What is GDPR?

The European Union has implemented new regulations regarding the transfer and protection of EU personal data. The EU General Data Protection Regulation (GDPR) (2016/679) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission have strengthened and unified data protection for all individuals within the European Union (EU), including addressing the export of personal data outside the EU. The primary objectives of the GDPR are to protect citizens' personal data and simplify the regulatory environment for international business by unifying the regulation within the EU.

Chrome River's Policy

For over 10 years, Chrome River has been committed to protecting the privacy and security of customer information, including processes and safeguards relevant to personal data. Chrome River has implemented a very robust set of policies, procedures, and protocols in order to ensure that our customers' data remain safe and confidential, including using industry leading 256-bit encryption to secure all client data, both at rest and in transit, using two-factor authentication, and more. Chrome River has demonstrated compliance with rigorous third-party security frameworks and standards including ISO 27001:2013, PCI DSS Level 1 and SSAE18 SOC 1 Type II. We will continue to seek additional certifications and accreditations that are important to our customers.

Another way we protect our clients, is by entering into Data Processing Agreements with our sub-processors, by including Model Clauses in our Services agreements. These agreements permit our clients to continue to transfer data to Chrome River without disruption and binds our sub-processors to data processing best practices. Chrome River welcomes the robust requirements for data protection, security, and compliance that the EU GDPR brings.

Chrome River has put processes in place to ensure GDPR compliance and to meet our obligations to our customers and employees. We have appointed a Data Protection Officer to oversee compliance, conducted a full Data Protection Impact Assessment (DPIA), and tuned our current incident response and breach notification policy and process to align with the requirements of the GDPR. We have also implemented business processes to deal with privacy-related requests outside the Chrome River platform and to ensure any requests from your employees directed to us, are made known to you in a timely manner, if applicable.

Lawful Basis for Processing

The GDPR defines 6 lawful bases for processing:

  1. Consent: an individual has given clear consent for the processing of their personal data for a specific purpose.
  2. Contract: processing is necessary for a contract that a company has with an individual, or because they have asked a company to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for a company to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for a company to perform a task in the public interest or for a company’s official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for a company’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Chrome River processes all data based on Legitimate Interests.

Chrome River Products and Services

Chrome River collects limited Corporate and Personal Data. The data we collect can be categorized as:

  • data that we control for purposes of Corporate Business to Business marketing efforts,
  • data we may collect from your browsing on our public website, and
  • data collected  as part of your Company’s utilization of our software services. 

Chrome River does not collect “Personal Data” from Data Subjects in the course of offering our application software. We only obtain your Company’s consent to collection and use of your Company’s confidential data. This confidential data is of paramount importance to us, and we go to great lengths to protect it, however, this data is not to be confused with “Personal Data” of Data Subjects as contemplated under the GDPR. Thus, Chrome River makes the general Privacy commitments as stated in our Privacy Policy as well as those more specific to GDPR. We are committed to the confidentiality of our customer’s information. In addition, we are independently audited on an annual basis.

We believe a very important piece of our continued compliance with privacy best practices, as well as compliance with the GDPR, is to ensure that we hold our vendors and sub-processors accountable for their security and privacy commitments. Chrome River has a robust Third-Party Vendor Management program, and we frequently assess all third parties for continued compliance with their security, privacy and confidentiality commitments.

Cookies: As mentioned in our overarching Privacy Policy, our Website uses a technology called "cookies". For more information about cookies, please click here: Cookies. Cookies are small, often encrypted text files, located in browser directories. They are used by web developers to help users navigate their websites efficiently and perform certain functions. You may set your browser to notify you when you receive a cookie or to not accept certain cookies. However, if you decide not to accept cookies from our Website, certain features may not function as designed. You may also remove cookies. To learn how to do so, please click here: Clear Cookies

Do-Not-Track: There are different ways you can prevent tracking of your online activity. One of them is setting a preference in your browser that alerts websites you visit that you do not want them to collect certain information about you. This is referred to as a Do-Not-Track (“DNT”) signal.

Chrome River’s website may not recognize or react in response to DNT signals from Web browsers as, currently, there is no universally accepted standard for what a company should do when a DNT signal is detected. At such time as a standard is established, we will assess how to best respond to the signals. For more information, please click here: DNT Signals

Notice to End Users

Where our Services are made available to you through an organization (e.g. your employer), that organization is the administrator of the Services and is responsible for the accounts and/or Service sites over which it has control. If this is the case, please direct your data privacy questions to your administrator, as your use of the Services is subject to your organization's policies. We are not responsible for the privacy or security practices of an administrator's organization, which may be different than this policy. 

Administrators are able to:

  • require you to reset your account password;
  • restrict, suspend or terminate your access to the Services and your account access;
  • access information in and about your account;
  • access or retain information stored as part of your account;

In some cases, administrators can also:

  • change the email address associated with your account;
  • change your information, including profile information;
  • restrict your ability to edit, restrict, modify or delete information.

Even if the Services are not currently administered to you by an organization, if you use an email address provided by an organization (such as your work email address) to access the Services, then the owner of the domain associated with your email address (e.g. your employer) may assert administrative control over your account and use of the Services at a later date. 

Please contact your organization or refer to your administrator’s organizational policies for more information.

Employment with Chrome River


If you reside in the European Economic Area and are interested in employment with Chrome River, Inc., you will need to provide certain information (cover letter, resume, references, eligibility, or other employment-related information).  We use this information for the purpose of processing and responding to your application for current and future career opportunities. In this respect, you would be considered a Data Subject and the information you provide to us would represent Personal Data. 

Our Website includes a “Careers” link.  All applications must originate from this website. Any entity that processes data on behalf of Chrome Riverwill be fully GDPR compliant. You will need to provide your Consent for us to contact you as part of your application. You have the right not to provide Consent, but we will be unable to process your application and consider you for employment if you do not provide it. While we will obtain your Consent, we process and manage your data based on legitimate interests.

A limited number of employees of Chrome River will also have access to your data once you apply for a position. The recipients of your personal data will be select employees of Chrome River such as Human Resources, the hiring leader, individuals with whom you will need to interview, etc. All information is shared according to the principle of least privilege. These employees have all undergone GDPR-related training. A limited number of third-party providers, under contract with Chrome River, may also have access to your Personal Data. We ensure that any such provider has data protection levels equivalent to those set forth in this privacy notice, at a minimum.

If you are selected as a final candidate for a position, we will enter into the appropriate contract, agreement, or other documentation as appropriate for your country of residence. All documentation and actions, including those requiring additional Consent,  will reflect full compliance with GDPR.


As part of becoming an employee of Chrome River, Inc. you will be provided with an Employee Privacy Notice outlining your rights and remedies. At that time, you will also be provided with any and all documentation and information related to your status as both a Data Subject under the GDPR and an employee of Chrome River, Inc.

Subject Access Requests

A subject access request is a written request for personal information/ personal data held about you by us. You have the right to see what personal information we hold about you. You are entitled to be given a description of the information, what we use it for, who we might pass it on to, and any information we might have about the source of the information. However, this right is subject to certain exemptions or restrictions that are set out in the GDPR.

Data Protection Officer and Subject Access Requests

To make a Subject Access Request, email privacy@chromeriver.com or write. 

The GDPR requires that we provide you with the following information:

Company Name: Chrome River, Inc.

5757 Wilshire Blvd.
Suite 270
Los Angeles, CA 90036 

SVP, Legal, Contracts, and Procurement in Admin: Melanie Morgan 

Finally, you have the right to lodge a complaint to the Information Commissioners’ Office (“ICO”) if you believe that we have not complied with the requirements of the GDPR with regard to your personal data. The ICO encourages individuals to first report their concern to the organization controlling or processing your data. For more information, please refer to ICO/ Raising a Concern.

Share this