Onspring is a data processor, as defined by the GDPR. As stated in our Master License Agreement (MLA), we do not own customer data. Clients are responsible for the nature, accuracy, quality, and legality of their own data. They are also responsible for using commercially reasonable efforts to prevent unauthorized access to the data they store in Onspring.
Who has access to my Onspring instance and the data stored there?
Only the client’s authorized users have access to their Onspring instance and the data stored there. Onspring employees cannot access a client’s instance without the client’s express written consent, and only for the purposes of providing services or assisting the client in addressing technical difficulties. Onspring provides a complete audit log of user access, which clients may access at any time.
Does Onspring share my data with any third parties?
As stated in our MLA, Onspring cannot disclose customer data to any third party except as compelled by law or as expressly permitted in writing by the client.
How does Onspring protect my data?
Onspring maintains commercially appropriate administrative, physical, and technical safeguards for protecting the security, confidentiality, and integrity of customer data. We are happy to provide clients with additional details upon request or to facilitate a discussion with our security team to address any questions.
Can I delete data (if required) from my Onspring instance?
Clients that need to delete data from Onspring, in accordance with the GDPR, may do so. Data deleted from the system is permanently deleted and cannot be recovered. Therefore, extreme care should be taken in the deletion of data. Onspring provides technical safeguards to help prevent accidental data deletion, but responsibility for data deletion rests with the client.
What about the contact forms on the Onspring website (onspring.com)?
When visitors submit a form on the Onspring website to request a demonstration, request pricing, access educational resources, or submit a general inquiry, that data is stored in our GDPR-compliant Customer Relationship Management (CRM) system. We do not share or sell this contact data, and we use commercially reasonable efforts to prevent unauthorized access to this data. Upon request from a “data subject,” we will delete personally identifiable information from our system.