Privacy & Security FAQ
Looking to understand how GoTo approaches privacy and security? Here are answers to some of our most frequently asked questions:
GoTo maintains robust security and privacy certifications, which you can learn more about on our security page here. However, they do vary from product to product. If you are looking for a certification tied to a specific product, you can find more information using the filter provided on our product resources page.
Yes. As a global Software-as-a-Service provider, we have many customers and users subject to the GDPR, which means that its applicable requirements apply equally to us. To find out more about how GoTo meets GDPR and other privacy requirements, please visit the privacy page.
To paraphrase the formal GDPR text: (a) a Data Controller is the owner of their information and decides how that information should be used; and (b) a Data Processor is a person or entity who processes the personal data of the Data Controller and carries out instructions of the Controller regarding this data.
Generally speaking, our customers will be the Controllers of their Content (as the term is defined in our Terms of Service), including any associated personal information they place or generate in our systems, and GoTo will be the Processor on their behalf. In some limited and disclosed instances, such as when we collect data from a customer to create an account, GoTo will be the Controller. Formal definitions from the GDPR full text can be found here.
No. There is nothing in the current GDPR regulation that prevents or suggests this requirement. The GDPR does outline that Data Processors must protect personal data appropriately, regardless of where it is stored. Further, the GDPR does not invalidate or override the EU Model Clauses (which are part of GoTo's GDPR-compliant DPA), which are a valid mechanism to ensure the legal transfer of personal data into and out of the EU.
Customer Content storage locations (and geo-residency functionality) will vary from product to product. To find out more about your specific product, please consult the Sub-processor Disclosures available on the applicable product resources page. We strongly encourage you to review our Technical and Organizational Measures (TOMs), also found on our product resources page, to find out more about specific product features such as data residency.
Note that while GDPR does require certain safeguards and principles be considered when handling personal data, there is no requirement for EEA data or EU data to be stored solely in Europe. Please consult the privacy pages of our Trust Center for further details on how GoTo maintains appropriate personal data transfer mechanisms.
Many of our products offer self-service options for Content deletion. Our global hosted offerings have defined retention periods after which Content and relevant account information are generally removed following account cancellation, termination/expiration, or, for free products, after inactivity. Please check the relevant Technical and Organizational Measures (TOMs) document, found on our product resources page, for specific details for each of our global offerings. To the extent self-service is not offered, please contact our Support team for assistance.
We encourage you to check for self-service deletion capabilities, which is the quickest way to ensure your data has been deleted. If your product does not offer self-service capabilities and you have sent a request for account deletion to our Support team, you will receive confirmation once that deletion has occurred. Otherwise, deletion will occur per our standard retention periods. Please check the relevant Technical and Organizational Measures (TOMs) document, found on the product resources page, for more details.
If you are using the current version of our hosted products, yes, it is compliant. As a general best practice, checking regularly for updates (or enabling auto-updating, where available) to the extent that there are components or executables on your machine (e.g. LastPass browser extensions) will ensure that you are using the most up-to-date versions of our software.
GoTo's global hosted product offerings have built-in data retention and deletion periods and some products offer self-service deletion capabilities. Please check the product-specific Technical and Organizational Measures (TOMs) document, found on the product resource page, for more details. As always, you may also request content and account deletion at any time.
The DPA incorporates industry standard privacy and regulatory terms to meet comprehensive data privacy requirements for our global customers, including those required by GDPR: (a) under Article 28 (details of data processing, sub-processor disclosures, etc.); (b) to permit lawful transfer under Chapter 5 of the GDPR through execution of EU Standard Contractual Clauses (also known as the EU Model Clauses) and (c) GoTo's technical and organizational measures.
GoTo utilizes multiple co-location facilities to ensure optimal service availability and reliability. For global services utilizing co-location facilities, active-active redundant data centers are typically used within the same geographic region. For specific products, geo-residency functionality may be offered. To learn more, please check the product-specific Technical and Organizational Measures (TOMs), found on the product resources page, for more details.
Please refer to our Data Processing Addendum, found on our Legal page, for more information on the subject matter, duration, nature and purpose of processing, as well as the type of personal data and categories of data subjects.
NOTE: The above information is provided by GoTo for informational purposes only and is not intended to serve as legal advice. You should contact your attorney to obtain advice with respect to any security, privacy or compliance questions, issues or problems.