Many companies are focused on May 25 because that’s the date the European Union’s General Data Protection Regulation (GDPR) comes into effect. Smooch has been preparing for over a year, and we are ready. Not only are we a compliant data processor, our software platform includes features that will help you comply with your controller obligations.

ICYMI, here’s what the GDPR is

The GDPR is the EU’s new data privacy law. Its goal is to give Europeans more control over their personal data and hold companies accountable.

Most aspects of the GDPR are not new. Individuals still have the right to access and correct their personal information. Companies are still obligated to provide adequate notice and choice.

There are, however, some new data rights that companies need to be prepared for. In some cases, individuals have the right to delete, object to or restrict the processing of their personal data, and the right to port it to another business. There are also strict guidelines for how companies need to get their customers’ consent to use their data, and how this data needs to be protected.

When the GDPR takes effect on May 25, it will be the most comprehensive data privacy law in the world, and it will impact how businesses collect and handle personal data.

Smooch’s commitment to data protection and the GDPR

As a provider of messaging services, data privacy is vital to Smooch, which is why we built our platform to the highest standards of privacy and security.

We’ve designed our platform, as well as our internal Privacy Program, to meet the requirements of European, Canadian and US privacy laws. Our customers are located around the world, so we design for a global standard.

We also recognize that protecting your data requires an enterprise-grade security program. Whether it’s granular access restriction or encrypting data in motion and at rest, you can have full confidence in how your company data, as well as the personal data of your users, is being processed, transferred and stored.

Smooch is ready for the GDPR

Because we could not be successful without our customers’ trust, we have been thinking about privacy and security since day one. To prepare for the GDPR, we expanded our existing privacy program, which was already compliant with Canadian privacy law (PIPEDA) as well as the EU-US Privacy Shield.

Here’s why we are ready:

  • Our Chief Privacy Officer works with our engineers, sales, technology, and security teams to oversee our Privacy Program. She actively monitors the latest guidance coming from regulators to make sure we’re up to date and using best practices in protecting data.
  • Privacy by Design is a core part of our software development process. Everyone from the engineering team to the CEO are trained on Privacy by Design.
  • Our platform includes features that help our customers easily respond to an individual’s request for access, correction, erasure, restriction and portability.
  • We hold our third-party service providers to the highest standards. We use EU Standard Contractual Clauses/Model Clauses with all third parties who process personal data.
  • We clearly outline our commitments in our Privacy Policy, Privacy Statement for Service Data and our Data Processing Agreement (DPA). This makes it easy to understand the ways we both follow industry best practices, and exceed the minimum for legal compliance.
  • Our corporate Data Privacy Policy governs our Privacy Program. We train all employees with access to personal data annually on the Privacy Policy and Privacy by Design.
  • As a Canadian company, the GDPR’s Adequacy provision allows companies to transfer data to Smooch for processing. We went a step further, and self-certified to the E.U.-U.S. and Swiss-U.S. Privacy Shield Frameworks.
  • Our robust Information Security Program is audited by an independent third party: our SOC 2 Type 1 certification process is under way.
  • Our Incident Response Plan and Data Breach Policy are based on the definitions and timelines required to comply with the GDPR. Our team is trained on how to put these plans and policies into action if needed.
  • Finally, we are happy to announce a new EU instance of our platform. GDPR does not require data localization but some customers have reasons to keep their data in Europe. Now their data can be hosted by Smooch entirely in the EU.

A conversation platform for GDPR compliance

Our omnichannel conversation platform is architectured to make it simpler for you to comply with GDPR requirements.

People who communicate using the platform have rights under the GDPR. It is your responsibility to communicate these rights to them and be prepared for their requests to exercise those rights. We have built features that make it simple and fast to do so.

The first thing you need to do when a user submits a request is to identify the data you have about them. The Smooch platform makes that easy by using unified customer profiles where channel identities, channel supplied metadata, application and other custom metadata, and conversation history are stored.

You can respond to the request to access, correct, or delete personal data through our Get App User, Update App User and Delete User Profile APIs. User message content can be extracted and provided to the individual, or you can Delete Messages and Delete Attachments.

More specifically, here’s what we have in place in our platform to help you be GDPR compliant:

Access control

Smooch authenticates callers to its API using JSON Web Tokens (JWTs) that allow access to be scoped to several different levels and set to expire at a specific date and time. Access to Smooch data through JWTs can be limited to access to an individual user’s conversation history and metadata, access to a single business account (app) and all of the user data contained within it, access to a group of business accounts (i.e. parent company and divisions) as well as global access for all business accounts provisioned on the software provider’s system.

Data deletion

Smooch gives you full control over app, user and message deletion. You can easily delete a single user profile along with the conversation history attached to it and you can also delete single messages. Smooch also supports the deletion of an app. This means you can delete a customer (a business) and immediately delete all associated data of that business' users.

Data access and portability

Customers can easily export data about users, including metadata and conversation history as required by GDPR, to another system. The feature exports data in a commonly used machine readable format (JSON), which can then be imported into another system. The Get App User API allows you to retrieve all of the metadata (including channel-specific metadata) Smooch stores on a user. The Get Messages API retrieves all the messages exchanged between your software and a user, across any channel the user has used to communicate. If you want to make direct calls to a messaging channel API, you can also use the Get App User Channel Entities API to retrieve the channel-specific identifiers that can be used to make these direct calls. If your software takes advantage of Smooch’s built-in business system integrations, you can use the Get App User Business System IDs to find the business system entity (i.e. ticket ID, Slack channel, etc.) associated with the user.

Security of customer and user data

The Smooch platform encrypts all data both in transit and at rest. All communication to and from Smooch, as well as between Smooch’s various infrastructure components, is secured by SSL/TLS transport over public networks. Access to the Smooch production system is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Production and Security teams. Employees accessing the production system are required to use two-factor authentication.

Audit and logs

All generated logs are transferred and stored in a secured and encrypted location. In the event of suspected or confirmed access to data that is unauthorized, Smooch can provide audit logs to help you investigate, respond to, and remediate the issue as soon as possible.


We understand your concerns about the GDPR — we’ve been there! Keeping your data safe and secure is our top priority, and we’re committed to maintaining the highest standards.

Please feel free to contact us if you have any questions about Smooch’s Privacy and Security commitments or practices. You may contact us at