Compliant-first data

 Yes. In case of a security incident or breach, we will notify our clients immediately, and in no event later than 72 hours as from when the incident occurred.

Yes, we screen our telephone database against multiple Do Not Call (DNC) registries around the world, including the DNC lists in the UK (TPS and CTPS), US, Australia, New Zealand, Germany, France, Ireland, Canada, Spain, Portugal, Croatia, Sweden and Belgium. This ensures that any phone number obtained from Cognism’s system is safe for outreach.

We are also working to register in other DNC registries around the world. 

Yes. All our employees need to take information security and compliance trainings when onboarding with the company, and these trainings are repeated on an annual basis.

• We are ISO 27001 & ISO 27701 certified
• We are certified SOC2 type II compliant
• Cognism is a member of the Data and Marketing Association

We generally keep the data collected inside the European Economic Area (EEA). If the data is to be transferred outside of the EEA, we transfer the minimum amount of data necessary,  anonymise it where possible and we have agreements in place with those parties which include standard data protection clauses to ensure that appropriate safeguards are in place to protect the personal data in accordance with our Privacy Policy and the European levels of data protection.

We collect, process, and share our data under the lawful basis of legitimate interest, as allowed under Section 6.1(f) GDPR. We have conducted all relevant assessments and have adequate measures in place to ensure we can rely on such lawful basis.

Cognism uses its own database to provide the services. Therefore, data flow is normally from Cognism to our customers.

For our enrichment functionalities however, Cognism will receive limited business contact data from a customer, with the view of providing the specific customer with the most up to date contact data for those business contacts, as available in the Cognism database.  Here, Cognism matches the limited business contact data received from the customer to its database, and to the extent Cognism has any updated contact data for that particular individual, provides this to the customer. Where customers use  our enrichment functionalities, or otherwise sends Cognism any personal data to process, we have incorporated into our general terms of service a data processing agreement, which will apply to any such processing.

Under our services more generally, each party acts as an independent controller of the personal data under the services, and processes the data for their own purposes. This usually means each party is generally responsible for their own compliance with applicable law, including any applicable data privacy laws and/or regulations, as they relate to their use. Cognism stands behind its collection processes and processing, but it is important to note that customers’ processing and subsequent use of the data is usually done outside of Cognism’s control and visibility. Consequently, we would recommend customers seek legal advice prior processing and using the data.

As noted above however, where customers use any of our enrichment functionalities, Cognsim will act as a processor of the limited business contact data that customer will send Cognism, and Cognism’s processing of such business contact data will be in accordance with the data protection agreement incorporated into our general terms and conditions.

When collecting and processing data under the lawful basis of legitimate interest, some data protection laws like the GDPR require that data subjects be informed about the fact that a company- like Cognism- has their data so they can exercise any of their rights provided under such law, including, the right to opt-out of any processing.

Non exhaustively, when a company fails to comply with data privacy laws and regulations like GDPR, a warning may be issued and the company could face fines from the relevant supervisory or data protection authority, which are usually publicised.

Recent fines issued by the ICO (the UK regulator) can be found here. 

Yes. As controllers of the data to be provided by Cognism, customers must ensure they comply with all applicable laws and regulations when using the data provided by Cognism. Customers should seek appropriate legal advice prior to commencing any processing or use of the personal data. Where Customers pass on any personal data to Cognism for processing under the enrichment functionalities, Customers must ensure they have the correct lawful basis to do so, and must pass such personal data on to Cognism lawfully.

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents.

Cognism's B2B database follows data privacy best practices to build in CCPA compliance.

We do this through multiple means that broadly include (and are not limited to):

• Having in place an externally facing privacy notice in line with the applicable US laws and regulations, including the CCPA. Our US specific privacy policy has a dedicated section directed at California residents.
• Being registered as a data broker with the California Attorney General as required by the CCPA. On the Data Broker Registry website, consumers can find contact information and a website link for Cognism, as well as additional information to help them exercise their CCPA rights;
• Having two dedicated methods for consumers to submit CCPA rights requests, including a US toll-free number;
• Having procedures in place for responding to consumer rights requests, including verifying the identity of anyone who makes a request under the CCPA;
• Allowing consumers to opt-out of the sale of their data via an opt-out form on our website. Cognism respects such opt-outs, and actions these without undue delay.