GDPR

Last Updated September 14, 2023

GDPR Overview

The European General Data Protection Regulation (GDPR) became enforceable on May 25, 2018. The GDPR is a regulation on the collection and processing of personal data related to individuals residing within the European Union (EU).
The GDPR's six key principles, as detailed in Article 5 of the legislation, include:

  1. Lawfulness, Fairness, Transparency
  2. Limitations on Purpose of Collection, Processing, and Storage
  3. Data Minimization
  4. Accuracy of Data
  5. Data Storage Limits
  6. Integrity and Confidentiality

Our Role

At Articulate, we value our worldwide customer base, and your right to privacy. As outlined in our Trust Centersecurity white paper, and security policy, Articulate employs a holistic approach to security. We welcome the GDPR as an opportunity to deepen our commitment to data protection.

For the GDPR, we are considered a data processor for the data we collect as we deliver e-learning services to our customers, the data controller. As a data processor, Articulate commits that data put in our care by EU data subjects is:

  • Collected conservatively and with willful consent
  • Able to be deleted and managed by the user
  • Always protected with necessary safeguards


We engage carefully vetted sub-processors for specific purposes necessary to deliver e-learning services. We require that each sub-processor sign and adhere to a Data Processing Agreement (DPA), reflecting our commitment and that of our vendors to take the individual's right to data privacy seriously.

View a complete list of vendors we utilize as GDPR sub-processors.

Areas of Investment

We've invested in the following areas to comply with GDPR:

  • Continuous improvements to our security infrastructure
  • Data breach notification procedures
  • Annual penetration testing
  • Updates to our contractual terms
  • Data management

Data Transfers

Previously, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, and separately, the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland found the Swiss-U.S. Privacy Shield Framework didn't provide adequate protection for personal data transfers from Switzerland to the United States. However, on July 11, 2023, the EU-US Data Privacy Framework went into force (EU-US DPF).This restored an important data transfer mechanism between the EU and the US and includes limitations and safeguards that apply to data accessible by public authorities. This means European entities are able to transfer data to self-certified businesses in the US without having to put in place additional data protection safeguards. Articulate certifies our participation to the EU-US DPF, which is a commitment to comply with a detailed set of privacy obligations.

In light of these developments, Articulate continues to use alternative safeguards identified in the GDPR, including standard contractual clauses (SCCs). We've also assessed our data transfer risks, including engaging an external auditor to evaluate our security controls resulting in SOC 2, Type 2 along with ISO 27001 and ISO 27701 certifications. Additionally, we've specifically assessed the risks raised by the CJEU and determined that those risks are highly unlikely for Articulate because some laws (e.g., the U.S. Electronic Communications Privacy Act) don't regulate Articulate, and other laws that could theoretically apply to Articulate (e.g., Executive Order 12333 and the U.S. Foreign Intelligence Surveillance Act) are unlikely to impact us since we don't provide the services government authorities typically target for broad surveillance (e.g., telecommunication providers, ISPs). We've never received a request for surveillance, and if we did receive such a request, we'd notify the impacted customers unless prohibited by law.

Data Management

Providing you with control over Articulate's collection, retention, and usage of your data is a key component of the GDPR. The following methods describe the controls available to data subjects:

  • Opt-Out by Default
    • Visitors to Articulate websites residing within the EU are opted out of marketing communications by default.
  • Opt-Out via Self-Serve
    • To manage your communication preferences, please visit our email subscription preferences page.
  • Browser Cookie Control
  • Data Subject Rights
    • Learn about the personal data we collect from you by reviewing the How We Collect Personal Data section of our Privacy Notice.
    • Contact [email protected] to exercise your data subject rights of access, correction, restriction of processing, withdrawal of consent, deletion, and portability.

GDPR Inquiries

Please contact us at [email protected] if you have any questions about how we comply with GDPR.

Additional Resources

Privacy Notice
Trust Center
Data Processing Agreement
Complete Text of the GDPR
List of Sub-Processors