Trust Center

We value the privacy and security of our clients’ data and the data we collect on their behalf. Our commitment to maintaining your trust extends beyond the letter of compliance to how we interact daily with clients and our continued commitment to transparency and integrity across the organization.

We are acutely aware of how B2B marketers must navigate a complex regulatory environment when handling data and fostering strong relationships with clients and partners. At BlueWhale, we strive to help marketers build credibility and a positive brand reputation in their target markets while minimizing risk.

Certifications

BlueWhale Research holds the following certifications, validating the integrity of our cybersecurity and data privacy processes.

ISO 27001 Information Security

ISO 27001 defines requirements that an information security management system (ISMS) must meet. Certification with this internationally recognized standard confirms that BlueWhale’s information security management program is comprehensive and follows best industry practices in risk management, cyber-resilience, and operational excellence.

Additionally, the certification demonstrates BlueWhale’s continued commitment to information security at every level and ensures that data and information security has been addressed, implemented, and properly controlled.

ISO 27701 Data Privacy

ISO 27701 requires the creation of a privacy information management system (PIMS) that provides guidance for controllers and processors. Certification with this internationally recognized standard confirms that BlueWhale’s privacy information management program is comprehensive and follows industry best practices in the protection and control of personally identifiable information.

Additionally, the certification demonstrates BlueWhale’s continued commitment to privacy at every level and ensures that data and information privacy has been addressed, implemented, and properly controlled.

Compliance

BlueWhale maintains compliance with the following international regulatory standards to safeguard your business and build lasting trust with your customers.

CCPA and CPRA

The California Consumer Privacy Act (CCPA) gives Californian consumers more control over their personal information collected by businesses, including the right to know how their personal information is being used and the right to delete or opt-out of sharing their information.

The California Privacy Rights Act (CPRA) builds upon the CCPA by enhancing consumer privacy rights and imposing stricter regulations on businesses’ data handling practices.

GDPR

The General Data Protection Regulation (GDPR) dictates how businesses handle the personal information of data subjects who interact with them. GDPR emphasizes individual privacy rights and data protection for organizations that operate within the European Union.

CAN-SPAM

The CAN-SPAM Act requires businesses to operate transparently and provide opt-out options in email marketing.

CASL

Canada’s Anti-Spam Legislation (CASL) regulates commercial electronic messages sent to Canadian recipients, requiring explicit opt-in consent and accurate identification of senders.

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the collection, use, and disclosure of personal information in Canada.

FAQs

What is BlueWhale’s stance on AI?

BlueWhale is committed to innovation across our solutions and organization to help advance B2B engagement for our clients. We believe that artificial intelligence can and will aid our processes. We do not believe that it will replace the connections we enable our clients to have with buyers or our employees. When combined with our specialized IP and unique ability to gather first-party insights, AI has the potential to help our clients reach the right buyers earlier and more precisely than ever before.

As we responsibly incorporate AI across our solutions, BlueWhale will maintain our commitment to transparency, effective data verification, and rigorous data protection and compliance. This means having a strict AI use policy and carefully assessing and mitigating the risk of all new integrations that use AI and Machine Learning.

What is BlueWhale’s policy for retaining and removing data?

BlueWhale retains processed data (leads and consent records) only as long as specified in the contract with the controller, and only for purposes of redundancy as this data is delivered to the controller. The default interval for retention is 195 days past the end of the campaign. Longer or shorter intervals may be specified by the controller per campaign.

How does BlueWhale ensure data is stored securely?

BlueWhale uses encrypted, offline storage for retention of backup data. Live data is stored in encrypted databases on private network segments. Encryption keys are managed by BlueWhale staff and our partners, all of whom are under confidentiality and indemnification agreements.

Does BlueWhale have business continuity and incident response plans?

Yes, as required by ISO 27001, BlueWhale has both a detailed business continuity plan and policy, and a detailed incident response plan. These include best practice steps such as notification of data breaches to clients and relevant law enforcement authorities when and where required.

Business continuity and incident response plans are reviewed regularly and are rehearsed and drilled.

Are BlueWhale employees trained on information security?

Yes, BlueWhale has a qualified information security and privacy compliance team and maintains a robust security awareness training program which all employees are required to complete with quarterly updates.

What is BlueWhale’s policy regarding confidentiality? How do you ensure BlueWhale employees adhere to the Code of Conduct?

BlueWhale has a strict policy regarding the handling of confidential information, whether processed on behalf of our clients or our own employees and contractors. All employees are required to read this policy, and to sign off on the Code of Conduct which specifically references disclosures of confidential information. This is also the subject of annual training. The Code of Conduct is strictly enforced and all employees are enabled to report violations at any level.

How does BlueWhale assess risk of third-party vendors and suppliers?

Through a rigorous risk assessment policy, BlueWhale considers the security posture, certification status, and incident history of all its contractors, suppliers, and vendors. No vendor is onboarded without a risk assessment and preference is given to those vendors holding current certifications such as SOC2 or ISO 27001. All vendors processing data as subcontractors are required to sign a Data Protection Addendum that imposes the same level of rigor and security procedures as those BlueWhale follows.

Request BlueWhale’s CyberGRX Assessment