This article answers common questions about how the General Data Protection Regulation (GDPR) affects Act-On and its customers.

Corporate Information

Is Act-On a US corporation?

Yes. Act-On is incorporated under the laws of the State of Delaware. Act-On is headquartered in Portland, Ore., and also has offices in Scottsdale, Ariz., and Reading, UK.

Does Act-On host customer data within the United States?

Yes. Act-On primarily hosts customer data in the US, with options for customers to have their data hosted in data centers located in Ireland or Germany. Regardless of the data center chosen, some data may be temporarily transferred to the US when specific features are used.


Has Act-On appointed a Data Protection Officer?

No. Act-On’s business and technical activities do not require us to appoint a DPO under GDPR.

Who is responsible for data protection and compliance within Act-On?

Responsibility for data protection and compliance resides within our legal department and is a priority established by our General Counsel.

Are Act-On’s business practices, contracts, policies and agreements compliant with Privacy Shield requirements?

Yes. Act-On has maintained this compliance since 2016. Please see here for more information:

Access and Logs

Does Act-On require credentials to access its platform?

Yes. Users must access the Act-On platform using a username/password. Access to Act-On is session based, and an auto logout is in place (the timing of the auto logout can be set at admin level).

Does Act-On retain access logs?

Yes, for a period of three (3) years, after which they are archived. Act-On logs security events such as login attempts (failed or successful), privilege enhancement, and changes to, or deletion of, data. Act-On does not provide these logs to customers or third parties.

Can Act-On administrators assign privileges?

Yes. Act-On administrators can individually assign rights to other Act-On administrators and marketing users to utilize the platform.

Who can access customer data within the Act-On system?

We restrict access to our platform. We permit the administrators at our customers to determine who within the customer’s organization can access the solution. Additionally, only a limited number of Act-On personnel are permitted to access our customers’ instances of our product. These personnel are designated individuals from our customer success, support and engineering functions and their access is limited to addressing our customers’ needs and requests and for product development purposes. All employees are bound by a duty of confidentiality.

Data Processing Agreements

Does Act-On have a form Data Processing Agreement that is compliant with GDPR?

Yes. Please contact your Account Manager for more information.


Does Act-On require consent for a prospect to be tracked by its solution?

Yes, to comply with applicable laws, the Act-On platform includes settings that require consent in order to track the prospect. This is accomplished by the website visitor accepting the tracking cookie on their first visit to our customer’s website. If the visitor chooses to not accept the cookie, Act-On will not track the website visits made.

Does Act-On require that its customers obtain consent of their prospects to send them marketing communications?

Yes. Best practices require that our customers market to only prospects from whom they have obtained consent or with whom they have a pre-existing relationship.

Withdrawal of Consent

How does the Act-On platform enable compliance with the right of individuals to withdraw consent previously provided?

Our solution offers our data controllers the ability to create a process to permit individuals to exercise their right to withdraw. This process is similar to the process used to obtain double opt-in. Act-On customers can also remove any individual from any mailing list or segment contained within their instance of the product. As a data controller, it is the obligation of our customer to ensure that the right to withdraw is fulfilled.

Data Accuracy

How will Act-On comply with the principle of data accuracy?

Act-On does not review, access or modify the substance of the content that our customers load into our system. It is up to our customers as data controllers to ensure the accuracy and completeness of the information they upload into our system.

Data Management

What is Act-On’s retention policy for data residing in our customers’ instances of the Act-On solution?

Profile data is retained for as long as the customer maintains a commercial relationship with Act-On. Collected behavioral data will be retained for a period of two (2) years. If an individual exercises his/her right to be forgotten under GDPR, then personal data pertaining to that individual will be erased as described below.

How long does Act-On retain data after my organization’s commercial relationship with Act-On ends?

Act-On’s policy is to delete customer data 90 days after our contract with the customer terminates for any reason.

How does the Act-On platform ensure that data about a particular individual is processed and maintained only as long as is necessary?

Act-On does not review the subjective nature of the content uploaded into the Act-On platform. It is the responsibility of our customer, as the data controller, to determine how to process data pertaining to an individual, as well as to determine how long such processing should occur. When a customer determines that processing certain data is no longer necessary or appropriate, the customer can implement this decision within the Act-On platform by limiting or removing the particular information in question.

How does the Act-On platform permit customers to comply with individuals’ rights under GDPR to restrict processing of personal information pertaining to that individual?

Our platform permits our customers to manage data processing requests on behalf of individuals who are in our database. Administrative users can cease or limit processing of particular individuals through our application. Most of the time this will be accomplished by removing a particular individual from the customer’s database of records.

Data Processing and Transmission

Does Act-On consider itself a data controller or a data processor with respect to customers’ usage of the Act-On platform?

With respect to usage of the Act-On platform, the customer who is using the platform is considered the data controller as it is the customer who controls what data is collected and how it is utilized. Act-On is the data processor as the Act-On platform processes data pursuant to instructions provided by the customer.

What type of data does Act-On process?

The type of data processed is determined by our customers, who determine the type and quantity of data to collect and process within the system. Typically, this includes contact information such as name, email address and possibly other contact information. This may also include data created by our application while tracking select behaviors and interactions of prospects. Please note our Acceptable Use Policy addresses certain types of information that are not permitted to be uploaded into or transmitted using our platform.

Is any data processed outside of the European Union?

For US-based customers, our data is stored and processed within the United States.

Customers based elsewhere (including in the EU) have the option of having their instance of our solution hosted in data centers located within the EU. In this situation all data, including back-ups, is stored within the EU. Certain parts of our solution, including our email solution, are located within the United States. With respect to email only, customers may request that their email be sent via an email system located within the EU. Act-On will accommodate this request for a fee.

How does Act-On ensure that the transmission of personal information to or from the Act-On solution is accomplished in a secure manner?

All data in transit is secured using industry standard encryption (TLS 1.2 or AES-256).

Security of Data Processing

Does Act-On comply with the obligations under GDPR to ensure that data is processed securely?

Yes. The data centers where we host and transact customer data follow the highest levels of industry best practices from a security standpoint. These locations possess broadly accepted security certifications such as ISO 27001, SOC-2 and SSAE 16/SOC1. For data in transit, Act-On performs secure data transmission using strong encryption: SSL/TLS and AES-256. Act-On complies with the U.S. – E.U. Privacy Shield framework regarding the collection, use, and retention of personal data from European Union member countries.


Has Act-On audited all subprocessors who may have access to customer data and taken appropriate steps to ensure that such subprocessors comply with GDPR as applicable?

Yes. Act-On maintains a list of subprocessors and other third parties that receive and otherwise manage personal information provided by our customers. Act-On has ensured that all such third parties comply with the relevant provisions of GDPR and Act-On has entered into data processing agreements with these parties.

Data Requests

Does Act-On have a process in place for responding to Subject Access Requests?

Yes. Customers can print the data subject's Contact Report which contains all behavioral and profile data for the contact. To ensure all profile data from across your multiple lists is printed, be sure to select the Print All option on the Contact Report.

Under GDPR, an individual may request to have the collected data made available to them at any time (data portability). How will this be enabled within the Act-On system?

Act-On’s customer, as the data controller, may utilize the Act-On system and related APIs to obtain and transfer all information pertaining to a particular individual that resides within the customer’s database of contacts.

Proof of Opt-In

Does the Act-On platform enable double opt-in as required under GDPR?

The Act-On platform includes tools to allow our customers, as data controllers, to meet opt-in requirements. Act-On can offer a double opt-in process using a combination of features including form submissions, automated programs, email confirmation and landing pages.

Does the Act-On platform track and record opt-ins for audit purposes?

All opt-ins are recorded within the assigned form submission list. This record details the submitted data for the form as well as the time/date that the form was submitted.

Right to be Forgotten

How does the Act-On solution enable individuals to exercise their right to be forgotten/erasure under GDPR?

As of May 25, 2018, the Erase Contact tool is available to completely erase all data for a data subject from your account. Simply enter the email address and the Act-On system will remove that email address from all lists and all behavior data associated with that individual email address. Furthermore, email confirmations to the internal email address of your choice ensure you maintain an audit trail of your erasure compliance.
