GDPR Compliance

Last updated: April 18, 2019

The General Data Protection Regulation (“GDPR”) seeks to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, share, and eliminate personal data. It will have a significant impact on businesses around the world.

Conga's commitment to the rights and freedoms of individuals under GDPR

Conga is excited about the GDPR and the strong data privacy and security principles that it emphasizes, many of which Conga instituted long before the GDPR was enacted. At Conga, we believe the GDPR is an important milestone in the data privacy landscape, and we are committed to maintaining compliance with the GDPR and to supporting the rights and freedoms of individuals and their control over their personal data.

What has Conga done to ensure compliance with GDPR?

Conga’s GDPR preparation started more than a year ago, when we assembled an internal cross-functional team and began reviewing (and updating where necessary) our policies, processes, procedures, data systems, and documentation to ensure our capability to meet our obligations both where we act as a data controller on our behalf and when we act as a data processor for the information our customers process when using Conga services. While much of our preparation happened behind the scenes, we also worked on many initiatives that are visible to our customers. We have, among other things:

Implemented a governance structure and assigned responsibility for data privacy to a specific individual

While, the scope and nature of processing provided by Conga’s service(s) do not meet the criteria necessary to mandate a Data Protection Officer (“DPO”) be appointed, Conga did create a role dedicated to managing its Privacy Program, vice president of privacy and compliance in 2018. This role’s specific mandate is to continue to foster and expand our culture of data protection by design and by default, conduct enterprise privacy risk assessments, engage leaders across the Conga enterprise to provide privacy guidance; communicate accountability for privacy practices, and management of the program in its entirety. This role regularly reports on the health of the privacy program to executive leadership.

Revised privacy notices for transparency

We have published a revised Privacy Statement to our website and provided clear instruction when we collect information, how we use it, when we share it, and for how long we retain information. Additionally, we’ve noted the lawful bases we use to process information and provided data subjects with information on their rights and how to exercise those rights.

Contractual commitments and data processing agreements

We’ve revised our Master Services Agreement (MSA) and our Data Processing Addendum/Agreement (DPA) to include clauses expected due to the GDPR such as; assistance complying with data subject rights requests (when applicable), supervisory authority breach notice obligations, data protection impact assessments and audits, and the return or destruction of data unless otherwise required by law. Please find Conga’s DPA at the following link for your execution, if necessary: Upon request, we will review and consult with our Customer’s business-specific needs around the DPA. Please send an email to [email protected] to request a copy of Conga’s DPA or with any other DPA related questions.

Processing according to data controller instructions

Any data that a customer and its users submit to Conga’s Services will only be processed in accordance with the customer’s instructions, as described in our current as well as our GDPR-updated data processing agreements. When you entrust your data and processing with the Conga services, you remain the sole owner of all data stored or processed within our services.

Data return and deletion

In most Conga Services, customers control the ability to delete data according to their data retention and destruction policies. At the termination of any customer engagement, we support a customer’s instruction to return or destroy all data.

Personnel confidentiality commitments & privacy training

At Conga, staff must regularly (not less than annually) complete information security training. We have supplemented this regular training with GDPR specific and general privacy awareness training content. In addition to these training requirements, Conga conducts ongoing awareness communications on a variety of topics, including, phishing, information security, and privacy. Furthermore, all Conga employees are required to sign a confidentiality agreement that survives beyond the employment relationship.

Use of subprocessors

Conga and our affiliate companies sometimes utilize third-party suppliers to assist us with supplying Conga services to our customers. The Conga team has reviewed existing suppliers who may have access to the infrastructure where personal data is processed, or the personal data itself, and have updated current contracts with stronger provisions where necessary. Additionally, we have enhanced our third-party risk management programs to address specific GDPR concerns and requirements going forward, such as the inclusion of specific clauses in contractual obligations and strengthening our due diligence processes to account for more stringent expectations. To find more information on Conga’s Subprocessors, please refer to our Subprocessor’s list.

International data transfers

The European Commission and the GDPR recognize several mechanisms to facilitate the lawful transfer of personal data outside the European Economic Area (EEA) including Standard Contractual Clauses/Model Clauses, adequacy decisions and the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. Conga has self-certified to both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield regimes and lawfully transfers EU/EEA personal data to the U.S. pursuant to our Privacy Shield Certification or Data Protection Agreements (incorporating the Standard Contractual Clauses/Model Clauses) as applicable.

Records of data processing activities

Conga’s Privacy Office has procured applications to assist in the management of our privacy program and implemented systems and processes to maintain records of data processing, data inventories and data flows suitable to demonstrate compliance with our obligations under Article 30 of the GDPR.

Embedding data privacy into operations

We have reviewed and updated our policies and Information Security Risk Assessments to include expanded personal data definitions and new privacy program requirements. We are and will continue to look at ways of improving our systems and procedures to better comply with data protection and privacy best practices.

Security and compliance

Conga employs dedicated privacy, security, and compliance staff to ensure the protection of company and customer data. Our security team maintains a close watch on the entire lifecycle of our services from secure development practices to safe operational practices. While the security landscape is rapidly evolving; the Conga security team maintains close relationships with recognized security researchers to ensure we are sustaining the best in class security.

Assessments and certifications covering Conga Services below:


Conga Collaborate
  • EU – U.S. and Swiss U.S. Privacy Shield Self Certification
  • SOC 2, type II Security, Availability, and Confidentiality for the period February 1, 2018 to January 31, 2019
Conga Composer
  • EU – U.S. and Swiss U.S. Privacy Shield Self Certification
  • SOC 2, type II Security, Availability, and Confidentiality for the period February 1, 2018 to January 31, 2019
  • HITRUST Self-Assessment February, 2019
Conga Contracts
  • EU – U.S. and Swiss U.S. Privacy Shield Self Certification
  • SOC 2, type II Security, Availability and Confidentiality for the period February 1, 2018 to January 31, 2019
Conga Contracts for Salesforce
  • EU – U.S. and Swiss U.S. Privacy Shield Self Certification
  • SOC 2, type II Security, Availability, and Confidentiality for the period February 1, 2018 to January 31, 2019
Conga Sign
  • EU – U.S. and Swiss U.S. Privacy Shield Self Certification
  • SOC 2, type II Security, Availability, and Confidentiality for the period February 1, 2018 to January 31, 2019

GDPR Certifications


More information

If you have specific questions about the GDPR and your use of Conga services, you can contact our Privacy Office at:

AppExtremes, LLC dba Conga
P.O. Box 7839
Broomfield, CO 80021
[email protected]