Dropcontact Data Privacy & Security Overview
How does Dropcontact approach data security and privacy?
Data security and privacy are core principles at Dropcontact. Our services are designed to comply with applicable data protection regulations, including the General Data Protection Regulation (GDPR), and are governed by documented security policies, contractual safeguards, and independent audits. Dropcontact applies privacy by design and by default, ensuring that security and data protection are embedded throughout the lifecycle of our services.
How can Dropcontact's compliance be demonstrated?
Dropcontact is the only B2B contact data enrichment solution to have been audited by the CNIL, France's data protection authority, widely regarded as one of the most stringent worldwide. The audit included full access to Dropcontact's servers, stored data, and source code.
Key legal documents:
- The Dropcontact Data Processing Agreement (DPA)
- The Dropcontact Privacy Policy
- Independent security audits (CASA Validation): excerpt is available upon request at data@dropcontact.io
What is Dropcontact's role under GDPR?
Depending on the context, Dropcontact acts as:
- A data processor (subcontractor) when processing personal data on behalf of its customers as part of its enrichment, correction, and data quality services, in accordance with the Dropcontact Data Processing Agreement (DPA).
- A data controller for limited personal data related to its own clients, prospects, suppliers, and website users, as described in the Dropcontact Privacy Policy.
Why is Dropcontact GDPR-compliant by design?
The emails and data provided by Dropcontact are processed in full compliance with the General Data Protection Regulation (GDPR).
Unlike most solutions on the market, Dropcontact does not use or store any contact database, whether purchased, scraped, or contributed by users. Our proprietary algorithms generate results in real time using only first name, last name, and company name as input. The result is generated dynamically, and we don't retain or reuse any contact data after processing. We don't sell leads: instead, we enrich the contact data you already have.
All processing is done on European servers, and no personal data is stored. This ensures maximum compliance, transparency, and security, while also keeping the information fresh and accurate and achieving a high data enrichment rate.
What types of data does Dropcontact process?
Dropcontact processes professional (B2B) contact data only. Categories of personal data processed include:
- First and last names
- Company names
- Job titles and professional roles
- Business-related contact details, such as professional email addresses and LinkedIn profile URLs
Dropcontact does not process sensitive personal data as defined under Article 9 of the GDPR.
For what purposes is data processed?
Personal data is processed solely for the performance of the contracted services, including:
- Cleaning, correcting, and standardizing contact data
- Enriching professional contact information
- Synchronizing and updating contact details
- Detecting and merging duplicates
Processing is carried out strictly in accordance with the documented instructions of the data controller.
How does Dropcontact secure personal data?
Our service's overall security is governed by our Information Security Policy, which covers access management for IT infrastructure, encryption key management, system and software updates, network security configuration, and incident management.
Dropcontact implements appropriate technical and organizational security measures, including:
- Secure development lifecycle with code reviews and peer validation
- Strong authentication policies, including password requirements (NIST SP 800-63) and two-factor authentication (2FA)
- Access control and role-based segregation
- Encryption of data in transit using SSL/TLS protocols
- Logging and monitoring of system and access activity
- Ongoing security awareness and staff training
These measures are designed to preserve the confidentiality, integrity, and availability of personal data.
Does Dropcontact undergo independent security audits?
Yes. Dropcontact undergoes an annual external security audit: CASA Validation Report. The audit includes:
- Penetration testing
- Review of security processes
- Verification of security documentation
Audit documentation may be made available upon request and subject to confidentiality obligations.
Where is data hosted?
Personal data processed by Dropcontact is hosted on servers located within the European Union. Dropcontact relies on infrastructure providers with servers in the EU.
Are sub-processors used?
Yes. Dropcontact uses a limited number of authorized sub-processors, all contractually bound to provide appropriate security and data protection guarantees. Currently authorized sub-processors include:
- Amazon Web Services (AWS)
- Scaleway
- OVH
Customers are informed in advance of any planned changes to sub-processors and have the right to object within the timeframe defined in the DPA.
How does Dropcontact handle data breaches?
In the event of a personal data breach, Dropcontact:
- Notifies the data controller without undue delay and no later than 72 hours after becoming aware of the breach
- Provides the information necessary to enable the data controller to meet its regulatory notification obligations
This process is defined in the Dropcontact DPA.
Is Dropcontact ISO 27001 or SOC 2 certified?
Dropcontact is not currently certified under ISO/IEC 27001 or SOC 2. However, Dropcontact undergoes an annual independent security audit: CASA Validation Report. This audit covers:
- Penetration testing
- Review of security and access control processes
- Validation of security documentation and operational practices
In addition, Dropcontact relies exclusively on Amazon Web Services (AWS) as its infrastructure provider. AWS is fully compliant with internationally recognized security standards, including ISO/IEC 27001 and SOC 2 (Type II). No other third-party infrastructure providers are involved in the delivery of the service. Dropcontact's security program is designed in alignment with industry best practices reflected in these standards, and its security posture is continuously reviewed and improved through regular audits and internal controls.
How are data subjects' rights handled?
Dropcontact assists data controllers, where applicable, in responding to requests to exercise data subjects' rights, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
Requests received directly by Dropcontact are forwarded to the relevant data controller without delay.
Who can be contacted for data protection or security questions?
For data protection and privacy-related inquiries, Dropcontact can be contacted at: data@dropcontact.io