Privacy Hub
Shook is committed to protecting the privacy of our customers as well as anyone who interacts with us through our website or our events. This page provides data protection documentation and answers to frequently asked questions about how we comply with the GDPR and other privacy laws.
General Privacy Questions
How does Shook help customers comply with the GDPR, the CCPA, and other data protection laws?
Several Shook features support compliance with global data protection laws, including, for example:
- Robust technical and organizational measures to protect personal data, which are enabled by default and regularly subject to external testing and validation;
- The ability to readily retrieve or delete data uploaded to Shook if necessary to respond to a data subject request (DSR), without relying on assistance from Shook.
Shook has a Data Protection Officer (DPO) and dedicated privacy and security teams to oversee Shook’s compliance with the GDPR and other applicable privacy laws when processing personal data on behalf of customers.
For additional information on our dedication to securing and protecting your data with strong technical controls, regulatory compliance, organizational standards, and processes, contact us via [email protected]
To whom should I submit privacy-related questions?
If you have a privacy-related question about the GDPR or other privacy laws that is not addressed in these FAQs, please submit your question to [email protected]
Shook’s Data Processing Agreement (DPA) for Customers
How can I request a signed copy of Shook’s DPA?
If you are a user of Shook services, you already have a legally binding DPA with us. Our standard DPA is incorporated into our Terms of Service for self-serve customers. If you have signed an order form with Shook on our standard terms, our DPA is incorporated into your corresponding agreement. Our DPA addresses a number of applicable privacy regulations, including the GDPR and CCPA.
What personal data does Shook’s DPA cover?
Our DPA covers any customer personal data for which we act as a “data processor”, as that term is defined under the GDPR. We act as a data processor for any personal data that customers upload to our services (such as personal data stored in a Shook database). By default, Shook does not have visibility into the nature or categories of personal data that customers upload to our services. For this reason, our DPA includes a broad description of the details of the processing in order to cover any customer use case.
Shook’s DPA does not cover personal data for which we act as a data controller. Under the GDPR, we act as data controller for personal data we receive from customers in connection with: (i) creating and administering accounts (e.g., customer usernames, contact information, or billing information); and (ii) providing any other customer service functions or support. Shook’s Privacy Policy covers any customer personal data for which we act as a data controller.
Data Subject Requests (DSRs)
How does Shook help customers comply with data subject requests (DSRs) under the GDPR and other privacy laws?
Customers may retrieve, correct, or delete any personal data that they upload to Shook services. Shook’s assistance is not required to comply with DSRs unless the customer requires technical support.
How can I submit a DSR on my own behalf to Shook?
If you would like Shook to delete any personal data we hold about you, please contact us via [email protected]
To exercise any other rights you may have as a data subject, please submit your request to [email protected]
Customer Data Transfers and Government Access Requests
What supplemental measures does Shook offer to mitigate risks associated with data transfers subject to the GDPR?
Shook customers rely on the following supplemental measures in accordance with the European Data Protection Board’s Recommendations 01/2020 (adopted on June 18, 2023):
- Technical measures, which enable a customer to:
  - Prevent all Shook personnel, including privileged users, from accessing the customer's data.
  - Encrypt sensitive data in their data storage using Queryable Encryption or Client-Side Field Level Encryption, which ensures that no Shook employee (or third party) has access to those data fields outside the application environment in unencrypted form.
- Contractual measures, which obligate Shook to notify a customer if Shook receives a government request for the customer's personal data, unless the customer notification is prohibited.
- Organizational measures, including, for example: (i) the involvement of Shook’s Data Protection Officer (DPO) and privacy team on all international data transfer matters, including any governmental access requests for customer personal data; (ii) the configuration of our internal systems according to the principle of least access on a strict need-to-know basis; and (iii) adherence to state-of-the-art data security policies.