How Deque Complies with Data Protection Law
Practices, Processes and Contracts
Minimal Personal Data
Deque provides software and services that help customers to improve electronic accessibility, especially making Web content more accessible for people with disabilities.
Deque software automates the analysis of customer Web pages for accessibility. The software looks at the Web pages and provides feedback about accessibility, mostly according to the Web Content Accessibility Guidelines (or “WCAG”), which are part of a series of web accessibility guidelines published by the Web Accessibility Initiative (the “WAI”) of the World Wide Web Consortium (the “W3C”).
Where a customer uses these Deque software tools, no personal data is required to be provided to Deque. The customer simply uses the software.
Deque also provides services that involve analysis and consulting by Deque about accessibility (such as audits, remediation, strategy, and compliance programs), as well as training services during which Deque trains customer personnel about accessibility and the use of Deque software.
Where a customer uses these services, Deque receives only business contact information about the customer personnel who use the software or receive the services and, in the case of training, information necessary to deliver the training and track who has received what training.
Otherwise, Deque receives only:
- personal data necessary for credentialing (such as for named-user licenses) and
- the information that you’d expect to find on a support ticket (usually customer employee name, contact information, organizational role, and nature of support issue).
In any case, Deque receives no personal data about the customer’s customers or the users of customers’ websites. Customers cooperate in this minimization of personal-data exchange by limiting personal data provided to Deque to only the information stated above.
Data protection law often requires that customers themselves (as controllers subject to the law) minimize the personal data that they collect, use and – importantly – share with service providers like Deque. Deque supports this approach by limiting the scope of data that it will receive from customers. Examples of minimization requirements include:
- GDPR minimization principle. GDPR Art. 5(1)(c);
- UK Data Protection Act 2018 minimization principle. Article 5(1)(c);
- California Privacy Rights Act (“CPRA”). Cal Civ Code 1798.100(c); and
- Virginia Consumer Data Protection Act (Va. Code § 59.1-578).
Lastly, and for the avoidance of doubt, Deque needs no protected health information (or “PHI”) as defined by HIPAA, cardholder data as defined by PCI DSS, nonpublic personal information as defined by Gramm-Leach-Bliley, or similar data. Accordingly, contract elements like HIPAA business associate agreements (“BAAs”) don’t apply and won’t be a part of the contractual relationship with Deque.
Systems and Processes
Deque maintains technical and organizational security measures reasonably necessary to protect the personal data from unauthorized access, use, alteration, or deletion.
Personnel and Other Resources
Deque trains, and monitors compliance by, its personnel in accordance with industry practices.
Deque uses counsel who is certified in European and Asian data protection (CIPP/E and CIPP/A) and in US private-sector privacy (CIPP/US) by the International Association of Privacy Professionals (IAPP), and who is a Certified Information Privacy Technologist (CIPT) and a Fellow of Information Privacy (FIP).
Data Protection Officer
Deque’s processing does not entail operations that (a) by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale or (b) consist of processing on a large scale of special categories of data as contemplated by GDPR Article 9 or personal data relating to criminal convictions and offences referred to in GDPR Article 10. Accordingly, and consistent with the criteria in GDPR Article 37, Deque has not appointed a data protection officer.
Deque does not collect personal information from data subjects other than in the case of a support ticket submitted directly to Deque (name, business contact information, and nature of the support request).
Otherwise, the customer provides personal information of its users directly to Deque for credentialing and training purposes (name, business contact information, training received or to be received).
GDPR and Similar Law
Deque is always a processor, and never a controller, of personal data.
Deque will take on the obligations that GDPR Article 28 requires a controller to impose on processors. Such obligations should be stated, as much as possible, in the actual language of the GDPR. Deque’s form of Data Processing Agreement uses the GDPR language, often verbatim.
Deque will agree to refrain from selling personal information.
Deque will agree to use personal information solely for the specific purpose of performing the services specified in the Deque/customer agreement.
Deque will, where not prohibited by law, pass on to Deque’s customer any user request for deletion or modification of the minimal personal information held by Deque.
Deque is not itself subject to the CCPA and cannot agree to any stipulation that Deque is subject to the CCPA. Deque is, at most, a service provider.
Deque only uses subprocessors where the customer requires hosting of a Deque solution or uses the Deque solution on a software-as-a-service (“SaaS”) basis. In such cases, Deque presently uses Amazon Web Services (“AWS”) for such hosting. It will come as no surprise that this is a common practice among accessibility providers and most other IT providers.
Neither Deque nor any other provider of similar services has any ability to flow down specific customer contractual requirements to AWS or any other major hosting service. That said, Deque will obtain obligations from the hosting provider that are consistent with Deque’s performance under its contracts with customers.
The customer has the primary relationship with the customer’s users of Deque services and software (generally, the customer’s employees and permitted contractors). The customer is expected to have such consents or other rights from such data subjects to provide their personal data to Deque and permit Deque to process such personal data.
Where required in order to comply with the GDPR or similar law, Deque will enter into contractual arrangements with customers. Deque typically agrees to the following:
- Obligations that GDPR Article 28 and other applicable law requires controllers to impose upon processors;
- Assistance with controller obligations under GDPR Chapter 3 and similar privacy law; and
- Standard Contractual Clauses – Modules 2 (Controller-to-Processor) and 4 (Processor-to-Controller).
Deque uses a standard Data Processing Agreement that contains the above obligations and the Standard Contractual Clauses. The form is available for review upon request.
Deque does not agree to stipulations that any particular data protection law applies. If the law applies, it applies by its own terms.
Deque will always agree to comply with law that applies to Deque. Deque cannot agree to comply with law that does not apply to Deque or to make a customer compliant with law that applies to the customer.
Deque generally requires that customers refrain from supplying personal data to Deque that is not required by Deque in order to perform under the agreement. This (a) properly allocates the responsibility for data hygiene and (b) often provides a basis for Deque to accept more-expansive customer language inasmuch as it limits the personal data to which the customer language applies.
Deque understands that certain customers are subject to regulatory requirements that apply to those customers. If a regulation having the force of law requires that the customer impose specific contractual obligations on its service providers, Deque will generally agree to those requirements, and to that extent. Deque can do so in one of two ways, whichever the customer prefers:
- Identify the particular requirements in the actual regulation and reproduce or cite them in the agreement; or
- Define a generic term in the Deque/customer agreement (usually “Regulatory Requirement” or something similar) that refers to express obligations that the customer is required by law to impose on Deque; in which case customer language can be included in the agreement, but it applies only to the extent that it is an actual Regulatory Requirement.
While Deque can accommodate actual requirements of law, Deque cannot agree to terms that amount to the customer’s interpretation of the law or that contain additional obligations that are not actually required to be imposed.
Neither Deque nor the customer is the sole arbiter of whether the law requires that the customer impose a Regulatory Requirement.
Deque is always happy to talk about approaches to data protection. The best idea is to have a conversation with Deque’s privacy and data protection subject-matter experts as early as possible in the contracting process.
Deque’s primary privacy contact is:
Deque Systems, Inc.
381 Elden Street Ste 2000
Herndon, VA 20171