Data Protection Laws
Granicus complies with all applicable data protection laws, including:
- General Data Protection Regulation (GDPR) – We comply with the data protection and privacy requirements outlined in the GDPR for individuals in the European Economic Area.
- California Consumer Privacy Act (CCPA) – For California residents, we adhere to the privacy rights and obligations in the CCPA.
- Other US state privacy laws – In addition to federal laws, we comply with state privacy laws in the US states where we operate.
- Health Insurance Portability and Accountability Act (HIPAA) – Granicus is HIPAA compliant, ensuring that PHI (Patient Healthcare Information) is processed and stored in line with the Titles defined within HIPAA, specifically Title II. We can supply a Business Associate Agreement (BAA) on request.
International Data Transfers
When Granicus transfers personal data outside the European Economic Area, we utilize legitimising mechanisms like Standard Contractual Clauses to lawfully conduct those transfers under the GDPR. We have intra-group agreements and processor contracts in place for transfers among Granicus entities and external vendors.
As described in our Data Privacy Framework certification, we comply with the EU–US Data Privacy Framework (DPF) and the UK Extension to the EU–US DPF as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from the EEA and the UK, respectively. Granicus has certified that it adheres to the DPF Principles. To learn more about the DPF, and to view Granicus’s certification, please visit the DPF website.
Subprocessors
We conduct due diligence when engaging subprocessors and service providers that may process personal data on our behalf. We have contractual clauses in place to maintain GDPR-compliant transfers and processing activities with vendors.
Record Keeping
Granicus maintains data retention schedules and record-keeping practices in compliance with the GDPR, CCPA, and other regulations. We keep records of data processing activities including: categories of data collected, purpose of processing, third-party disclosures, appropriate security measures, data retention schedules, and more.
Privacy By Design
We employ a privacy-by-design approach by implementing appropriate technical and organisational measures at the time we develop products or services that involve processing personal data. This helps uphold privacy and compliance requirements from the start of any project.
Data Protection Impact Assessments
When new types of processing pose a high risk to individuals’ privacy rights, Granicus conducts Data Protection Impact Assessments to identify, assess, and mitigate those privacy risks.
Information Security
We implement technical and organisational security measures to protect personal data and keep it secure. Granicus regularly evaluates and tests the effectiveness of these safeguards to ensure a level of security appropriate for the risk posed to data subjects.
Audit and Monitoring
Granicus engages in regular self-audits and compliance monitoring to maintain our privacy and data protection practices. We take steps to continually identify and address any gaps or areas of improvement in our compliance programs.