Conjoint.ly and GDPR


Last updated on: 6 July 2020

In 2012, the European Commission began a process to reform Europe’s existing data protection laws by proposing a new data protection regulation to replace the current Data Protection Directive. GDPR was agreed and adopted in 2016 and came into effect on 25 May 2018.

Conjoint.ly takes our GDPR responsibilities seriously and on this page provides answers to commonly asked questions.

Where does Conjoint.ly store customer data?

Similar to many SaaS providers, we use a top-tier, third-party data hosting provider (Amazon Web Services) with servers located in the U.S., to host our online and mobile services. For more information about AWS’s approach to compliance with the GDPR, see https://aws.amazon.com/compliance/gdpr-center/.

Will Conjoint.ly be storing EU customer data in the EU?

Conjoint.ly has no short-term plans to store data in the EU, and this isn’t required under GDPR. Instead, GDPR requires companies to implement appropriate safeguards when they export personal data out of the EU.

Conjoint.ly makes sure that it complies with EU data export restrictions when it exports data outside of the EU.

How does Conjoint.ly comply with EU data export restrictions?

When personal data is hosted or processed outside of the European Economic Area by Conjoint.ly, GDPR requires that it remains protected by appropriate safeguards in line with EU law. There are a few ways that Conjoint.ly achieves this.

First, some of our EU customers’ data is processed in Australia (where our Headquarters are located). Australia is recognised by the EU as an ‘adequate’ country (i.e. safe country) to receive and process EU personal data.

When we process EU customer data in other territories, like the United States of America or New Zealand, we ensure “appropriate safeguards” are in place that are prescribed by GDPR – i.e., by entering into the European Commission’s Standard Contractual Clauses with the entity the data is transferred to, or by ensuring the entity is Privacy Shield certified (for transfers to US based entities).

Why isn’t Conjoint.ly signed up to Privacy Shield?

Conjoint.ly is an Australian company, with team members all over the globe – we are not a US-headquartered company. Privacy Shield is only one of a few available mechanisms to transfer data outside of the EU, and certification against the Privacy Shield is not a legal requirement. We rely on a combination of measures to ensure compliance with EU data export rules, including Model Clauses.

Do you have a GDPR compliant Data Processing Agreement/Addendum for us to sign?

The Conjoint.ly Data Processing Addendum is found here. You don’t need to sign it because it automatically applies as part of the Conjoint.ly Privacy Policy whenever it is relevant to your use of the Conjoint.ly platform or services.

Who are Conjoint.ly’s subprocessors?

A full list of Conjoint.ly’s subprocessors is available on our subprocessors page.