We’ve migrated our documentation to a new site, which means some URLs have changed.
Subscriptions

Compliance

Piano Compliance

Piano stays updated on any changes to industry and government regulations regarding data security. We ensure that we are compliant with data regulations at all times. Our compliances are listed below.

Payment Card Industry Data Security Standard (PCI DSS)

What does it mean?

The Payment Card Industry Data Security Standard (PCI DSS) is a written standard, created by the major credit card companies, and maintained by the Payment Card Industry Security Standards Council (PCI SSC). The PCI DSS contains technical requirements that protect and secure payment card data during processing, handling, storage, and transmission. All businesses that handle payment card data, no matter their size or processing methods, must follow these requirements and be PCI compliant. The type of compliance is dependent on the method of data processing. A merchant who handles actual credit cards will be subject to different regulations than a merchant who only processes them online.

PCI defines that service providers like Piano, who do not manage card data on behalf of a merchant, still need to be PCI compliant, because there is the possibility that an incident or an intrusion into Piano’s platform may allow for the malicious collection of credit card information. Piano therefore is required to be assessed using the Service Provider assessment as defined by the PCI council.

Piano being PCI compliant does not imply that other merchants are PCI compliant. Every merchant is required to handle PCI compliance by themselves.

How do we comply?

As a requirement for PCI Compliance, an external firm runs quarterly vulnerability scans on our system to ensure that we have not introduced any issues through the software development process. The links to view our current PCI status for our various sites are provided below:

dashboard.piano.io    dashboard.tinypass.com

api.piano.io    api.tinypass.com

buy.piano.io    buy.tinypass.com

id.piano.io    id.tinypass.com

Certification

Piano has passed the PCI DSS onsite audit and was issued with Attestation of Compliance for onsite assessments of service providers, which is valid from 9th March 2021.

Piano will provide the Attestation of Compliance (AOC) on request. Please send all request to security@piano.io.

ISO/IEC 27001:2022

What does it mean?

Information Security is a priority within Piano Software as a modern, forward-thinking business. Piano recognizes the need to ensure that its business operates smoothly and without interruption for the benefit of its customers, shareholders and other stakeholders.

In order to provide such a level of continuous operation, Piano has implemented an Information Security Management System (ISMS) in line with the International Standard for Information Security, ISO/IEC 27001:2022.

The operation of this ISMS has many benefits for the business, including:

  • Protection of revenue streams and company profitability.

  • Ensuring the proper delivery of services to customers including, confidentiality, integrity, and availability.

  • Maintenance and enhancement of company values.

  • Compliance with all legal and regulatory requirements.

An ISMS Manual is available in both paper and electronic form and will be communicated within the organization, and to all relevant stakeholders and interested third parties.

Commitment to the delivery of information security extends through all levels of the organization, and will be demonstrated through the information security policy, and the provision of appropriate resources to establish and develop the Information Security Management System.

How do we comply?

Piano ensures compliance with ISO/IEC 27001:2022 by performing periodical internal and external compliance audits and reviews. The compliance of specific controls is evaluated on a frequent basis and coordinated throughout the whole organization.

Certification

Piano is ISO/IEC 27001:2022 certified. The certification demonstrates Piano’s ongoing commitment to quality assurance through the execution of superior operational processes and ensures that the highest level of information security policies, procedures, and risk management are in place.

The certification was issued on 16th April 2020 and was renewed on 29th November 2026 with the certification registration no. 10017614 ISMS22. The certificate is valid till 15th April 2029. The Scope of the certification is: "The Information Security Management System (ISMS) maintaining the Confidentiality, Integrity, Availability and Privacy of the operation, management and control of Piano Software’s Cloud Based Services, including management direction, oversight and control over internal and outsourced development services

The certification is available upon request at security@piano.io.

General Data Protection Regulation (GDPR)

Effective as of January 29, 2021.

The GDPR is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the EU. It came into effect beginning on May 25th, 2018. Piano is fully compliant with GDPR standards.

We're committed to partnering with customers and users to help them understand and comply with the General Data Protection Regulation (GDPR). The GDPR went into effect on May 25, 2018 and sees significant changes to the EU privacy law.

Introduction

Besides strengthening and standardizing user data privacy across the EU nations, it will require new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located.

Preparing for the GDPR

The GDPR’s updated requirements are significant and Piano Software products are in line with required GDPR compliance commitments, either through automated product features or by requesting changes from Piano.

We work to:

    • Ensure that the appropriate contractual terms are in place with relevant customers;

    • Continue to support international data transfers by executing EU Standard Contractual Clauses (SCC) through our updated Data Processing Addendum while at the same time accepting GDPR’s application on us;

    • Build any new features and functionality with the requirements of GDPR in mind and ensure we include features that address Data subject rights wherever possible;

    • After the May deadline we continue to monitor GDPR related guidance and will make the necessary changes. We also continue to invest heavily toward security infrastructure and security processes;

International data transfers: SCC, BCRs and GDPR

The question of international cross-border transfer of personal data is naturally very important to Piano. Being a US company, we have historically relied on EU-US Privacy Shield and Swiss-US Privacy Shield as well as EU Standard Contractual Clauses (SCC) to lawfully transfer personal data outside EEA. Due to Schrems II judgement of the CJEU (C-311/18) we no longer can rely on EU-US Privacy Shield and Swiss-US Privacy Shield. However, we understand there are number of legal uncertainties surrounding the cross-border transfer of personal data under the GDPR and we want to be fair about these to our customers.

Firstly, in Google v Spain, the CJEU held that EU privacy laws (Directive 95/46/EC) applies directly to Google, Inc. (US company) by virtue of having an establishment in the EU (Google Spain, S.p.A.) in the context of which activities the personal data is processed. We too have an establishment in the EU (subsidiary in Slovakia) which is directly involved in supporting Piano Software, Inc. (US company) in processing personal data on behalf of the Publishers. Commission Decision on EU-U.S.

The abolished Commission’s decision EU-US Privacy Shield also referred to this problem in paragraph no. 15:

“The Principles apply solely to the processing of personal data by the U.S. organisation in as far as processing by such organisations does not fall within the scope of Union legislation. (15) The Privacy Shield does not affect the application of Union legislation governing the processing of personal data in the Member States (16).

(16) This applies also to processing that takes place through the use of equipment situated in the Union but used by an organisation established outside the Union (see Article 4(1)(c) of Directive 95/46/EC). As of 25 May 2018, the General Data Protection Regulation (GDPR) will apply to the processing of personal data (i) in the context of the activities of an establishment of a controller or processor in the Union (even where the processing takes place in the United States), or (ii) of data subjects who are in the Union by a controller or processor not established in the Union where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. See Article 3(1), (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).”

However, there is no mention of this extraterritorial application of the GDPR to non-EU companies in Articles 44-50 GDPR where it deals with cross-border transfer of personal data outside EU. Therefore, although it seems the GDPR will apply directly to Piano Software, Inc., non-EU Piano affiliated companies will remain persons from 3rd countries where the additional safeguards need to be adopted (like SCC or BCRs).

The way we decided to deal with the above is as follows:

    • Piano Software, Inc. being a US company concludes with EU Publishers SCC as part of the Data Processing Agreement where we act as processors and data importers to EU Publishers;

    • Piano Software, Inc. and all its subsidiaries (Piano Affiliates) concluded Intra-Group Processing Agreement pursuant to the Article 28(3) of the GDPR which also includes SCC.

To sum up, we have tried to ensure both contractually and technically that we comply with the GDPR regardless of whether and how the GDPR applies to us.

In late 2022, the BCR (processor and controller) of Piano Group have been approved by the European Data Protection Board.

This means that the processing of personal data across our affiliates meet with GDPR requirements and that, while our commitments to exclusive processing and storage inside the EU remain unchanged, this achievement allows us to transfer, where applicable, personal data outside the EU in a compliant way.

For all the details, please visit our website here.

Data portable solutions and data management tools

Compliance-related tools include the following:

    • Export Tools. Businesses and organizations may access, import, and export all their Customer Data;

    • My Account Widget. Help customers respond to user requests to delete personal information, such as names and email addresses;

    • For all other requests. Piano provides a dedicated team to info provide this information within a timely period to ensure compliance with GDPR. Contact us at privacy@piano.io.

Purposes of processing - Identity Management, Piano Management + Billing, Piano Composer, Piano ESP

PURPOSE

POSITION

LEGAL BASIS

Audience experience – the core purpose

Data processor

Performance of contract (Art. 6(1)(b) GDPR) and “cookie” consent (Art. 5(3) of e-Privacy directive)

Billing & Accounting

Data processor

Compliance with legal obligation (Art. 6(1)(c) GDPR)

The above overview of purposes of processing is a default (expected) overview by the template data processing agreement (“DPA”) Piano Software, Inc. concludes (as a processor) with the Publisher. As a data processor, it is not our responsibility to determine the purpose and legal basis of processing via Piano Software. However, given the fact that the core functionality and business purpose of Piano Software is generally the same throughout different Publishers, we came up with the above default legal setting so that both us and the Publishers can more efficiently manage compliance with the GDPR in respect to Piano Software.

Publisher Purposes

In practice, how does this work for users? For unregistered users/anonymous users: cookies consent based on setting of the web browser “allow cookies”. We recommend that the relationship between the Publisher and the user (unregistered and registered) is defined by contract performance in the publisher’s Terms and conditions. We expect that as soon as the user lands on Publisher’s site, there are certain terms and conditions in place that govern rights and obligations of both the user and the Publisher when using the site. We recommend that the Publisher’s obligation under these terms and conditions is drafted in a way that using Piano Software (and similar technologies) is part of Publisher’s contract performance. If the registered user changes privacy setting of its web browser to “do not allow cookies”, Piano loses the link of the browser to an individual. As such data is in effect erased as the data is no longer personal data but rather anonymised.

Purposes of processing - Piano Audience, Piano Insight, Piano CCE platform users

The decision of which legal basis to use for data processing rests with you as the data controller, and requires careful consideration and understanding of the law and the particulars of your operation. Consult with your legal counsel or data protection officer.

We will briefly describe the two options below to get you started.

Individual user consent is the least legally risky option, and the most generally applicable legal basis for the data processing activities. Individual informed consent from your users is a strong legal basis for collecting and processing personal data with the services provided by Piano Audience, Piano Insight, Piano CCE platform.

Piano Audience, Piano Insight, Piano CCE platform services in and of themselves are not particularly more likely to require consent than other offerings in Audience and personalization space, and customers should assess the entirety of their data processing activities when deciding about the legal basis for their operation.

Piano Audience, Piano Insight, Piano CCE platform supports serving users with individual user consent, but this may require implementation changes on the site where the Piano Audience, Piano Insight, Piano CCE platform cx.js tag is deployed. See below for more details.

Legitimate interest

When a data processing activity is compellingly justified by a legitimate interest of the data controller and care is taken to consider and protect people’s rights and interests, article 6(1)(f) may be an applicable legal basis for processing of personal data under the GDPR.

This legal basis puts a legal burden on the controller to demonstrate their interest in the processing and require a careful balancing of the legitimate interest and necessity of the processing in achieving that interest, and the individual’s interests, rights and freedoms.

When considering this balance, be aware that the user interest profile generation functionality of the Piano Audience, Piano Insight, Piano CCE platform constitutes a type of personal data processing that may be difficult to justify with legitimate interest as a legal basis.

Despite these hurdles, this is a very attractive option for one simple reason: Not all users are likely to consent to having data about them collected and processed. This must be weighed against the legal risks of non-compliance.

Where Piano Audience, Piano Insight, Piano CCE platform is used for a processing activity and purpose justified by a legitimate interest, the existing cx.js tag may be used without further modification.

To ensure that the Piano Audience, Piano Insight, Piano CCE platform services only processes personal data by consent only, there are broadly speaking two options:

    • Only serve the site or page to users who have given their consent in advance. This could apply to a site where registration and agreement to terms of service is a prerequisite for access to the service, such as an organizational intranet or a subscriber-only section of a news site. Note that this is likely not an acceptable solution in the majority of cases where a site is accessible to the public and can function even if some personal data processing activities, such as personalised advertisements, are avoided.

    • Migrate to the consent-aware version of the Piano Audience, Piano Insight, Piano CCE platform tag, which avoids processing personal data for a given purpose unless a script call has been made to declare that the user has consented to that particular processing.

Depending on the site, its audience, and the nature of personal data submitted to the Piano Audience, Piano Insight, Piano CCE platform this choice may require careful consideration of the GDPR’s requirements for a request for consent to be specific about the type of data processing that will be performed and that it be granular, allowing a person to opt in for each distinct purpose.

When the use and processing of personal data is justified by a legitimate interest of the data controller, or when individuals have given consent to data processing before a page is loaded, processing of personal data may happen when the page is loaded with no further input from the individual. In this case the existing mode of operation of the Piano Audience, Piano Insight, Piano CCE platform tag will not infringe on the GDPR.

For sites basing their process in individual informed consent, this would apply when access control and existing agreements ensures that users have already consented to the type of processing performed by Piano Audience, Piano Insight, Piano CCE platform on your behalf. Note that simply having access control and a terms of service agreement click-through may not give sufficient options for users to opt in to specific types of processing. Consult with your legal counsel to determine if this approach is viable.

Piano Audience, Piano Insight, Piano CCE platform supports these specific types of processing purposes that can be opted in to by a user. Each is identified in the Piano Audience, Piano Insight, Piano CCE platform script tag by a short single-quoted name.

    • ‘pv’ - Page view tracking, event tracking and browsing habit collection to understand a user’s interests and profile.

    • ‘recs’ - Personalisation of content recommendations and suggested content based on user interests and browsing habits.

    • ‘segments’ - Audience segmentation - processing of browsing habits and first party data to include users in specific audience segments.

    • ‘ad’ - Targeting advertising based on browsing habits and audience segmentation.

    • ‘device’ - Collection of device information (user agents, other device-specific data).

    • ‘geo’ - Any geolocation data that is collected or derived from other data points, such as IP addresses.

Note that 'recs', 'segments' and 'ad' depend on the first kind of processing to be applicable - without tracking browsing there will be no data available to base personalisation of content on, nor any data to determine which audience segment(s) a person belongs to, or to target advertisements based on.

Personalization of content recommendations is not normally considered targeted advertisement, but depending on customer use cases and the content surfaced using recommendations, this may not be the case.

Audience segmentation is commonly used to target advertising, but not always, and so is kept as a separate consent opt-in for technical reasons, but it may not necessarily be a specific data processing purpose that requires its own opt in - the use case for audience segmentation on your site(s) is the determining factor here - personalizing the user’s experience based on audience segment membership may not necessarily be considered ads targeting. Unless, of course, the nature of the personalized experience appears to be marketing.

Targeted advertising is a clearly flagged separate data processing purpose in the GDPR. Be careful to separate a request for consent to target advertisements from other opt-in options.

Piano purposes of processing and data subject rights

DATA SUBJECT
RIGHTS/OBLIGATIONS

REF.

AUDIENCE EXPERIENCE

BILLING AND ACCOUNTING

Information obligation

Art. 13 GDPR

Yes, via Publisher’s privacy policy or similar notice

Right of access

Art. 15 GDPR

Yes, based on request

Right to rectification

Art. 16 GDPR

Yes, under certain conditions

Right to erasure

Art. 17 GDPR

Yes, under certain conditions

Right to restriction

Art. 18 GDPR

Yes, under certain conditions

Right to data portability

Art. 20 GDPR

Yes, just based on request but only in respect of data provided by the user

No

Right to object

Art. 21 GDPR

No

No

Right not to be subject to a automated individual decision-making

Art. 22 GDPR

Yes

Data protection by design & by default

Art. 25 GDPR

Yes in all cases. This is controller obligation

Appropriate security measures (TOMs)

Art. 32 GDPR

Yes in all cases

Detection and communication of data breach

Art. 33 GDPR

Yes in all cases

As a data processor we shall according to the Art. 28(3)(g) GDPR: “taking into account the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III”. We ensure this as is explained below:

Right of access

When applicable, Piano will provide the Data Controller with a My Account widget that allows the user to access their private data that Piano processes.

Right of rectification

Piano will provide the Data Controller with a My Account widget that allows the user to correct their private data that Piano processes.

Right of erasure

An anonymous data subject will be qualified as erased when they delete any Piano cookies. For data subjects where Piano stores registration information, that information shall be erased where possible.

Right of restriction

On a case by case basis, Piano will ensure that data is restricted.

Right to data portability

Piano provides a My Account widget where the user can access their data in order to download it. This refers to data actively provided by the data subject on registration forms. In addition, the Data Controller has access to the user profile through the user dashboard.

Piano Audience, Piano Insight, Piano CCE platform users

Piano Audience, Piano Insight, Piano CCE platform tracks page view and other behavioral events which constitute personal data. These events are used to produce statistics, user profiles and content profiles. With these statistics and profiles, we personalize individuals’ experiences with our customers’ content and targeted marketing.

The page view events collected by Piano Audience, Piano Insight, Piano CCE platform are sent from users’ devices by embedding a Piano Audience, Piano Insight, Piano CCE platform tag on customers’ web pages. This tag collects a set of Piano Audience, Piano Insight, Piano CCE platform cookies, device information, and site visit information. While no directly personally identifiable data is collected here, it is possible to include directly identifying information via custom parameters provided by customers’ code. In any case, this data is considered personal due to the pseudonymous identifiers included.

Events submitted to the Piano Audience platform may contain arbitrary data, although commonly used data types include gender and age group information, pseudonymised subscriber identifiers, and other first party data relevant to targeting personalised experiences or advertising.

These events, combined with data collected from customers’ web sites, are used to build aggregated user interest profiles and audience segments which in turn are used to serve personalised content, tailor user experiences to the user, or serve targeted advertisements.

Piano Audience, Piano Insight, Piano CCE platform maintains a registry of Data Processing Activities as mandated by the GDPR and reports from this registry are available to our customers to document and audit the data processing activities performed by Piano Audience, Piano Insight, Piano CCE platform on behalf of our customers.

Practical application of user opt in

The Piano Audience, Piano Insight, Piano CCE platform tag itself does not request consent directly from the user, as this would lead to a disruptive experience on the site. Rather, Piano Audience, Piano Insight, Piano CCE platform script exposes a set of new functions to selectively enable functionality for the purposes which a user has opted-in.

The API and behavior changes have been designed to be backwards compatible, such that an unchanged tag continues to work as before. Only by explicitly enabling the consent awareness functionality will the tag avoid processing personal data until consent has been affirmatively given.

Initializing Piano Audience, Piano Insight, Piano CCE platform tag with Consent requirement awareness is done by declaring an cX as an object with {options: { consent: true }}. Alternatively a function call to requireConsent() can be placed in the call queue, above any other functions.

If there are multiple Piano Audience, Piano Insight, Piano CCE platform tag invocations on the page, we recommend starting all of these invocations with the preamble that enables consent awareness, to avoid having the load order of the tags influence the behavior of the tag.

These are the new functions:

    • requireConsent(): This has the same function as initializing the cX object with the options field mentioned above, and may be used interchangeably, or if the consent functionality should be enabled only after some processing justified by a legal basis other than consent has taken place.

    • isConsentRequired(): Returns true if the Piano Audience, Piano Insight, Piano CCE platform tag is set to be consent-aware.

    • setConsent(types, options): Flags to the Cxense tag that the user has opted-in to particular type(s) of processing, enabling that functionality in the Piano Audience, Piano Insight, Piano CCE platform script. The types of processing a user has opted in to is stored in the browser’s local storage to enable quick resumption of processing in subsequent page views without requiring new setConsent calls. The “types” object may contain fields named ‘pv’, ‘segments’, ‘recs’ and ‘ad’, each with a value of true or false to enable or disable the particular type of operation according to user consent. The options object may contain a ‘runCallQueue’ field, which, if true, will cause cx.js to submit any earlier consent-blocked event data to the Piano Audience, Piano Insight, Piano CCE platform.

    • hasConsent(type): returns true if the specific consent is registered in local storage.

Easy compliance with data subject rights

Piano Audience, Piano Insight, Piano CCE platform has prepared technology for dealing with Data Subject Rights in the GDPR to ensure that we can support our customers’ obligation to let individuals access and take their data out and to have their data removed. This process and the internal tools developed to support it are designed to ensure that the compliance deadlines in the GDPR can be consistently met.

The specific data subject right functionality we will offer direct integration for is:

    • Requesting removal of personal data from Piano Audience, Piano Insight, Piano CCE platform platform. An API to file such a request will be available on api.cxense.com at the /personal/deleterequest/create endpoint

    • Retrieving a copy of all personal data associated with a device/user identifier from Piano Audience, Piano Insight, Piano CCE platform, in a machine readable format. This API will be published at api.cxense.com/personal/deleterequest/read

These APIs will be documented on Piano Audience, Piano Insight, Piano CCE platform API documentation site, and are not covered in further detail here.

We will not offer a separate API for rectification, as existing APIs include functionality for updating externally supplied data.

In addition we support clearing personal identifiers from a device through a new function clearIds(), which can be used to ensure that personal data stored in Piano Audience, Piano Insight, Piano CCE platform platform can not be retrieved using a device’s cookies after a user has logged out.

Security measures

Piano carefully addresses GDPR defined security measures by the pseudonymisation and encryption of personal data; maintaining a detailed DRP to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services which in turn allows Piano to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. Piano maintains a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Piano Audience, Piano Insight, Piano CCE platform users

Piano Audience, Piano Insight, Piano CCE platform technology is most commonly deployed on our customers’ or their partners’ web sites, using Piano Audience, Piano Insight, Piano CCE platform “cx.js” javascript tag.

In its default state, Piano Audience, Piano Insight, Piano CCE platform tag will submit pageview data to Piano Audience, Piano Insight, Piano CCE platform as soon as the page is loaded and immediately submit any data as soon as the script function is invoked on the site. Content recommendation widgets and ads will also be loaded as soon as possible when the call queue is processed or any insertWidget or insertAdSpace calls are made. This constitutes processing of personal data.

As an example a simple consent-aware Piano Audience, Piano Insight, Piano CCE platform tag starts like this:

var cX = window.cX || { options: { consent: true }};
cX.callQueue = cX.callQueue || [];
cX.callQueue.push(['setSiteId', '1141829794503140426']);
cX.callQueue.push(['sendPageViewEvent']);
cX.callQueue.push(['invoke', requestConsent])

If you are a legacy (previous Cxense) client and are now taking part in the Composer 1X rollout, you would need to update your existing consent-aware tags. Please follow instructions here

The requestConsent function is a function to be implemented by the site and should check if a user consent is already in place with Piano Audience, Piano Insight, Piano CCE platform tag using hasConsent(type). If it is not already set, then display a Consent request dialog, or if the user is logged in, perhaps check with the site backend if the user has already given consent. If a user consents to a type of processing, invoke the setConsent(type, options) function to enable that functionality.

function requestConsent() {
if (!cX.hasConsent('pv') && confirm('Do you give consent?')) {
cX.setConsent({ 'pv': true }, { runCallQueue: true });
}
}

The 'device' and 'geo' flags are only active if the "consent version" is set to "2". You can do this by specifying on initialization:

var cX = window.cX || { options: { consent: true, consentVersion: 2 }};

or by calling cX.requireConsent(2).

You will be able to set consents for 'device' and 'geo' just like other consent flags:

cX.setConsent({ 'device': true, 'geo': true });

Page view events

Page view events and performance events queued in the callQueue before ‘pv’ consent is in place will not be sent to Piano Audience, Piano Insight, Piano CCE platform right away. However, if consent is granted, the queued events will be dispatched if the runCallQueue options is included with the setConsent call in the call queue, like this: cX.setConsent({’pv’: true}, { runCallQueue: true }). If 'pv' consent is not granted, the identity will not be used for recording statistics about the performance of content widgets, even if 'recs' consent is granted.

If the tag is opted-into using the 'device' and 'geo' flags:

    • Without the 'device' consent, user agent and browser information will not be stored in page view events.

    • Without the 'geo' consent, any geolocation data will be removed and there will be no geolocation lookups based on IP address.

Audience segmentation

If ‘segment’ consent is not in place, the getUserSegmentIds call will return an empty set of segments. Browsing habit data submitted without segment consent will not be included in audience segment generation.

Personalisation

If ‘recs’ consent is not in place, the user's personal data will not be processed for the purposes of serving personalized content. This means that content widgets will not be personalised, but the API will still serve content recommendations based on non-personal data such as the page context and traffic trends. If 'pv' consent is not granted, the identity will not be used for recording statistics about the performance of the content widget.

If the tag is opted-into using 'device' and 'geo' flags:

    • Without the 'device' consent, no user-agent information will be used for content recommendations or CCE campaigns. Practically, it means that if a widget has a condition that depends on specific user-agent data, it will instead use any defaults that are defined for the widget.

    • Without the 'geo' consent, there will be no geolocation lookups based on IP information. Practically, if a widget depends on making recommendations based on location, it will instead use a fallback.

Targeted advertising

If ‘ad’ consent is not in place, ad space insertion calls will do nothing. Ad spaces will not be inserted.

Data breaches

Piano maintain an incident response plan which governs the communication and process in the case of a data breach. Contractually this is covered between Piano and all publishers, in the MSA.

Stay updated

Fulfilling our privacy and data security commitments is important to us. So we’re glad to help you prepare for all the changes the GDPR brings. This page will be revised to reflect GDPR-related information as it becomes available. If you have any questions about how Piano Software can help you with compliance, we hope you’ll reach out to us.

Subprocessors

To support delivery of our Services, Piano Software, Inc. (or one of its Affiliates listed below) may engage and use data processors with access to certain Customer Data (each, a "Subprocessor"). This page provides important information about the identity, location and role of each Subprocessor. Terms used on this page but not defined have the meaning set forth in the Customer Terms of Service or superseding written agreement between Customer and Piano (the "Agreement").

Third Parties

Piano Software currently uses third party Subprocessors to provide infrastructure services, and to help us provide customer support and email notifications. Prior to engaging any third party Subprocessor, Piano Software performs diligence to evaluate their privacy, security and confidentiality practices, and executes an agreement implementing its applicable obligations.

Infrastructure Subprocessors

Piano Software may use the following Subprocessors to host Customer Data or provide other infrastructure that helps with delivery of our Services:

ENTITY NAME

SUBPROCESSING ACTIVITIES

ENTITY COUNTRY

PRODUCTS

Amazon Web Services, Inc.

Cloud Service Provider

United States

Composer, Management + Billing, ID, ESP

Google Inc.

Cloud Service Provider

United States

Composer, Management + Billing, ID, ESP

Microsoft Azure

Cloud Service Provider

United States

ESP

SoftLayer Technologies, Inc.

Data center provider

United States

Piano Audience, Piano Insight, Piano CCE

Hetzner Online GmbH

Data center provider

Germany

Piano Audience, Piano Insight, Piano CCE

Packet Host, Inc.

Data center provider

United States

Piano Audience, Piano Insight, Piano CCE

Other subprocessors

Piano Software may use the following Subprocessors to perform other Service functions:

ENTITY NAME

SUBPROCESSING ACTIVITIES

ENTITY COUNTRY

PRODUCTS

Zendesk, Inc.

Cloud-based Customer Support Services

United States

Composer, Management + Billing, ID, ESP, Piano Audience, Piano Insight, Piano CCE

MailChimp, Rocket Science Group

Cloud-based Email Notification Services

United States

ESP

Google Inc.

Cloud Service Provider

United States

Composer, Management + Billing, ID

Braintree

Payment Provider

United States

Composer, Management + Billing, ID

Mode Analytics

Analytics Visualiations

United States

Composer, Management + Billing, ID

Survey Gizmo (Strategy Services Clients Only)

Survey Collection for Strategic Consulting

United States

Strategic Services Clienst Only

Google Ireland, Ltd.

Data backup storage

Ireland

Piano Audience, Piano Insight, Piano CCE

Enreach Solutions Oy

Data segmentation provider

Finland

Piano Audience, Piano Insight, Piano CCE

Creative Software

Global technical support team

Sri Lanka

Piano Audience, Piano Insight, Piano CCE

OOO "Pi-Tech"

Software development and data center operations

United States

Piano Audience, Piano Insight, Piano CCE

Piano affiliates

Piano Software has offices located around the globe who depending on the service a publisher requires will process that data. These entities are listed below:

ENTITY NAME

ENTITY COUNTRY

Piano Software, Inc.

United States (based on SCC)

Piano Software, s.r.o.

Slovakia (EU)

Newzmate Sp. z o.o.

Poland (EU)

Piano Software B.V.

Netherlands (EU)

Piano Software Norway NUF

Norway (EEA)

Piano Japan Co. Ltd

Japan (adequate third country based on

Commission Adequacy Decision

)

Updates

As our business grows and evolves, the Subprocessors we engage may also change. We will endeavor to provide the owner of Customer’s account with notice of any new Subprocessors to the extent required under the Agreement, along with posting such updates here. Please check back frequently for updates.

Archive of GDPR

GDPR – Effective from Dec 1, 2020
GDPR – Effective from Jun 24, 2020
GDPR – Effective from Apr 01, 2019
GDPR – Effective from Feb 15, 2019
GDPR – Effective from May 23, 2018

Notifications should be sent to the following:

Piano Software, Inc.

Attn: Stuart Ashford

111 S Independence Mall East, Suite 950

Philadelphia, PA 19106

Email: security@piano.io

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a California state law that enhances privacy rights and consumer protections for California residents. The CCPA regulates what businesses can do with the personal information they collect and is considered landmark legislation on data protection because of its strict guidelines.

Under the CCPA, California residents have the following rights:

  1. To know what personal information is being collected about them.

  2. To access personal information that has been collected about them.

  3. To request the deletion of their personal information, subject to certain restrictions.

  4. To prevent the sharing or sale of their personal information to third parties.

  5. Sue or join class-action suits against erring businesses.

  6. Receive equal service and price even if they exercise privacy rights.

NOTE: Consent is not required for data collection.

The CCPA covers only businesses and any for-profit entities that conduct business in California, collect personal data of California residents, and satisfy at least one of the following conditions:

  1. Generates more than US$25 million in gross revenues

  2. Possesses personal information of more than 50,000 California consumers, households, or devices

  3. Generates more than 50% of annual revenues from selling the personal information of California residents

Under the legislation, covered businesses should:

  1. Comply with consumer requests for transparency about their personal information

  2. Provide adequate disclosures when asked

  3. Delete relevant data (subject to certain restrictions) upon consumer request

  4. Adhere to guidelines when it comes to how much data can be collected and for how long

  5. Comply with consumer requests to stop sharing their personal information with third parties

  6. Provide the same level and quality of service even to consumers who opt to exercise their privacy rights

  7. Ensure that any data sharing with third-parties meet all restrictions

What is the definition of Personal Information under CCPA?

Personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

  • Biometric information.

  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.

  • Geolocation data.

  • Audio, electronic, visual, thermal, olfactory, or similar information.

    • Professional or employment-related information.

  • Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

From the list above, Piano collects following data:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.

  • Geolocation data.

How will Piano support a client with data subject requests?

Piano Software as an organization does not have to comply with CCPA as we are a service provider and do not sell data.

However, Piano products are used by clients who may be obliged to follow CCPA. Our expectation is that we need to provide support to clients who have data subject requests.

Data Subject Right

Description of compliance

To know what is collected

The following is a description of the data that Piano collects

  • Categories of personal data

    1. Internal

    2. External

    3. Financial

    4. Tracking

  • Sources where we collect data

    1. Pageview data

    2. Login/Registration form

    3. JavaScript

  • Purpose for the collection of the data

    1. To be defined by the Client

  • Categories of sub processors where we share the data

    1. Amazon

    2. Google

    3. Mode

  • Specific personal info collected

    1. First Name

    2. Last Name

    3. Email

    4. Pageview Data

To access personal information that has been collected about them

Piano provides the “My account” widget which provides the user profile to the user. If required, a request to

security@piano.io

will result in a csv file of the user data for the particular UID. Such requests will be handled when received from the client.

To request the deletion of their personal information, subject to certain restrictions.

Deletion requests can be handled by clients via API as described

here

.

Deletion is not necessary in the following cases

  1. Performing according to a contract of service – e.g. the user is a subscriber

  2. If the data is somehow connected to security incidents or fraud

  3. Support requests for debugging and repairing

  4. Exercise free speech

  5. Comply with legal obligation

  6. If the provider is using the data in the context in which the consumer provided the data

To prevent the sharing or sale of their personal information to third parties.

Piano does not sell personal information to 3rd parties. We use sub processors to store and process data for business purposes of providing service to clients. These sub processors include Amazon, Google and Mode Analytics.

Piano provides consent box functionality on registration for clients to use to setup the necessary consents required from end users

Sue or join class-action suits against erring businesses.

Piano will not try to interact with the data subject with regard to legal proceedings.

Receive equal service and price even if they exercise privacy rights.

The Client will ensure that the data subject is treated fairly

TCF Compliance

What does it mean?

Transparency and Consent Framework (TCF) created by IAB Europe helps publishers comply with the EU General Data Protection Regulation and ePrivacy Directive (Cookie Law). It aims to provide publishers ‘’a common language with which to communicate consumer consent for the delivery of relevant online advertising and content.’’

On 21st August 2019, a second version of Transparency and Consent Framework TCF v2.0 was introduced. There were 3 main upgrades performed in the second version:

  • Better transparency to consumers with updated TCF v2.0 purposes and features, to better understand how their data is used;

  • Enhanced consumer controls making it easy for consumers to grant, refuse, or revoke their consent, and to object to data processing not based on consent;

  • More publisher controls through the ability to specify the purposes for which they allow each of their partners to process personal data collected on their properties

How do we comply?

As of June 30, 2020 Piano Audience product supports the full set of consents as suggested by the IAB TCF2.0 guidelines. Similar to Piano’s approach for the preceding TCF1.1 framework, this solution will require that appropriate consents be pushed to Audience via API calls on any update of a user’s consent.

In support of original GDPR requirements, Piano introduced 4 consent classes that govern the actions permissible. These classes, listed below, correspond to the enabling or disabling of specific JS functions that pertain to that consent:

  • pv: The Pageview consent. When this is false or not set, Piano captures no data on any pageviews or events executed by a user. This means that any of their onsite behavior cannot be tracked.

  • ad: The advertising consent. When this is false or not set, Piano does not insert any ad spaces on page, and does not synchronize the user’s identifier with any 3rd party platforms.

  • segment: The Segmentation consent. When this is false or not set, Piano does not surface any segments to which a user belongs. The data and events generated by the user are available for reporting, but the user could not be identified as belonging to any given segment.

  • recs: The Recommendations consent. When this is false or not set, Piano will not provide any content recommendations personalized to the user.

In support of TCF2.0, Piano has introduced new consent classes that similarly control the functionality inherent in Piano’s tech stack to ensure that all consents are upheld.

The below are new classes added to support updates to the TCF:

  • device: The Device consent. When this is false or not set, Piano will scrub any characteristics used to identify a user based on their browser, such as IP address, browser type, OS, etc.

  • geo: The Geolocation consent. When this is false or not set, Piano will not store any geolocation information obtained through pageview metadata, and any users who do not consent will not be included in segments generated on criteria of geolocation. This includes even high-level geolocation identification such as timezone detection.

Between these 6 consent classes, all necessary functionality can be appropriately disabled in response to a user’s TCF2.0 consents.

Health Insurance Portability and Accountability Act (HIPAA) Compliance

What does it mean?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

The Privacy Rule standards address the use and disclosure of individuals’ health information (known as protected health information or PHI) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.”

The following types of individuals and organizations are subject to the Privacy Rule and considered covered entities:

  1. Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include:

    • Claims

    • Benefit eligibility inquiries

    • Referral authorization requests

    • Other transactions for which HHS has established standards under the HIPAA Transactions Rule.

  2. Health plans which include: 

    • Health, dental, vision, and prescription drug insurers

    • Health maintenance organizations (HMOs)

    • Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers

    • Long-term care insurers (excluding nursing home fixed-indemnity policies)

    • Employer-sponsored group health plans

    • Government- and church-sponsored health plans

    • Multi-employer health plans

      Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.

  3. Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.

  4. Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity.These functions, activities, or services include:

    • Claims processing

    • Data analysis

    • Utilization review

    • Billing

While the HIPAA Privacy Rule safeguards PHI, the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called electronic protected health information, or ePHI. The Security Rule does not apply to PHI transmitted orally or in writing.

To comply with the HIPAA Security Rule, all covered entities must:

  • Ensure the confidentiality, integrity, and availability of all ePHI

  • Detect and safeguard against anticipated threats to the security of the information

  • Protect against anticipated impermissible uses or disclosures that are not allowed by the rule

  • Certify compliance by their workforce

Covered entities should rely on professional ethics and best judgment when considering requests for these permissive uses and disclosures. The HHS Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.

Piano falls under the Business associates group of ‘covered entities’ when a client collects, processes PHI and/or ePHI data and transfers that data to Piano.

How do we comply?

Piano has implemented Administrative, Technical and Physical controls to protect PHI and ePHI data. These controls are specified in the Piano Software Group Health Plan.

Administrative controls ensure protection of PHI and ePHI information in compliance with security standards. Such standards are discussed and selected based on the executive management decisions. Piano Software established an Information security management system according to ISO 27001 and is complimented by PCI DSS standards.

Piano Software is committed to protecting its information and that of its clients. To accomplish this Piano Software has established an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2022 as well as contractual agreements and regulatory requirements. This ISMS applies to Piano Software’s cloud-based service software development, support and operations for the management of risk associated with a secure client data environment, whether the data is at rest or in transmission. Controls covering the security of Client data are defined within Master services agreements (MSA) with Clients as well as Data processing agreements that are part of the MSA. Piano Software established Group data protection policy, Intragroup data processing agreements, Binding corporate Rules and Platform privacy policy. 

Physical controls ensure confidentiality, integrity and availability of PHI and ePHI data stored in physical premises. Access to facilities must be physically restricted with access granted to those employees, contingent workers and vendors who have legitimate business responsibilities within the facility. Piano Software does not store or collect PHI or ePHI data at its office premises. Piano Software uses mainly AWS Managed services infrastructure as well as Snowflake. Physical controls implemented by these providers are reviewed on an annual basis by the Information security team.

Piano Software’s Information security policy covers all areas and implemented technical controls from ISO 27001:2022 Annex A including segregation of duties, human resource security, asset management, access control requirements, cryptographic controls, physical security, operations security, network security, secure development lifecycle, supplier relationship policy, incident management, business continuity and disaster recovery and compliance with legislation and requirements.

Certification

On July 10th 2023 we received Type 1 HIPAA/ HITECH Attestation of Compliance. 

The health information security program governing the Analytical and Piano Subscriptions Software System (Piano Analytics, Piano Composer, Piano Management + Billing, Identity Management, Piano ESP) complied with applicable requirements of HIPAA and HITECH. The criteria we used in making this assertion were that:

  • Management determined the applicable controls (the “controls”) included in the health information security program

  • The controls documented complied with the standard and implementation guidance for safeguards as defined by the HIPAA Security Rule including the following:

    • Administrative Safeguards

    • Physical Safeguards

    • Technical Safeguards

    • Organizational Requirements

    • Breach Notification

  • The controls were suitably designed and implemented as of November 22, 2022, to provide reasonable assurance that the applicable HIPAA and HITECH requirements are met.

For more information please get in touch at security@piano.io.

Artificial Intelligence

Use of Artificial Intelligence in our SaaS Products

At Piano, we are willing to leverage Artificial Intelligence (AI) to enhance the functionality and efficiency of our Software-as-a-Service (SaaS) products. In doing so, we prioritize transparency, accountability, and compliance with all applicable regulations, including the European AI Act.

Transparency Commitments:

  1. Clear Communication: We ensure that our users are fully informed about the AI functionalities integrated into our SaaS products. This includes a clear identification when AI is used, as well as providing clear, accessible information on how AI is used, the benefits it brings, and any potential implications for user data and interactions.

  2. Data Usage and Privacy: We are committed to protect user privacy and data security. Our AI features are designed to process data, when applicable, in compliance with the General Data Protection Regulation (GDPR) and other relevant privacy laws. Customers are informed about what data is used in line with the use of AI inside the products, and if personal data is used inside AI models, this meet the requirements signed within the Data Processing Agreement.

  3. Bias Mitigation: The relevant team is actively working to identify and mitigate any biases in how we use AI models to ensure the quality of the outputs and the fair use of data. Our development processes include testing and validation before the release of the AI feature.

  4. Accountability and Oversight: Our AI features are subject to an “Ethics-checklist” by design, so we can evaluate and ensure the operations fit to our internal compliance guidelines. Recommendations of improvement are shared with the dedicated stakeholders, and an escalation process exist if the recommendations are not implemented. The digital ethics team monitors the use of AI with the product stakeholders regularly.

  5. Customer Control: We try to inform our customers as soon as possible when a new Piano AI feature will be released, so they can perform their internal assessment. As described above, all use of AI should meet by default the relevant regulations (AI Act, GDPR, …). Customers can request to deactivate most of AI features for their entire organization.

  6. European AI Act: We are fully committed to complying with the European AI Act. This includes adhering to the requirements for high-risk AI features, ensuring transparency in our AI applications, and maintaining comprehensive documentation and records of our AI features operations and decision-making processes.

Ongoing Improvement:

We continuously review and update our AI features and practices to reflect the latest technological advancements, regulatory requirements, and best practices in AI ethics and transparency.

For more information about our AI policies and practices, or if you have any questions or concerns, please contact us at privacy@piano.io.

Piano AI Features Overview

Product

AI Feature

Documentation

Analytics

Piano AI - Query

analytics-docs.piano.io/en/analytics/v1/ai-in-data-query#AI-Query

Axon - Anomaly Detection and forecast

analytics-docs.piano.io/fr/analytics/v1/axon-analyst-anomaly-detection-prediction

Piano AI - Reveal

analytics-docs.piano.io/en/analytics/v1/piano-ai-reveal

Piano Subscriptions (Composer, ID, Management + Billing)

Likelihood to Cancel

docs.piano.io/ltc-likelihood-to-cancel

Likelihood to Subscribe

docs.piano.io/lts-likelihood-to-subscribe/

Content Likely to Convert

docs.piano.io/content-likely-to-convert/

Likelihood to Return

docs.piano.io/likelihood-to-return/

Likelihood to Register

docs.piano.io/likelihood-to-register/

Content Recommendations

docs.piano.io/piano-content-overview/

Dynamic Paywall

docs.piano.io/pianos-dynamic-paywall/

Audience (DMP, CDP)

Segments Description

docs.piano.io/contextual-segments/

All

Content Profiles

analytics-docs.piano.io/en/analytics/v1/introduction-to-content-profiles

Tutor

docs.piano.io/tutor

Piano Analytics offers a MCP (Model Context Protocol). The related documentation is available here.

Last updated: