Keeping our customers’ information safe and secure is one of the highest priorities for Deltek. We have implemented and continually maintain strong security and privacy protections that reflect industry best practices, including relevant requirements under applicable data protection regulations. Deltek’s services are backed by technical and administrative safeguards and dedicated security, operational and privacy teams. As we work to enhance and develop our products and services, we have processes in place to incorporate security and privacy from the early stages of development.
Information & Frequently Asked Questions
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, better known as the General Data Protection Regulation (GDPR), is designed to enable persons present in the European Union (EU) to better control their personal data. The GDPR identifies two primary parties in scope of its requirements – controllers and processors. Controllers determine the “purpose and means of the processing of personal data.” Processors process personal data “on behalf of the controller.” The GDPR became effective on May 25, 2018.
In the context of the GDPR, Deltek takes on the role of processor in its relationship with its customers. As a result of this role, Deltek has certain general responsibilities as outlined in the GDPR. Keeping customers’ information, including personal data, safe and secure is among our highest priorities and most important responsibilities. Deltek works to implement and maintain strong security and privacy protections that reflect best practices as it relates to the GDPR.
As of January 1, 2021, the United Kingdom (UK) will be treated as a “third country” outside the European Union (EU)/European Economic Area (EEA) and will be required to satisfy the same data transfer requirements under the EU General Data Protection Regulation (GDPR) as other non-EU/EEA and non-adequate jurisdictions. The use of the European Commission approved Standard Contractual Clauses is expected to be considered a viable data transfer mechanism for the exchange of personal data by and among EU/EEA states and the UK. This determination is based on the GDPR requirement that all Member States implement a “local” version of the GDPR. The UK implemented the Data Protection Act 2018 to fulfill that requirement before it initiated Brexit proceedings while it was still an EU Member State. The obligations under the Data Protection Act 2018 match the requirements under the GDPR, so Deltek will apply the same rules regarding data transfers and security safeguards to data transferred to/from the UK as it does for data transfers subject to the GDPR.
For all of our EU/EEA-based customers, Deltek enters into a Data Processing Agreement in accordance with Article 28 processor requirements, such as our General Privacy Terms; through this agreement, Deltek ensures that the European Commission approved Standard Contractual Clauses are incorporated, as well as a disclosure of technical and organizational safeguards. Our General Privacy Terms, released at the end of 2019, contemplated this potential change in status for the UK and incorporated our UK entity, Deltek GB Limited, as a signatory to the SCCs at such time as it is no longer considered a Member State of the EU. We do not anticipate concerns pertaining to how our data is hosted, as our data center locations continue to remain in EU countries, Ireland and Germany, which keeps them outside the scope of Brexit.
Deltek recommends that customers consult the latest guidance, including the “Brexit Readiness Checklist” published by the European Commission, to ensure that any business operations that need to be addressed given the changing relationship with the EU and the UK are considered. Deltek continues to monitor the guidance issued by the European Commission and European Data Protection Board, updating our contractual obligations and business operations in accordance with the applicable requirements.
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018 and went into effect on January 1, 2020. The CCPA has a tiered applicability based on specific criteria, first to businesses, then to service providers, and lastly to third parties. It also created an array of new consumer privacy rights and governs the sale and sharing of consumers’ personal information.
As with the GDPR, Deltek processes personal information through its products on behalf of its customers, some of whom may be subject to the CCPA. Our customers disclose their consumers’ personal information for the business purpose pursuant to a written contract or agreement entered into with Deltek. In the context of the CCPA, Deltek takes on the role of a service provider in relation to its customers who are governed by the CCPA – as noted in Exhibit 1 to our General Privacy Terms. Deltek is well situated to meet its obligations as a service provider and has implemented and maintains processes to ensure the security and privacy features of its products provide the capabilities to enable customers to comply with their obligations under CCPA.
The Court of Justice of the European Union (“CJEU”) issued a judgment in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, commonly referred to publicly as “Schrems II”, on July 16, 2020 declaring that the EU-US Privacy Shield Framework (“Privacy Shield”) is no longer a valid cross-border data transfer mechanism for personal data transferring from the EU to the US.
However, despite the invalidation of the Privacy Shield, the CJEU noted that personal data transfers from the EU to the US or elsewhere in the world could still take place subject to standard data protection clauses adopted by the European Commission (the “Standard Contractual Clauses”) as a valid cross-border data transfer mechanism. In its judgment, the CJEU stated that it is up to the data exporter and the data importer to assess the level of data protection as part of their contractual agreement and ensure the proper level of protection was afforded to personal data transfers.
We incorporate and rely upon the Standard Contractual Clauses as our approved cross-border data transfer mechanism for any personal data transfers from our EU/EEA-based users to the global network of Deltek affiliates, including Deltek, Inc. in the US. For our cloud-based products, we have primary and secondary hosting locations based on region (i.e., EU-based customers have primary and secondary data storage locations in the EU) so transfers of personal data to the US typically do not occur for regular cloud data storage and are intended for customer care or engineering support cases following the requirements of the data processing addendum between Deltek and the customer.
On November 12, 2020, the Commission published revised draft Standard Contractual Clauses for public consultation. These proposed new Standard Contractual Clauses anticipate the need for the data importer and data exporter to carefully assess the nature and circumstances of the data transfers that will be undertaken and ensure a sufficient level of data protection is in place. According to the Commission, the latter assessment may incorporate an additional development from the Schrems II decision – consideration of “supplementary measures” that may be taken by the data importer to protect personal data in the receiving jurisdiction. The Commission’s implementing decision draft confirmed that there will be a 12-month transition period from the adoption of the new Standard Contractual Clauses by the Commission, during which time businesses may continue to rely on the existing Standard Contractual Clauses while they implement or convert to the new version in their contracts.
Upon release of the Commission-approved new Standard Contractual Clauses, Deltek will undertake to transition all existing customers to the new version and will replace the version currently included in the Deltek General Privacy Terms to ensure our cross border transfers continue to operate based upon an approved mechanism. Additionally, Deltek is refining the description of its security measures in the General Privacy Terms in order to address the “supplementary measures” and will provide more detail regarding our administrative, technical, and organizational safeguards that protect our customers’ personal data. These updates will be incorporated in the General Privacy Terms in the near future as well.
Deltek takes the security of our Customers’ data very seriously and has established and maintains a robust privacy and data security framework that is outlined in our General Privacy Terms. As this landscape evolves, we will continue to examine and refine our operations in a manner that continues to align with industry best practices and regulatory guidance and brings comfort to our customers that we remain your trusted partner. If you have any questions or would like to discuss the matter and any specific concerns you have further, please feel free to reach out to email@example.com. We’re happy to help.
Deltek conducts regular audits against the SOC standards, discussed in more detail on our compliance page. We can provide copies of the SOC Reports upon request where appropriate. In addition, Deltek assesses certain products on a regular basis against the National Institute of Standards and Technology’s Special Publication 800-171. For additional information on these assessments, please visit our compliance page. If you have any specific questions regarding Deltek’s compliance with any legal requirements, please contact firstname.lastname@example.org.
Deltek and its affiliates are located around the world. For more information, please visit our locations page.
Deltek has a robust security program and implements and maintains appropriate technical and organizational measures to ensure that data is secured, taking into account the state of the art technology, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity of potential impact to the rights and freedoms of individuals. Visit our security page for detailed information.
Under the GDPR, Articles 37-39 discuss the designation, position, and tasks of a data protection officer. Deltek’s business practices do not require us to appoint a data protection officer as outlined under the GDPR. However, our Legal Department is responsible for overseeing Deltek’s privacy and data protection program, advising the business with regard to the impact of relevant laws and regulations on our processing operations, and serving as the primary point of contact for inquiries by individuals and supervisory or regulatory authorities. Questions may be submitted electronically to email@example.com or via mail to:
Attn: Legal Department - Privacy
2291 Wood Oak Drive
Herndon, VA 20171
If you are a customer, please consult your agreement with Deltek, which outlines what Deltek’s activities are in the scope of our provision of service or your purchase of our products. You can also contact your customer care representative.
Deltek is building out additional resources, such as our Privacy and Data Security Reference document, so make sure to check this page regularly for the latest information.
If you would like to adjust your preferences for email communications, unsubscribe from certain types of communications or opt-out of all email communications, please visit our Email Preference Center. If you would like to re-subscribe, you can always opt back in through the same process.
Deltek takes claims of copyright infringement seriously and will respond to notices of alleged copyright infringement that comply with applicable law. If you believe any materials accessible on or from any Deltek websites (the "Websites") infringe on your copyright, you may request removal of those materials (or access to them) from the Websites by submitting written notification to Deltek’s copyright agent designated below. In accordance with the Online Copyright Infringement Liability Limitation Act of the Digital Millennium Copyright Act (17 U.S.C. § 512) ("DMCA"), the written notice (the "DMCA Notice") must include substantially the following:
- Your physical or electronic signature;
- Identification of the copyrighted work you believe to have been infringed or, if the claim involves multiple works on the website, a representative list of such works;
- Identification of the material you believe to be infringing in a sufficiently precise manner to allow Deltek to locate that material;
- Adequate information by which Deltek can contact you (including name, postal address, telephone number, and, if available, email address);
- A statement that you have a good faith belief that use of the copyrighted material is not authorized by the copyright owner, its agent, or the law;
- A statement that the information in the written notice is accurate; and
- A statement, under penalty of perjury, that you are authorized to act on behalf of the copyright owner.
Deltek’s designated copyright agent to receive DMCA Notices is:
Deltek - Office of the General Counsel
Attn: Compliance Counsel
2291 Wood Oak Drive
Herndon, Virginia 20171
If you fail to comply with all of the requirements of Section 512(c)(3) of the DMCA, the DMCA Notice may not be effective. Please be aware that if you knowingly materially misrepresent that material or activity on the Website is infringing your copyright, you may be held liable for damages (including costs and attorneys' fees) under Section 512(f) of the DMCA.