IdeaScale GDPR Compliance

IdeaScale is committed to working with its customers to help them understand and comply with the General Data Protection Regulation (GDPR). The GDPR is a legal framework that sets guidelines for the collection and processing of personal data of individuals within the European Union (EU). Besides strengthening and standardizing user data privacy across the EU nations, it requires new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located.

IdeaScale allows its customers to comply with the GDPR by:

  • Investing in its security infrastructure,

  • Supporting international data transfers by maintaining Privacy Shield self-certifications,

  • Providing GDPR Data Processing Addendums (DPAs),

  • Providing tools that allow for data deletion, portability, and management, and

  • Monitoring and reviewing privacy practices.

Protecting its customers’ information and their users’ privacy is extremely important to IdeaScale. IdeaScale uses data centers that undergo annual SOC and/or ISO27001 third-party audits. IdeaScale uses the NIST 800-53 security matrix to guide its own policies, procedures, and controls. These procedures include an incident notification plan that allows IdeaScale to meet GDPR timelines.
To comply with E.U. data protection laws regarding international data transfer mechanisms, IdeaScale self-certifies under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. These frameworks were developed to establish a way for companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.

GDPR Data Processing Addendums
IdeaScale offers its customers a GDPR DPA to meet the privacy and security requirements of customers operating in the E.U. As an administrator, you can review and accept the DPA by going to Community Settings>>Security>>GDPR. In this panel, you can review and accept the DPA and provide additional contact details if desired.
IdeaScale provides the tools needed for its customers to meet the needs of their users under the GDPR:
Deletion. With features such as the Forget, Ban, and Hide tools, IdeaScale allows customers to respond to their users’ requests to delete or change personal information, such as names and email addresses, or to restrict data processing. This enables customers to meet their “right to be forgotten” and other obligations under the GDPR. To delete a user’s personal data, an administrator can do the following:

  1. Go to Community Settings>>Member Management>>Members.

  2. Click on the “Manage” dropdown after the email address of the member who made the request to be forgotten and select “Ban Member”.

  3. In the pop-up window:
    • Select “Forget Member” to delete the selected user’s personal data but keep his or her ideas and comments, or
    • Select “Forget Member and Submissions” to delete the selected user’s personal data, ideas, and comments.

Portability. Customers can also honor their users’ requests to export personal data using IdeaScale’s export tools. Customer administrators can simply go to Community Settings >> Reports >> Export Data >> Export Member Data to export such data in Excel or CSV formats. For more details, visit

Management. IdeaScale’s customer administrators can easily review the types of personal data they are collecting via their administrative settings panel.

For more details, please visit, and contact IdeaScale’s support staff if you need assistance.

IdeaScale’s security team constantly monitors the IdeaScale system for vulnerabilities and issues that could compromise personal data. The team also reviews notices and alerts from regulatory bodies and makes necessary adjustments when required. Additionally, IdeaScale uses third-party privacy professionals to review policies and procedures, and works with these professionals to improve and update its privacy practices, allowing IdeaScale customers to maintain GDPR compliance.

Termination of Contract

Upon conclusion of the contract, the customer has 30 days to export data from the application before it is removed. After 90 days, all backups of the data are removed.

Last Updated: August 2, 2023