If you're managing customer data, understanding HighLevel's Data Processing Agreement (DPA) is essential for compliance and security. Here's what you need to know:
- Purpose: Defines roles between data controllers (you) and processors (HighLevel) under laws like GDPR.
-
Key Features:
- Data Security: Encryption, access controls, automated backups.
- International Transfers: Standard Contractual Clauses (SCCs) for EU, UK, and Swiss data.
- Breach Protocol: Rapid detection, customer notification, and recovery steps.
- Your Role: Obtain consent, follow legal standards, and maintain proper documentation.
HighLevel ensures lawful data handling while you focus on your operations. Read on for a detailed breakdown of terms, security practices, and compliance measures.
Main Terms and Coverage
Key Terms Explained
HighLevel's DPA lays out essential terms that form the foundation of its data processing relationship:
| Term | Definition |
|---|---|
| Controller | The customer who decides why and how personal data is processed |
| Processor | HighLevel, acting on the customer's behalf to handle data based on instructions |
| Customer Personal Data | Information about identifiable individuals within the customer's data, safeguarded under applicable laws |
| Processing | Any action involving personal data, such as collecting, storing, or analyzing it |
| Personal Data Breach | A security issue that results in accidental or unlawful destruction, loss, or unauthorized access to data |
These definitions set the stage for outlining the scope and rules of HighLevel's data processing activities.
Data Processing Coverage
The DPA describes the specific ways HighLevel processes customer data, ensuring all actions align with documented customer instructions unless otherwise required by law .
Core Processing Activities:
- Collecting and storing customer data
- Recording and managing personal details
- Handling contact information for marketing efforts
- Supporting service delivery and marketing tasks
Geographic Scope:
- Compliance with GDPR and related European regulations
- Adherence to CCPA for California residents
- Meeting global data protection standards
Usage Limitations: HighLevel strictly follows customer instructions and legal requirements when processing data:
"HighLevel will Process Personal Data as necessary to provide the Service pursuant to the Agreement, as further specified in an order form, and as further instructed by Customer in Customer's use of the Service."
To safeguard customer data, HighLevel employs encryption, role-based access controls, and automated backups, as discussed earlier .
Data Protection Requirements
HighLevel's Data Processor Duties
HighLevel takes its role as a data processor seriously, following strict guidelines to safeguard customer data. These efforts are built on its well-established data protection practices. The platform uses a range of technical and organizational measures, including:
| Security Area | Implementation Details |
|---|---|
| System Resilience | Protection for endpoint APIs, uptime monitoring, and user-based authentication |
| Access Control | Encrypted signed tokens, role-based authorization, and password safeguards |
| Physical Security | Managed services hosted in secure AWS and GoogleCloud facilities |
Key responsibilities HighLevel handles as a processor include:
- Processing data strictly in line with customer instructions, unless otherwise required by law
- Ensuring all personnel sign confidentiality agreements
- Notifying customers promptly in the event of a data breach
- Using event logging tools like GoogleCloud Ops and AWS CloudWatch for monitoring
While HighLevel provides a secure framework as a processor, customers also need to meet their responsibilities as data controllers.
Customer Data Controller Duties
To align with HighLevel's secure processing measures, customers acting as data controllers must follow specific practices to ensure lawful data handling. These responsibilities work hand-in-hand with HighLevel's security protocols. Key requirements include:
-
Consent Management
Customers must establish mechanisms to notify data subjects and obtain explicit consent. -
Legal Compliance
Data collection processes must adhere to relevant Data Protection Laws. -
Documentation and Accountability
Customers are responsible for maintaining records of:- Consent obtained from data subjects
- Data collection procedures
- Authorization for data transfers
- Updates to privacy notices
HighLevel aids these efforts by providing tools like data download options, customizable data retention settings, and controls for managing access to former employees' data.
"Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Customer Personal Data to HighLevel, and the lawful collection of the same by the Customer using the HighLevel Services for the duration and purposes of the Agreement and DPA, and shall indemnify HighLevel against all loss and damage (including fines) arising from a failure to do so."
International Data Transfer Rules
Standard Contract Clauses
HighLevel ensures compliance with international data transfer rules by using Standard Contractual Clauses (SCCs) as outlined in the European Commission's Decision (EU) 2021/914 . The platform adjusts its approach based on specific regional regulations:
| Region | Implementation Approach |
|---|---|
| European Union | SCCs aligned with EU standards |
| United Kingdom | SCCs modified with a UK Addendum; conflicts resolved according to Sections 10 and 11 |
| Switzerland | SCCs tailored to Swiss law and Federal Data Protection Commissioner requirements |
In addition to applying SCCs, HighLevel strengthens data security with extra safeguards.
Extra Protection Measures
HighLevel avoids transferring European Data to locations or recipients that fail to meet appropriate data protection standards unless additional compliance steps are taken . These measures work alongside SCCs to address any gaps in protection:
- Adequacy Assessments: Before a transfer, HighLevel evaluates whether the recipient country provides sufficient data protection.
- Alternative Mechanisms: If standard methods fall short, HighLevel uses other frameworks like binding corporate rules or technical safeguards.
- Remediation Protocol: Customers can report compliance concerns, prompting a resolution period where both parties collaborate to fix any issues.
sbb-itb-f031672
How to implement effective data processing agreements
Security and Breach Protocols
HighLevel takes data protection seriously, implementing multiple layers of security to safeguard customer information. The platform relies on trusted cloud hosting providers like Google Cloud Platform and Amazon Web Services .
Here’s a quick breakdown of its security measures:
| Security Layer | Details |
|---|---|
| Network Security | Includes filtering layers, logical firewalls, and security groups |
| Data Encryption | Follows industry-standard encryption protocols |
| Access Control | Uses a role-based (RBAC) model with strict employee access restrictions |
| System Reliability | Ensures reliability with multi-zone distribution |
| Application Security | Incorporates web application firewalls and active monitoring tools |
To ensure data separation in its multi-tenant environment, HighLevel assigns unique customer IDs. Development processes include regular vulnerability scans and annual penetration tests . These measures form the backbone of HighLevel's approach to handling potential breaches.
Data Breach Response Steps
HighLevel has a clear and structured protocol for addressing data breaches. When a breach involving personal data is detected, the platform takes immediate action and informs affected customers without delay .
The breach response process includes:
-
Detection and Assessment
Automated monitoring systems are in place to identify breaches quickly. Security teams then assess the scope and severity of the incident . -
Customer Notification
HighLevel promptly notifies customers of breaches involving their data. This helps customers comply with regulations, such as reporting qualifying breaches to authorities like the ICO within a 72-hour window . -
Mitigation and Recovery
To reduce data loss, the platform uses reliable backups and integrity protocols. Customers can also recover deleted data - such as contacts, opportunities, and custom fields - through the recycle bin feature, available for up to 30 days .
For added protection, customers are encouraged to export minimal data regularly, maintain logs, and refer to Annex B of the DPA for detailed security practices .
HighLevel's Legal Team collaborates with engineering and product teams to adapt its privacy measures, staying ahead of emerging threats while maintaining compliance with relevant standards .
Conclusion
Main Points for Marketers
HighLevel's Data Processing Agreement (DPA) provides clear guidelines for managing data responsibly. Last updated in October 2024 , it highlights key areas of responsibility and security measures that marketers must follow.
Here are some key areas to focus on:
| Responsibility Area | Requirements |
|---|---|
| Data Collection | Ensure proper consents are obtained before transferring data to HighLevel |
| Processing Scope | Process data strictly according to documented customer instructions |
| Security Measures | Implement recommended encryption settings |
| Data Recovery | Use automated cloud backups on a regular basis |
| International Transfers | Follow Standard Contractual Clauses for transferring European data |
These practices are essential for maintaining secure and compliant marketing operations.
HL Max Resources
HL Max offers a range of educational tools to help agencies make the most of HighLevel's security features. These include guidance on proper data handling, automation compliance, and data retention settings. For agencies working with international clients, these resources are especially helpful for ensuring data protection while leveraging HighLevel’s tools for lead generation and client management.
Related Blog Posts
- Scaling Your Agency with HighLevel: Proven Strategies for Streamlined Client Management
- Data-Driven Marketing: Using HighLevel and AI Insights to Refine Your Campaigns
- Mastering Integrations: Connecting Your AI Tech Stack to HighLevel for Unprecedented Efficiency
- Streamline Your Dental Practice’s Marketing: How HighLevel Agencies Drive New Patient Appointments
