Spredfast MSA and Data Protection FAQs
- Where can I find your MSA?
Our MSA is located at https://www.spredfast.com/SpredfastMSA.pdf
- If the MSA is online, how does it get signed?
Signature on the Service Order will serve as signature to the MSA.
- What does your MSA require Spredfast to do?
Key obligations are:
Spredfast provides its services to customers on a Software as a Service (SaaS) basis. The particular services will be identified and described further on one or more Service Orders that will operate under the MSA.
Spredfast protects your data when it is on the Spredfast platform.
Spredfast agrees to various confidentiality, indemnification and other legal obligations.
- What does the MSA require Customers to do?
Customers are responsible for the data that they submit to the Spredfast platform, which is typically data required to log in and use the platform. They need to have consent to submit that data to our platform and cannot allow unauthorized access to our services.
Any consents or authorizations necessary for the content Customers use in connection with Spredfast services need to be obtained by the customer. See the explanation below.
Customers will need to agree to terms of social media networks and potentially other third parties (see below).
Customers also agree to various confidentiality, indemnification and other standard and reasonable legal obligations.
- Why Can’t Spredfast be 100% Responsible for Consents Necessary for the Data and Information Used by Customers?
Spredfast’s services provide functionality, but Spredfast does not make the determination of what content is utilized. The customer controls the content and Spredfast then processes it as the customer directs. Consequently, customers need to determine what consents and authorizations are necessary and obtain them as may be required. From time to time, there may be exceptions to this general rule, but only pursuant to specially negotiated agreements for Spredfast to provide additional services.
- Why Do Customers Need to Agree to Social Media Networks or other Third Party Terms?
Spredfast provides tools that work with social media networks, such as Twitter and Facebook, to allow our customers to easily perform various tasks on these sites. The Spredfast services are not separate consumer facing sites. Consequently, both Spredfast and customers must agree to any applicable terms and conditions of social media networks (such as Twitter or Facebook) and any other third-party applications that may be used in connection with the services. Any of these other third party applications will be identified in the Service Order and subject to the customer’s approval.
- Does Spredfast Use Subprocessors?
Yes, Spredfast does make limited use of third parties, from time to time, to provide its services. The most common use is for the provision of cloud services, which is provided by Amazon Web Services (“AWS”). For a full list of subprocessors, please click here. Under the MSA, Spredfast takes responsibility for the services provided by subprocessors.
- Does Spredfast Move Data Internationally?
Yes, Spredfast maintains servers in both the US and EU and maintains offices in the US, EU, and other locations listed at https://community.lithium.com/t5/Policies-and-Guidelines/What-companies-.... Spredfast may move data between such locations. However, note that (i) Spredfast is certified under the Privacy Shield Program; and (ii) Spredfast cannot control how data that is posted to social media networks or other third party sites may move around the world, as this is determined by those sites. See below for more information on data protection.
- By Posting Your MSA Online, is Spredfast Trying to Make Customers Sign up to One-Sided Terms that Can Change at any Time?
Absolutely not. Our online MSA is part of our streamlined process to make it easy on both parties to seal the deal quickly. Our MSA is intended to be straightforward and reasonable for both sides. When a customer signs a Service Order, they are agreeing to the MSA version that is current as of the date that Service Order is signed, and those terms cannot be altered without the written consent of both parties.
Spredfast Data Protection
- What Does Spredfast do to Protect Data?
Spredfast takes data protection very seriously and takes all reasonable measures to secure all data its customers and partners submit to its platform. Spredfast has successfully passed a SOC 2 audit each year and employs industry best practices. For example, Spredfast trains its personnel on security and privacy measures, enforces controls on access to its systems and encrypts any sensitive data. Additional details about Spredfast’s security practices are available upon request.
- What Role Does Spredfast Play with Respect to Data on its Platform?
Spredfast processes data in accordance with customers’ directions. Customers control what data and information are provided to the platform and what social media content it will access or create in connection with the Spredfast platform. Spredfast cannot control any content or data that is under the control of a social media network or other third party. Spredfast is a data processor and not a data controller. However, Spredfast protects the customer data contributed by customers directly to its platform, such as log in details. Limited exceptions may exist if a special agreement for Spredfast to provide additional services is negotiated.
- Do Customers Have a Role in Data Protection?
Absolutely. Customers must guard against unauthorized access to their accounts and are responsible for obtaining any required consents to any data or content they provide through the platform.
- What Role Do Social Media Networks or Other Third Parties Play in Data Protection?
Data and content that come from or are provided to social media networks or other third-party sites will be subject to the data protection and privacy policies of those social media networks and third parties. Spredfast’s platform provides tools for customers to access and interact with such sites, but because data and content contributed to or accessed from the Spredfast platform reside on those third-party sites, they are also protected in accordance with their policies. This is also the reason customers and Spredfast must agree to the applicable terms and conditions of such social media networks and third parties.
- What Social Media Networks or Third Parties Are Involved & How Do Customers Know?
Customers know which of the Spredfast tools interact with which social media networks or other sites because they are described in the product descriptions made accessible to customers and/or they are apparent on the customers’ dashboards. Customers can find the applicable privacy policies posted on each of those sites. If they don’t want to use any particular social media network or other site, Customers can make those choices.
- What is Considered “Content” and How is it Handled?
Content is a defined term in our MSA and it consists of the data that customers input into the Spredfast platform, including personal data for log in information, notes and internal customer communications. It does not include anything posted on social media networks or any other third-party site. Spredfast protects Content on its platform and customers can access and download their Content during the term of their contracts for at least a rolling 24-month period.
- Is Content encrypted?
Yes, all data is encrypted using TLS 1.2 in transit and AES-256 at rest.
- Does Spredfast Move Data Internationally?
See the answer to this question above.
- Can Customers Download Their Content and How Long is it Retained?
Yes, customers can download their data through the Spredfast platform during the term of their agreement and we guarantee access to and download of customer Content on a rolling 24-month basis. Customer Content will be retained for 30 days post termination of any Service Order, or such longer period that Spredfast may be required to retain such data under applicable laws or regulations.
- Can Customer’s Content be deleted or destroyed?
Spredfast functions as a data processor of social content. The social data lives on the relevant third party social network, and Spredfast has neither access to nor the ability to delete this content on those third party social networks. At the end of contract, Spredfast will delete any such data that has been stored on Spredfast systems thirty (30) days following the end of the contract, absent other reasonable instructions by the customer.
- For additional information about our Privacy Notice, go to https://www.spredfast.com/privacy. For our data protection and privacy practices, including our compliance under the General Data Protection Regulation (“GDPR”), go to https://www.spredfast.com/privacy-center.
Last Updated November 2018