GDPR Compliance

GDPR Overview

The European General Data Protection Regulation (GDPR) was approved on April 14, 2016, by the European Parliament and went into effect as of May 25, 2018. The GDPR is a regulation on the collection and processing of information related to an individual residing within the European Union (EU).

The GDPR's six key principles, as detailed in Article 5 of the legislation, include:

  1. Provide full transparency on what data is collected and how data will be used before requesting the individual's consent.
  2. Ensure that collected data is used only for the purposes explicitly specified at the time of collection and consent.
  3. Minimize the data collected and utilized solely for the purpose for which it is collected.
  4. Ensure that collected data is accurate throughout the chain of processors.
  5. Carefully evaluate how long data is stored, as data must only be stored for as long as necessary to serve its intended purpose, and provide users the right to delete their data.
  6. Protect against unauthorized use or accidental loss of data through the deployment of appropriate security measures and adherence to mandatory breach reporting.

Our Role

At Articulate, we value our worldwide customer base, your individuality, and your right to privacy. As outlined in our Trust Center, security white paper, and security policy, Articulate employs a holistic approach to security. We welcome the GDPR as an opportunity to deepen our commitment to data protection.

For the GDPR, we are considered processors for the data we collect from you, the controller. As a processor, Articulate commits that data put in our care by EU data subjects is:

  • Collected conservatively and with willful consent
  • Able to be deleted and managed by the user
  • Always protected with necessary safeguards

We engage carefully vetted sub-processors for specific purposes necessary to operate Articulate services. We require that each sub-processor sign and adhere to a Data Processing Agreement (DPA), reflecting our commitment and that of our vendors to take the individual's right to data privacy seriously.

View a complete list of vendors we utilize as sub-processors.

Areas of Investment

We've invested in the following areas to comply with GDPR:

  • Continuous improvements to our security infrastructure
  • Data breach notification procedures
  • Annual penetration testing
  • Updates to our contractual terms
  • Maintenance of Privacy Shield self-certification
  • Data portability and data management

Data Transfers

On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, and on September 8, 2020, the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland found the Swiss-U.S. Privacy Shield Framework didn't provide adequate protection for personal data transfers from Switzerland to the United States.

Even before these recent developments, Articulate used alternative safeguards identified in the GDPR, including standardized contractual clauses (SCCs). We'll continue to use the SCCs, including updating the SCCs to those released by the EU authorities in June 2021 (we'll update to the new SCCs by 9.27.21). We've also assessed our data transfer risks, including engaging an external auditor to evaluate our security controls resulting in SOC 2, Type 2 and ISO 27001 certifications, and should have our ISO 27701 certification by year-end 2021. Additionally, we've specifically assessed the risks raised by the CJEU and determined that those risks are highly unlikely for Articulate because some laws (e.g., the U.S. Electronic Communications Privacy Act) don't regulate Articulate, and other laws that could theoretically apply to Articulate (e.g., Executive Order 12333 and the U.S. Foreign Intelligence Surveillance Act) are unlikely to impact us since we don't provide the services government authorities typically target for broad surveillance (e.g., telecommunication providers, ISPs). We've never received a request for surveillance, and if we did receive such a request, we'd notify the impacted customers unless prohibited by law.

Data Portability and Management

Providing you with control over Articulate's collection, retention, and usage of your data is a key component of the GDPR. The following methods describe the controls available to data subjects:

GDPR Inquiries

Please contact us at if you have any questions about our GDPR compliance.
