices with regard to the information collected about them. We encourage individuals to periodically review the Privacy Policy for the latest information on our privacy practices. To the extent required by applicable law, Envoy ensures that persons authorized to process personal data for or on behalf of Envoy are obligated to maintain the confidentiality of personal data.

Does Envoy have a Data Protection Officer?

Envoy is not currently obligated to appoint a Data Protection Officer under Article 37 of the GDPR. Envoy’s privacy contact can be reached directly at

Does Envoy have a Data Processing Agreement (DPA) for their role as a processor?

Envoy does offer a DPA to customers for Envoy’s role as a data processor. Envoy’s DPA has been tailored to Envoy as a cloud service provider and to address the unique nuances of our product, operations, and the way Envoy interacts with Customer Content. Please reach out to to request a DPA.

Customer Content

What is Customer Content?

Customer Content is data, information, file attachments, text, images, personally identifiable information, and other content that is uploaded or submitted by users or collected by users from third parties using Forms or other features of the service.

What is Envoy’s role with Customer Content?

Envoys role in relation to Customer Content is as a processor. The customer is the controller of their Customer Content.

Where is Customer Content stored?

Customer Content is stored within North America or the EU. Envoy will not transfer personal data to a third country or an international organization without documented instructions from the customer.

How is Customer Content secured?

Keeping the personal data customers entrust to Envoy private and secure is something that Envoy takes very seriously. Envoy’s security practices are SOC2 examined and tested (Type II) and our application is penetration tested at least annually. Such policies and safeguards will contain technical and organizational measures appropriate to ensure a level of security appropriate to the risk.

What happens to Customer Content when our services cease?

Upon the expiration or termination of our services and at the request of the customer, Envoy will cease processing Customer Content and will delete or return to the customer all personal data and copies of personal data.


Envoy utilizes Subprocessors to provide our service to customers. A Subprocessor is a third party appointed by or on behalf of Envoy to process personal data on behalf of customers in connection with Envoy providing services to customers.  

How does Envoy review Subprocessors?

Envoy reviews each potential Subprocessor to ensure that their practices match our commitments to customers as it relates to privacy and security. We gain contractual agreements from Subprocessors to ensure that these commitments are met.

Who are the Subprocessors that Envoy utilizes for Customer Content?




Amazon Web Services, Inc.

Hosting Provider

United States, Europe

MongoDB, Inc.

Hosting Provider

United States

Google LLC

Hosting Provider of Optional Features

United States

The Rocket Science Group, LLC

Hosting Provider of Optional Features

United States


What will Envoy do if it receives a request from a data subject?

Envoy will refer requests from data subjects to the data controller, our customers, if the request is related to Customer Content. Envoy will assist customers on how to utilize the product features to respond to a data subject request. Where Envoy is a data controller, Envoy will evaluate the nature of the request and work with the data subject in the allowable time frames under the GDPR to respond to the request.

Does Envoy have features that customers can use to help them comply with their GDPR obligations?

Envoy offers the following product features:

  • Export. Envoy allows users to export customer data and reports in machine-readable formats such as Microsoft Excel and PDF.
  • Sharing. Envoy enables customers to choose who they want to share their content with.
  • Delete Data. Envoy gives Admins and Editors the ability to delete any and all data that has been updated to the Envoy.

To the extent required by the GDPR, Envoy will make available to customers all information necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the customer or another auditor mandated by the customer. Additionally, to the extent required by the GDPR, Envoy will make commercially reasonable efforts to assist Customers in ensuring compliance with the obligations set forth in Articles 32 to 36 of the GDPR, taking into account the nature of Envoy’s services and the information available to Envoy.