As the global “work from anywhere” company, GoTo provides products that simplify how people connect with each other and the world around them. With users in nearly every country around the world, we maintain a global data privacy program designed to secure and protect the data entrusted to us by our customers, users, and end-users.
Quick Reference Guide
Global Data Privacy Program
GoTo’s data privacy program is designed to respond to today’s applicable privacy rules and regulations and takes into account many of the world’s major data protection regimes, including, but not limited to:
- Australia’s Privacy Act (1988)
- Brazil’s General Data Protection Law (LGPD)
- California Consumer Privacy Act (CCPA)
- General Data Protection Regulation (GDPR)
- United Kingdom’s Data Protection Act (2018)
TRUSTe Enterprise Privacy & Data Governance Practices Certification
GoTo has obtained the TRUSTe Enterprise Privacy & Data Governance Practices Certification to further demonstrate our ongoing commitment to data protection. To view our certification status please click here. To learn more, please visit our blog post.
APEC CBPR and PRP Certifications
Data Processing Addendum
In addition to maintaining Terms of Service and Privacy Policies designed to support and adapt to changing regulatory requirements and industry standard practices, GoTo is pleased to offer a comprehensive global Data Processing Addendum (“DPA”), available here (in multiple languages), which is designed to meet the requirements of applicable data privacy laws and regulations, including the CCPA, GDPR, and LGPD. Key features of our DPA include:
We are dedicated to ensuring that our services continue to comply with the applicable provisions of the CCPA (and the CPRA, once in effect), and that our privacy and security measures are meeting or exceeding industry standard practices. To account for CCPA, our global DPA includes: (a) definitions which are mapped to CCPA; (b) applicable access and deletion rights; and (c) warranties that GoTo will not sell our users’ ‘personal information.’
Our DPA incorporates several GDPR-focused data privacy protections, including: (a) data processing details, sub-processor disclosures, etc. as required under Article 28; (b) the revised 2021 Standard Contractual Clauses (the “SCCs”) to permit lawful transfer of ‘personal data’ under Chapter 5; and (c) the incorporation by reference of GoTo's technical and organizational measures documentation.
GoTo has taken steps designed to ensure that our Brazilian customers can benefit and use our products in compliance with the LGPD. These steps include provisions in our DPA that: (a) address GoTo’s compliance with LGPD; (b) support lawful transfers of personal data to/from Brazil; and (c) ensure that our users enjoy the same privacy benefits as our other global users.
Standard Contractual Clauses
The SCCs are standardized contractual terms, recognized and adopted by the European Commission, drafted to help ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law. GoTo’s DPA offers customers the latest SCCs, issued by the European Commission on June 4, 2021, that make specific guarantees around transfers of personal data for in-scope GoTo services as can be found here. Execution of the SCCs helps ensure that GoTo customers can freely move data from the EEA to the rest of the world.
International Data Transfers and Supplemental Measures
GoTo has designed its privacy and security programs to ensure an appropriate level of data protection and has outlined the supplemental measures and safeguards for transfers of personal data outside of the European Union, European Economic Area, and the United Kingdom in this FAQ document (also available in German).
Privacy Controls, Procedures, and Disclosures
To help ensure sufficient service availability, uptime, and redundancy to provide our global user base with the best possible experience, GoTo uses a combination of geographically distributed physical co-location facilities and cloud hosting providers that perform replication in near-real-time.
Each product makes use of different infrastructures. Therefore, product-specific data centers are identified in the applicable Sub-processor Disclosure located in the Product Resources section of our Trust and Privacy Center at https://www.goto.com/company/trust.
Data Retention, Deletion, Export, and Access Controls
GoTo's product offerings feature comprehensive technical privacy controls and capabilities which include data retention, deletion, export (into a machine-readable format), and access functionality. Please consult the product-specific technical and organizational measures as found in the Technical and Organizational Measures "TOMs" documentation available in the Trust and Privacy Center for more details. For best results, please filter by service or suite at the top of the Product Resources page.
Technical and Organizational Measures
GoTo’s technical and organizational security measures are designed to prevent the unauthorized access to personal data, and to ensure the ongoing confidentiality, integrity and availability of GoTo’s products and services. Detailed information regarding GoTo’s encryption capabilities and other security measures can be found in the Trust & Privacy Center’s Product Resources page. For best results, please filter by service or suite at the top of the Product Resources page.
GoTo engages with first and third-party sub-processors to provide and operate our services. Please consult the Trust & Privacy Center’s Product Resources page to review service or suite-specific hosting and processing locations, including applicable affiliate and third-party sub-processor disclosures. For best results, please filter by service or suite at the top of the Product Resources page.
GoTo maintains a comprehensive Government Request Policy and will only provide customer information if a government request is supported by applicable law. While detailed information about how GoTo handles government requests may be found in the policy linked above, it is GoTo’s position that absent a valid warrant, subpoena, court order, or equivalent legal process, GoTo will not disclose customer information. In addition, GoTo may seek to narrow requests that we believe are overly broad in scope, request additional context if the nature of the investigation is unclear, or push back on the request for other reasons.
Individual Rights Management Portal
The Individual Rights Management Portal is your destination for managing GoTo-related data subject requests and finding answers to common privacy and security questions. Use the portal to submit a data subject access request, review the locations, types, and purposes of data processing, exercise certain other data protection rights, and learn about GoTo’s privacy and security practices.