GDPR Compliance

It is now 6 weeks before the new GDPR regulations come into force and I have yet to see anything from InfusionSoft about their official compliance. They will have to have Privacy Shield and however many times I ask them I am not getting a definitive answer.
Does anyone else know what is going on? I have spoken to experts in the field of GDPR and they say that at the moment InfusionSoft are NOT compliant and it is our responsibility to make sure that the suppliers we use are.

So unless they can perform a miracle in 6 weeks can I assume that we will be forced to stop using their database?


Some of what is needed has been addressed and IS has an official statement here:

I believe, however, as IS is simply a tool, that it is incumbent upon the user of the tool to be sure to use it in a way that is congruent with GDPR. In other words, when emails are, and are not allowed to be sent, can already be controlled within IS and it is up to the user to properly manage that within campaign builder. Similarly, setting up webforms for optin with a checkbox is up to the user to ensure they are compliant as Infusionsoft is used by many around the world that are not required to use the restrictions of GDPR and therefore the option to use or not use that as a feature remains open but not restrictive to those that don’t have that requirement. Most of GDPR is about you ensuring you’re compliant. On the side of Infusionsoft, they have security in place for the storage of data securely, so it is up to the user to ensure they only collect information in a GDPR compliant way.

Thank you John. We are aware of what our obligations are regarding GDPR, but because IS stores all our data in the US, it has to comply with GDPR and prove that they store the data securely. Most companies in the US have a Privacy Shield certification to prove that they are adhering to certain criteria; IS haven’t got one yet and are trying to get customers to sign an EU Model Contract as an easier way to get compliance. I wanted to know if IS were trying to get the Privacy Shield because we have been advised not to use companies without the Privacy Shield. We would not be compliant if they weren’t!

Gotcha, @Bridget_Greenwood,

@Lyle_Lamb, I know you’re not directly involved with the GDPR matter but who would Bridget be able to direct questions to that would know the specifics she is asking about?

Hi Bridget,

Part of this is making sure our own lists and how we use them are compliant. Part of that is that we need to be able to show when and how someone opted into our database and disclose how we are using their data - those have to do with our processes around using Infusionsoft and our own company policies and procedures.

Infusionsoft is adding more around a contact being able to opt out and ask to be forgotten, which addresses part of their compliance.

Does that help at all? Happy to share more about what we are doing with clients if helpful to you. We mainly work with B2B on email marketing (not so much ecom), so that’s where I’m coming from.

Thanks Cindy, I am happy with what we are doing to be compliant, I am more concerned with IS and their storage of our data, that is where the breach may easily happen, especially when they say in their addendum that they can move the data to anywhere in the world without our permission.

They have also not guaranteed that they will inform us of a breach within the 72 hours that is needed under GDPR, they state that they will inform us as soon as… Their Addendum is very ‘loose’. I am not convinced that we are safe with IS as it is now. I have had expert advice and they agree with me.

To feel secure with IS they need to have Privacy Shield but they are not going to apply for that…

We are now 15 days from GDPR and as yet I have not had any assurances from IS, however many times I ask…

@Bridget_Greenwood, have you taken a look at

Yes, I have looked at everything including their EU model contract. As far as I can see they are not compliant yet… I am waiting for their new addendum to be issued, as they have stated:

"How can Infusionsoft guarantee I will be able to use my account after the GDPR comes into effect?

We will offer a new Data Processing Addendum, that will replace our prior DPA. The new DPA isn’t dramatically different from our old DPA, but it does address all of the GDPR-specific concepts. For reference, the old DPA is available here:

The new DPA will govern the terms by which we, as a data processor, processes data on behalf of you, our customers, (who are typically data controllers) in accordance with Article 28 of the GDPR."

2 days to go and according to my understanding Infusionsoft is still NOT compliant and as a result nor are we.
Moreover, Infusionsoft did not implement strategies to make GDPR user friendly for us. Say a user withdraws consent using a form or a button, there’s no automatic way to stop that user from receiving emails in existing campaigns, we are supposed to opt out the user manually.

Honestly, manual intervention is not what I had signed up for…

I wrote to Joseph, Infusionsoft’s Data Protection Officer, but have not received an answer yet.

I’m worried


I’ve JUST received this pop up when I signed into Infusionsoft. Not sure if this helps!