We're committed to partnering with customers and users to help them understand and comply with the General Data Protection Regulation (GDPR). The GDPR went into effect on May 25, 2018 and brought significant changes to EU privacy law.
Besides strengthening and standardizing user data privacy across the EU nations, it imposes new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located.
The GDPR’s updated requirements are significant and Piano Software products are in line with required GDPR compliance commitments, either through automated product features or by requesting changes from Piano.
We work to:
Ensure that the appropriate contractual terms are in place with relevant customers;
Continue to support international data transfers by executing EU Standard Contractual Clauses (SCC) through our updated Data Processing Addendum while at the same time accepting GDPR’s application on us;
Build any new features and functionality with the requirements of GDPR in mind and ensure we include features that address Data subject rights wherever possible;
After the May deadline we continue to monitor GDPR related guidance and will make the necessary changes. We also continue to invest heavily toward security infrastructure and security processes;
Have binding corporate rules (BCRs) approved for controller and processors transfers both intragroup as well as against Publishers.
The question of international cross-border transfer of personal data is naturally very important to Piano. Being a US company, we have historically relied on the EU-US Privacy Shield and Swiss-US Privacy Shield as well as EU Standard Contractual Clauses (SCC) to lawfully transfer personal data outside the EEA. Due to the Schrems II judgement of the CJEU (C-311/18), we can no longer rely on the EU-US Privacy Shield and Swiss-US Privacy Shield. However, we understand there are a number of legal uncertainties surrounding the cross-border transfer of personal data under the GDPR and we want to be fair about these to our customers.
Firstly, in Google v Spain, the CJEU held that EU privacy law (Directive 95/46/EC) applies directly to Google, Inc. (US company) by virtue of having an establishment in the EU (Google Spain, S.p.A.) in the context of whose activities the personal data is processed. We too have an establishment in the EU (subsidiary in Slovakia) which is directly involved in supporting Piano Software, Inc. (US company) in processing personal data on behalf of the Publishers. Commission Decision on EU-U.S.
The abolished Commission’s decision EU-US Privacy Shield also referred to this problem in paragraph no. 15:
“The Principles apply solely to the processing of personal data by the U.S. organisation in as far as processing by such organisations does not fall within the scope of Union legislation. (15) The Privacy Shield does not affect the application of Union legislation governing the processing of personal data in the Member States (16).
(16) This applies also to processing that takes place through the use of equipment situated in the Union but used by an organisation established outside the Union (see Article 4(1)(c) of Directive 95/46/EC). As of 25 May 2018, the General Data Protection Regulation (GDPR) will apply to the processing of personal data (i) in the context of the activities of an establishment of a controller or processor in the Union (even where the processing takes place in the United States), or (ii) of data subjects who are in the Union by a controller or processor not established in the Union where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. See Article 3(1), (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).”
However, there is no mention of this extraterritorial application of the GDPR to non-EU companies in Articles 44-50 GDPR where it deals with cross-border transfer of personal data outside EU. Therefore, although it seems the GDPR will apply directly to Piano Software, Inc., non-EU Piano affiliated companies will remain persons from 3rd countries where the additional safeguards need to be adopted (like SCC or BCRs).
The way we decided to deal with the above is as follows:
Piano Software, Inc. being a US company concludes with EU Publishers SCC as part of the Data Processing Agreement where we act as processors and data importers to EU Publishers;
Piano Software, Inc. and all its subsidiaries (Piano Affiliates) concluded Intra-Group Processing Agreement pursuant to the Article 28(3) of the GDPR which also includes SCC.
To sum up, we have tried to ensure both contractually and technically that we comply with the GDPR regardless of whether and how the GDPR applies to us.
In the future, we aim to streamline this process and adopt BCRs instead of SCC since we believe BCRs provide higher safeguards than SCC due to their individual regulatory approval. We are currently in the approval process for BCRs with the Slovak Data Protection Authority acting as our lead data protection authority under Article 56 GDPR (the “Lead DPA”). The reason for this is that our main establishment in the EU is actually in Slovakia, where historically the first subsidiary of Piano Software, Inc. is located (Piano Software, s.r.o., Bratislava, Slovakia). As part of these proceedings there has been a so-called “one-stop shop” process (cooperation mechanism under Article 60 GDPR) to confirm the role of our Lead DPA, and none of the other EU data protection authorities concerned objected. We hope to adopt BCRs by the end of 2020.
Compliance-related tools include the following:
Export Tools. Businesses and organizations may access, import, and export all their Customer Data;
My Account Widget. Help customers respond to user requests to delete personal information, such as names and email addresses;
For all other requests. Piano provides a dedicated team to provide this information within a timely period to ensure compliance with GDPR. Contact us at privacy@piano.io.
Purpose | Position | Legal basis |
---|---|---|
Audience experience – the core purpose | Data processor | Performance of contract (Art. 6(1)(b) GDPR) and “cookie” consent (Art. 5(3) of e-Privacy directive) |
Billing & Accounting | Data processor | Compliance with legal obligation (Art. 6(1)(c) GDPR) |
The above overview of purposes of processing is a default (expected) overview by the template data processing agreement (“DPA”) Piano Software, Inc. concludes (as a processor) with the Publisher. As a data processor, it is not our responsibility to determine the purpose and legal basis of processing via Piano Software. However, given the fact that the core functionality and business purpose of Piano Software is generally the same throughout different Publishers, we came up with the above default legal setting so that both us and the Publishers can more efficiently manage compliance with the GDPR in respect to Piano Software.
In practice, how does this work for users? For unregistered users/anonymous users: cookies consent based on setting of the web browser “allow cookies”. We recommend that the relationship between the Publisher and the user (unregistered and registered) is defined by contract performance in the publisher’s Terms and conditions. We expect that as soon as the user lands on Publisher’s site, there are certain terms and conditions in place that govern rights and obligations of both the user and the Publisher when using the site. We recommend that the Publisher’s obligation under these terms and conditions is drafted in a way that using Piano Software (and similar technologies) is part of Publisher’s contract performance. If the registered user changes privacy setting of its web browser to “do not allow cookies”, Piano loses the link of the browser to an individual. As such data is in effect erased as the data is no longer personal data but rather anonymised.
The decision of which legal basis to use for data processing rests with you as the data controller, and requires careful consideration and understanding of the law and the particulars of your operation. Consult with your legal counsel or data protection officer.
We will briefly describe the two options below to get you started.
Individual user consent is the least legally risky option, and the most generally applicable legal basis for the data processing activities. Individual informed consent from your users is a strong legal basis for collecting and processing personal data with the services provided by Piano DMP, Piano Insight, Piano CCE platform.
Piano DMP, Piano Insight, Piano CCE platform services in and of themselves are not particularly more likely to require consent than other offerings in the DMP and personalization space, and customers should assess the entirety of their data processing activities when deciding about the legal basis for their operation.
Piano DMP, Piano Insight, Piano CCE platform supports serving users with individual user consent, but this may require implementation changes on the site where the Piano DMP, Piano Insight, Piano CCE platform cx.js tag is deployed. See below for more details.
When a data processing activity is compellingly justified by a legitimate interest of the data controller and care is taken to consider and protect people’s rights and interests, article 6(1)(f) may be an applicable legal basis for processing of personal data under the GDPR.
This legal basis puts a legal burden on the controller to demonstrate their interest in the processing and require a careful balancing of the legitimate interest and necessity of the processing in achieving that interest, and the individual’s interests, rights and freedoms.
When considering this balance, be aware that the user interest profile generation functionality of the Piano DMP, Piano Insight, Piano CCE platform constitutes a type of personal data processing that may be difficult to justify with legitimate interest as a legal basis.
Despite these hurdles, this is a very attractive option for one simple reason: Not all users are likely to consent to having data about them collected and processed. This must be weighed against the legal risks of non-compliance.
Where Piano DMP, Piano Insight, Piano CCE platform is used for a processing activity and purpose justified by a legitimate interest, the existing cx.js tag may be used without further modification.
To ensure that the Piano DMP, Piano Insight, Piano CCE platform services process personal data by consent only, there are broadly speaking two options:
Only serve the site or page to users who have given their consent in advance. This could apply to a site where registration and agreement to terms of service is a prerequisite for access to the service, such as an organizational intranet or a subscriber-only section of a news site. Note that this is likely not an acceptable solution in the majority of cases where a site is accessible to the public and can function even if some personal data processing activities, such as personalised advertisements, are avoided.
Migrate to the consent-aware version of the Piano DMP, Piano Insight, Piano CCE platform tag, which avoids processing personal data for a given purpose unless a script call has been made to declare that the user has consented to that particular processing.
Depending on the site, its audience, and the nature of personal data submitted to the Piano DMP, Piano Insight, Piano CCE platform this choice may require careful consideration of the GDPR’s requirements for a request for consent to be specific about the type of data processing that will be performed and that it be granular, allowing a person to opt in for each distinct purpose.
When the use and processing of personal data is justified by a legitimate interest of the data controller, or when individuals have given consent to data processing before a page is loaded, processing of personal data may happen when the page is loaded with no further input from the individual. In this case the existing mode of operation of the Piano DMP, Piano Insight, Piano CCE platform tag will not infringe on the GDPR.
For sites basing their processing on individual informed consent, this would apply when access control and existing agreements ensure that users have already consented to the type of processing performed by Piano DMP, Piano Insight, Piano CCE platform on your behalf. Note that simply having access control and a terms of service agreement click-through may not give sufficient options for users to opt in to specific types of processing. Consult with your legal counsel to determine if this approach is viable.
Piano DMP, Piano Insight, Piano CCE platform supports these specific types of processing purposes that can be opted in to by a user. Each is identified in the Piano DMP, Piano Insight, Piano CCE platform script tag by a short single-quoted name.
‘pv’ - Page view tracking, DMP event tracking and browsing habit collection to understand a user’s interests and profile.
‘recs’ - Personalisation of content recommendations and suggested content based on user interests and browsing habits.
‘segments’ - Audience segmentation - processing of browsing habits and first party data to include users in specific audience segments.
‘ad’ - Targeting advertising based on browsing habits and audience segmentation.
‘device’ - Collection of device information (user agents, other device-specific data).
‘geo’ - Any geolocation data that is collected or derived from other data points, such as IP addresses.
Note that 'recs', 'segments' and 'ad' depend on the first kind of processing to be applicable - without tracking browsing there will be no data available to base personalisation of content on, nor any data to determine which audience segment(s) a person belongs to, or to target advertisements based on.
Personalization of content recommendations is not normally considered targeted advertisement, but depending on customer use cases and the content surfaced using recommendations, this may not be the case.
Audience segmentation is commonly used to target advertising, but not always, and so is kept as a separate consent opt-in for technical reasons, but it may not necessarily be a specific data processing purpose that requires its own opt in - the use case for audience segmentation on your site(s) is the determining factor here - personalizing the user’s experience based on audience segment membership may not necessarily be considered ads targeting. Unless, of course, the nature of the personalized experience appears to be marketing.
Targeted advertising is a clearly flagged separate data processing purpose in the GDPR. Be careful to separate a request for consent to target advertisements from other opt-in options.
Data subject rights/obligations | Ref. | Audience experience | Billing and accounting |
---|---|---|---|
Information obligation | Art. 13 GDPR | Yes, via Publisher’s privacy policy or similar notice | |
Right of access | Art. 15 GDPR | Yes, based on request | |
Right to rectification | Art. 16 GDPR | Yes, under certain conditions | |
Right to erasure | Art. 17 GDPR | Yes, under certain conditions | |
Right to restriction | Art. 18 GDPR | Yes, under certain conditions | |
Right to data portability | Art. 20 GDPR | Yes, just based on request but only in respect of data provided by the user | No |
Right to object | Art. 21 GDPR | No | No |
Right not to be subject to an automated individual decision-making | Art. 22 GDPR | Yes | |
Data protection by design & by default | Art. 25 GDPR | Yes in all cases. This is controller obligation | |
Appropriate security measures (TOMs) | Art. 32 GDPR | Yes in all cases | |
Detection and communication of data breach | Art. 33 GDPR | Yes in all cases | |
As a data processor we shall according to the Art. 28(3)(g) GDPR: “taking into account the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III”. We ensure this as is explained below:
When applicable, Piano will provide the Data Controller with a My Account widget that allows the user to access their private data that Piano processes.
Piano will provide the Data Controller with a My Account widget that allows the user to correct their private data that Piano processes.
An anonymous data subject will be qualified as erased when they delete any Piano cookies. For data subjects where Piano stores registration information, that information shall be erased where possible.
On a case by case basis, Piano will ensure that data is restricted.
Piano provides a My Account widget where the user can access their data in order to download it. This refers to data actively provided by the data subject on registration forms. In addition, the Data Controller has access to the user profile through the user dashboard.
Piano DMP, Piano Insight, Piano CCE platform tracks page view and other behavioral events which constitute personal data. These events are used to produce statistics, user profiles and content profiles. With these statistics and profiles, we personalize individuals’ experiences with our customers’ content and targeted marketing.
The page view events collected by Piano DMP, Piano Insight, Piano CCE platform are sent from users’ devices by embedding a Piano DMP, Piano Insight, Piano CCE platform tag on customers’ web pages. This tag collects a set of Piano DMP, Piano Insight, Piano CCE platform cookies, device information, and site visit information. While no directly personally identifiable data is collected here, it is possible to include directly identifying information via custom parameters provided by customers’ code. In any case, this data is considered personal due to the pseudonymous identifiers included.
DMP events submitted to the Piano DMP platform may contain arbitrary data, although commonly used data types include gender and age group information, pseudonymised subscriber identifiers, and other first party data relevant to targeting personalised experiences or advertising.
These events, combined with data collected from customers’ web sites, are used to build aggregated user interest profiles and audience segments which in turn are used to serve personalised content, tailor user experiences to the user, or serve targeted advertisements.
Piano DMP, Piano Insight, Piano CCE platform maintains a registry of Data Processing Activities as mandated by the GDPR and reports from this registry are available to our customers to document and audit the data processing activities performed by Piano DMP, Piano Insight, Piano CCE platform on behalf of our customers.
The Piano DMP, Piano Insight, Piano CCE platform tag itself does not request consent directly from the user, as this would lead to a disruptive experience on the site. Rather, the Piano DMP, Piano Insight, Piano CCE platform script exposes a set of new functions to selectively enable functionality for the purposes which a user has opted-in.
The API and behavior changes have been designed to be backwards compatible, such that an unchanged tag continues to work as before. Only by explicitly enabling the consent awareness functionality will the tag avoid processing personal data until consent has been affirmatively given.
Initializing the Piano DMP, Piano Insight, Piano CCE platform tag with consent requirement awareness is done by declaring cX as an object with {options: { consent: true }}. Alternatively, a function call to requireConsent() can be placed in the call queue, above any other functions.
If there are multiple Piano DMP, Piano Insight, Piano CCE platform tag invocations on the page, we recommend starting all of these invocations with the preamble that enables consent awareness, to avoid having the load order of the tags influence the behavior of the tag.
These are the new functions:
requireConsent(): This has the same function as initializing the cX object with the options field mentioned above, and may be used interchangeably, or if the consent functionality should be enabled only after some processing justified by a legal basis other than consent has taken place.
isConsentRequired(): Returns true if the Piano DMP, Piano Insight, Piano CCE platform tag is set to be consent-aware.
setConsent(types, options): Flags to the Cxense tag that the user has opted in to particular type(s) of processing, enabling that functionality in the Piano DMP, Piano Insight, Piano CCE platform script. The types of processing a user has opted in to are stored in the browser’s local storage to enable quick resumption of processing in subsequent page views without requiring new setConsent calls. The “types” object may contain fields named ‘pv’, ‘segments’, ‘recs’ and ‘ad’, each with a value of true or false to enable or disable the particular type of operation according to user consent. The options object may contain a ‘runCallQueue’ field, which, if true, will cause cx.js to submit any earlier consent-blocked event data to the Piano DMP, Piano Insight, Piano CCE platform.
hasConsent(type): returns true if the specific consent is registered in local storage.
The Piano DMP, Piano Insight, Piano CCE platform has prepared technology for dealing with Data Subject Rights in the GDPR to ensure that we can support our customers’ obligation to let individuals access and take their data out and to have their data removed. This process and the internal tools developed to support it are designed to ensure that the compliance deadlines in the GDPR can be consistently met.
The specific data subject right functionality we will offer direct integration for is:
Requesting removal of personal data from the Piano DMP, Piano Insight, Piano CCE platform. An API to file such a request will be available on api.cxense.com at the /personal/deleterequest/create endpoint.
Retrieving a copy of all personal data associated with a device/user identifier from the Piano DMP, Piano Insight, Piano CCE platform, in a machine readable format. This API will be published at api.cxense.com/personal/deleterequest/read
These APIs will be documented on the Piano DMP, Piano Insight, Piano CCE platform API documentation site, and are not covered in further detail here.
We will not offer a separate API for rectification, as existing APIs include functionality for updating externally supplied data.
In addition, we support clearing personal identifiers from a device through a new function clearIds(), which can be used to ensure that personal data stored in the Piano DMP, Piano Insight, Piano CCE platform cannot be retrieved using a device’s cookies after a user has logged out.
Piano carefully addresses GDPR defined security measures by the pseudonymisation and encryption of personal data; maintaining a detailed DRP to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services which in turn allows Piano to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. Piano maintains a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Piano DMP, Piano Insight, Piano CCE platform technology is most commonly deployed on our customers’ or their partners’ web sites, using the Piano DMP, Piano Insight, Piano CCE platform “cx.js” JavaScript tag.
In its default state, the Piano DMP, Piano Insight, Piano CCE platform tag will submit pageview data to the Piano DMP, Piano Insight, Piano CCE platform as soon as the page is loaded and immediately submit any DMP data as soon as the script function is invoked on the site. Content recommendation widgets and ads will also be loaded as soon as possible when the call queue is processed or any insertWidget or insertAdSpace calls are made. This constitutes processing of personal data.
As an example a simple consent-aware Piano DMP, Piano Insight, Piano CCE platform tag starts like this:
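```javascript
// Enable consent awareness before cx.js processes anything.
var cX = window.cX || { options: { consent: true }};
cX.callQueue = cX.callQueue || [];
cX.callQueue.push(['setSiteId', '1141829794503140426']);
// Held back until 'pv' consent is registered.
cX.callQueue.push(['sendPageViewEvent']);
// requestConsent is a function implemented by the site.
cX.callQueue.push(['invoke', requestConsent]);
```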
If you are a legacy (previous Cxense) client and are now taking part in the Composer 1X rollout, you would need to update your existing consent-aware tags. Please follow instructions here
The requestConsent function is a function to be implemented by the site and should check if a user consent is already in place with the Piano DMP, Piano Insight, Piano CCE platform tag using hasConsent(type). If it is not already set, then display a Consent request dialog, or if the user is logged in, perhaps check with the site backend if the user has already given consent. If a user consents to a type of processing, invoke the setConsent(type, options) function to enable that functionality.
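```javascript
function requestConsent() {
  // Ask only when 'pv' consent is not already registered with the tag.
  if (!cX.hasConsent('pv') && confirm('Do you give consent?')) {
    // Record the opt-in and submit the events queued while consent was missing.
    cX.setConsent({ 'pv': true }, { runCallQueue: true });
  }
}
```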
The 'device' and 'geo' flags are only active if the "consent version" is set to "2". You can do this by specifying on initialization:
```javascript
var cX = window.cX || { options: { consent: true, consentVersion: 2 }};
```
or by calling cX.requireConsent(2).
You will be able to set consents for 'device' and 'geo' just like other consent flags:
```javascript
cX.setConsent({ 'device': true, 'geo': true });
```
Page view events
Page view events and DMP events queued in the callQueue before ‘pv’ consent is in place will not be sent to the Piano DMP, Piano Insight, Piano CCE platform right away. However, if consent is granted, the queued events will be dispatched if the runCallQueue option is included with the setConsent call in the call queue, like this: cX.setConsent({'pv': true}, { runCallQueue: true }). If 'pv' consent is not granted, the identity will not be used for recording statistics about the performance of content widgets, even if 'recs' consent is granted.
If the tag is opted-into using the 'device' and 'geo' flags:
Without the 'device' consent, user agent and browser information will not be stored in page view events.
Without the 'geo' consent, any geolocation data will be removed and there will be no geolocation lookups based on IP address.
Audience segmentation
If ‘segments’ consent is not in place, the getUserSegmentIds call will return an empty set of segments. Browsing habit data submitted without segment consent will not be included in audience segment generation.
Personalisation
If ‘recs’ consent is not in place, the user's personal data will not be processed for the purposes of serving personalized content. This means that content widgets will not be personalised, but the API will still serve content recommendations based on non-personal data such as the page context and traffic trends. If 'pv' consent is not granted, the identity will not be used for recording statistics about the performance of the content widget.
If the tag is opted-into using 'device' and 'geo' flags:
Without the 'device' consent, no user-agent information will be used for content recommendations or CCE campaigns. Practically, it means that if a widget has a condition that depends on specific user-agent data, it will instead use any defaults that are defined for the widget.
Without the 'geo' consent, there will be no geolocation lookups based on IP information. Practically, if a widget depends on making recommendations based on location, it will instead use a fallback.
Targeted advertising
If ‘ad’ consent is not in place, ad space insertion calls will do nothing. Ad spaces will not be inserted.
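As an added example (not Piano's code), one way a site could turn the answers from its consent dialog into the setConsent call described above: default-deny, 'device' and 'geo' only with consent version 2, and the blocked call queue flushed only when 'pv' is granted. The helper names and the fake cX object are assumptions made so the example runs outside a browser; recording a dependent purpose as denied when 'pv' is refused is a choice of this example, not documented cx.js behaviour.

```javascript
// Added example: site-side consent handling for a consent-aware cx.js tag.
// buildConsentTypes, applyConsent, makeFakeCx and demo are hypothetical names;
// only setConsent, hasConsent, runCallQueue and the purpose names are from the page.

const DEPENDS_ON_PV = ['recs', 'segments', 'ad']; // rely on 'pv' browsing data
const V2_ONLY = ['device', 'geo'];                // active only with consent version 2
const ALL_PURPOSES = ['pv', ...DEPENDS_ON_PV, ...V2_ONLY];

// Turn raw dialog answers into the `types` object passed to setConsent.
// Anything not answered with a literal `true` is recorded as denied, so a
// missing or malformed answer never enables processing.
function buildConsentTypes(choices, consentVersion) {
  const types = {};
  const downgraded = [];
  for (const purpose of ALL_PURPOSES) {
    if (V2_ONLY.includes(purpose) && consentVersion !== 2) continue;
    types[purpose] = choices[purpose] === true;
  }
  // Choice of this example: a purpose that depends on 'pv' is recorded as
  // denied when 'pv' itself is denied, and reported back so the dialog can
  // tell the user why.
  if (!types.pv) {
    for (const purpose of DEPENDS_ON_PV) {
      if (types[purpose]) {
        types[purpose] = false;
        downgraded.push(purpose);
      }
    }
  }
  return { types, downgraded };
}

// Register the decision with the tag. Events queued while consent was missing
// are only released (runCallQueue) when 'pv' has actually been granted.
function applyConsent(cx, choices, consentVersion) {
  const { types, downgraded } = buildConsentTypes(choices, consentVersion);
  if (types.pv) {
    cx.setConsent(types, { runCallQueue: true });
  } else {
    cx.setConsent(types);
  }
  return { types, downgraded };
}

// Constructed stand-in for the cX object so the example runs offline.
// It only records calls; it does not reproduce cx.js internals.
function makeFakeCx() {
  const stored = {};
  const calls = [];
  return {
    calls,
    setConsent(types, options) {
      Object.assign(stored, types);
      calls.push({ types, options });
    },
    hasConsent(type) {
      return stored[type] === true;
    },
  };
}

// Constructed sample answers: 'recs' granted without 'pv', a malformed 'ad'
// answer, and 'geo' granted under consent version 2.
function demo() {
  const cx = makeFakeCx();
  const result = applyConsent(cx, { recs: true, ad: 'yes', geo: true }, 2);
  return {
    types: result.types,
    downgraded: result.downgraded,
    queueFlushed: cx.calls[0].options !== undefined,
  };
}

console.log(JSON.stringify(demo()));
```

In a browser, the real cX object would be passed in place of the stand-in, with the function run through the call queue as the page describes for requestConsent.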
Piano maintains an incident response plan which governs the communication and process in the case of a data breach. Contractually this is covered between Piano and all publishers, in the MSA.
Fulfilling our privacy and data security commitments is important to us. So we’re glad to help you prepare for all the changes the GDPR brings. This page will be revised to reflect GDPR-related information as it becomes available. If you have any questions about how Piano Software can help you with compliance, we hope you’ll reach out to us.
To support delivery of our Services, Piano Software, Inc. (or one of its Affiliates listed below) may engage and use data processors with access to certain Customer Data (each, a "Subprocessor"). This page provides important information about the identity, location and role of each Subprocessor. Terms used on this page but not defined have the meaning set forth in the Customer Terms of Service or superseding written agreement between Customer and Piano (the "Agreement").
Piano Software currently uses third party Subprocessors to provide infrastructure services, and to help us provide customer support and email notifications. Prior to engaging any third party Subprocessor, Piano Software performs diligence to evaluate their privacy, security and confidentiality practices, and executes an agreement implementing its applicable obligations.
Piano Software may use the following Subprocessors to host Customer Data or provide other infrastructure that helps with delivery of our Services:
Entity name | Subprocessing activities | Entity country | Products |
---|---|---|---|
Amazon Web Services, Inc. | Cloud Service Provider | United States | Composer, VX, ID, ESP |
Google Inc. | Cloud Service Provider | United States | Composer, VX, ID, ESP |
Microsoft Azure | Cloud Service Provider | United States | ESP |
SoftLayer Technologies, Inc. | Data center provider | United States | Piano DMP, Piano Insight, Piano CCE |
Hetzner Online GmbH | Data center provider | Germany | Piano DMP, Piano Insight, Piano CCE |
Packet Host, Inc. | Data center provider | United States | Piano DMP, Piano Insight, Piano CCE |
Piano Software may use the following Subprocessors to perform other Service functions:
Entity name | Subprocessing activities | Entity country | Product |
---|---|---|---|
Zendesk, Inc. | Cloud-based Customer Support Services | United States | Composer, VX, ID, ESP, Piano DMP, Piano Insight, Piano CCE |
MailChimp, Rocket Science Group | Cloud-based Email Notification Services | United States | ESP |
Google Inc. | Cloud Service Provider | United States | Composer, VX, ID |
Braintree | Payment Provider | United States | Composer, VX, ID |
Mode Analytics | Analytics Visualizations | United States | Composer, VX, ID |
Survey Gizmo (Strategy Services Clients Only) | Survey Collection for Strategic Consulting | United States | Strategic Services Clients Only |
Google Ireland, Ltd. | Data backup storage | Ireland | Piano DMP, Piano Insight, Piano CCE |
Enreach Solutions Oy | Data segmentation provider | Finland | Piano DMP, Piano Insight, Piano CCE |
Creative Software | Global technical support team | Sri Lanka | Piano DMP, Piano Insight, Piano CCE |
OOO "Pi-Tech" | Software development and data center operations | Samara, Russia | Piano DMP, Piano Insight, Piano CCE |
Piano Software has offices located around the globe which, depending on the service a publisher requires, will process that data. These entities are listed below:
Entity name | Entity country |
---|---|
Piano Software, Inc. | United States (based on SCC) |
Piano Software, s.r.o. | Slovakia (EU) |
Newzmate Sp. z o.o. | Poland (EU) |
Piano Software B.V. | Netherlands (EU) |
Piano Software Norway NUF | Norway (EEA) |
Piano Co. Ltd. | Japan (adequate third country based on Commission Adequacy Decision) |
As our business grows and evolves, the Subprocessors we engage may also change. We will endeavor to provide the owner of Customer’s account with notice of any new Subprocessors to the extent required under the Agreement, along with posting such updates here. Please check back frequently for updates.
Archive of GDPR
GDPR – Effective from Dec 1, 2020
GDPR – Effective from Jun 24, 2020
GDPR – Effective from Apr 01, 2019
GDPR – Effective from Feb 15, 2019
GDPR – Effective from May 23, 2018
Notifications should be sent to the following:
Piano Software, Inc.
111 S Independence Mall East, Suite 950
Philadelphia, PA 19106
Email: security@piano.io