Privacy Shield Compliance Statement


The EU-US Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. The EU-US Privacy Shield is a replacement for the International Safe Harbor Privacy Principles which were declared invalid by the European Court of Justice in October 2015.


Business - The Company using Vtiger CRM for the purpose of improving Sales and Support activities.

CRM User - Employees of the Business, who are added as Users in the Vtiger CRM.

End User - The customer of the Business. End User data is collected by the Business through different means. Vtiger does not collect any End User data.

Privacy Shield Principles

#1 Notice

Participating organizations must provide individuals, in clear and conspicuous language, with notice of the organization’s participation in Privacy Shield, the type of data collected, and the purposes for which the data is collected. Individuals also must be informed of any third parties to whom their data will be transferred, their right to access their data, and the means for limiting the use and disclosure of their personal data. Finally, the organization must describe available recourse mechanisms and acknowledge the FTC’s (or other statutory body’s) enforcement authority.

End User Data - Vtiger does not directly collect information about individuals. The organizations that use Vtiger CRM to manage their customer data are obligated to notify individuals of whom they maintain data.

CRM User Data - The data collected at the time of sign up is used for authenticating users of the service, and for notifying users of updates by email or phone. Vtiger may share some of this information with external services such as Dun & Bradstreet to learn more about the user’s business or the user themselves, to be able to articulate the benefits of our products more precisely.

#2 Choice

Organizations must provide “clear, conspicuous, and readily available mechanisms” by which individuals can opt out of any disclosure of personal data to a third party or the use of data for a purpose other than the one for which it was initially collected. For sensitive information, including data related to health, racial or ethnic origin, political and religious opinions, trade union membership, or information revealing an individual’s sex life, the individual must affirmatively opt in to allowing the organization to disclose the information to a third party or use the information for a separate purpose.

End User Data - Businesses using Vtiger, and collecting sensitive data, should allow individuals to opt out of any disclosure of personal data.

CRM User Data - Vtiger does not collect any sensitive data from CRM users.

#3 Accountability for Onward Transfer

Privacy Shield expands regulation of and accountability for third party personal data transfers. A Privacy Shield certified organization must specify in third party contracts that transferred personal data “may only be processed for limited and specified purposes consistent with” the data subject’s consent. Third parties must agree to “provide the same level of protection as the Principles.” Where the third party is acting as an agent, such as a vendor, the organization must in addition “take reasonable and appropriate steps” to ensure the agent upholds the Principles, including to stop and remediate any unauthorized processing. This downstream data protection accountability puts significant pressure on vendor selection and monitoring practices. A Privacy Shield certified organization must even provide the DOC with relevant third party contractual provisions, which place some restrictions on contractual confidentiality.

Regardless of contractual language, moreover, a Privacy Shield certificate holder remains liable to the data subject for its vendor’s violation of the Principles, unless it “proves that it is not responsible for the event giving rise to the damage.”

End User Data - Vtiger does not share the end user data with any 3rd party service.

CRM User Data - Vtiger could share CRM User data with 3rd party services to enrich profiles and track usage. Vtiger ensures that any vendors who are provided with this data follow the same contractual provisions as mentioned in the Privacy Shield framework.

#4 Security

Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

End User Data and CRM User Data - Vtiger ensures that safeguards are in place to prevent data from unauthorized access, destruction or disclosure.

#5 Data Integrity and Purpose Limitation

Privacy Shield maintains the requirement that the data must be “relevant for the purposes of processing,” but it introduces language requiring organizations to “limit” collection to only the relevant data. Organizations also must “take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.”

End User Data - Businesses using Vtiger, and collecting sensitive data, should only collect relevant information, and keep it current.

CRM User Data - Vtiger maintains the integrity and the relevance of the CRM User data collected for enhancing the service.

#6 Access

Organizations must provide individuals with access to their personal data as well as the opportunity to correct, amend, or delete information that is inaccurate or processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks.

End User Data - Businesses using Vtiger should provide access to the end users and maintain accurate data. Businesses using Vtiger can give end users access to web forms and the customer portal to update their data.

CRM User Data - Vtiger User data can always be accessed by the Business through the tools provided.

#7 Recourse, Enforcement, and Liability

Organizations will need to implement processes for handling complaints in order to obtain the approval from the Department of Commerce to operate under the Privacy Shield. Therefore, these new obligations are relevant for all organizations, not just those that are faced with alleged violations.

Privacy Shield sets out three requirements for effective enforcement: “(a)(i) recourse for individuals to whom the data relate; (a)(ii) follow up procedures for verifying that the attestations and assertions they have made about their privacy practices are true; and (a)(iii) obligations to remedy problems arising out of failure to comply with the Principles and consequences for such organizations.”

End User Data - Businesses using Vtiger should offer end users a forum to file complaints. Vtiger CRM ensures that when email campaigns are sent, end users have the ability to unsubscribe.

Vtiger also requires businesses to only send emails to end users that have opted in.

CRM User Data - Businesses using Vtiger can contact us to share any concerns relating to the use of their data.

Vtiger hosts European customer data in the Frankfurt region.

For European customers, Vtiger CRM Service is delivered via servers hosted in data centers belonging to Amazon EC2, residing in Frankfurt.

Note: Businesses using Vtiger in England, Ireland, Scotland, and Wales are hosted in the Ireland region data center.