Call Toll Free: 888-623-2374

Request InformationSupport


With your privacy policy and data protection at the forefront of all our decisions, we have made these updates to comply with the General Data Protection Regulation and to continue to meet and exceed privacy guidelines, standards, and regulations regarding data privacy laws.

What does GDPR mean for you?

Enforceable May 25, 2018, the General Data Protection Regulation (GDPR) is a new requirement for the European Union (EU) which was designed to update the existing Data Protection Directive. This new legal framework goes into effect for any organization which collects and processes personal data of citizens of the EU, regardless of where they are currently based.

PunchOut2Go is committed to protecting its partner’s data and the individuals they represent, and this improvement will continue to strengthen and standardize user data privacy across the EU nations. Our services and policies are designed meet and exceed the guidelines, standards, and regulations around data protection and use.

While the GDPR applies to all EU Member States, PunchOut2Go is dedicated to providing the best protection and service across its global footprint, and this document describes how PunchOut2Go approaches GDPR and complies to our customers.

GDPR at PunchOut2Go

As a data gateway platform, PunchOut2Go behaves as a “processor” under GDPR. This means that we process data on behalf of a “controller”, who is responsible for decisions about the use of that data. Within GDPR, both organizations have responsibilities and obligations. This relates both to the contracted relationship between controller and processor, as well as that between the controller and their end user/partner.

As the processor, we have a direct obligation to you, our customer, to process and use the data only for the purposes that we have been contracted for. Along that same lines, PunchOut2Go expects its customers to handle the data accessible through our system with the same compliance, based on their relationship with their users and partners.

Part of our service to you in relation to GDPR is to support your compliance to your customers. This comes in the form of our processes and ability to help comply with GDPR’s “Rights of the Data Subject” as it relates to the data we collect. Simply submit a GDPR request to or submit a GDPR ticket at

Below are five key GDPR principles and how we exercise them in our commitment to you.

1. Lawful Basis for Processing

This foundational principle in GDPR ensures your data is processed lawfully, fairly, and transparently. PunchOut2Go executes data based on our contracted relationship with you, our customer. Within the lawful basis of processing we only use the data as it is necessary to perform the service we are contracted to do. We only engage with data that we have received from either side of the transaction. Our customer, the “controller”, in execution of the contract, can make requests on that data, such as retention rates, that are applicable to your needs.

2. Individual Rights

GDPR introduces concepts related to an individual’s rights to his/her “personal information”. This comes in the form of ideas like: “Right to be informed”, “Right to rectification”, and “Right to erasure”. As part of these rights, a controller needs to be able to respond to a request where the individual exercises their rights.

A controller can relay a GDPR request to PunchOut2Go by phone or through one of our GDPR request channels (listed above). PunchOut2Go will review the request and support the controller in the response, as it relates to the data on our systems. Individuals that we interact with directly also have the right make such requests on their own behalf through the channels provided above.

3. Accountability and Transparency

An additional cornerstone to GDPR principles is accountability and transparency.

PunchOut2Go adheres to common industry standards such as PCI and ISO for security and controls to safeguard customer data. We follow a comprehensive set of policies and procedures that govern the use and handling of data. By implementing “data protection by design and default”, our core handling of data is with fair, lawful and purposeful action. We are aligning with the Privacy Shield framework and have implemented an independent third party dispute resolution service. We also provide dedicated channels for any data privacy inquiries and requests. Additional and more specific information is available in our Data Protection Agreement (DPA).

4. Cross-Border Data Flows

As part of GDPR’s Data Transparency, this covers general principles for international data transfers and applicable disclosures.

PunchOut2Go’s services are currently based in the United States. As data is processed, it is submitted from the data’s origin country to the U.S., and then is transmitted to the data’s destination country (which may or may not be the same as the origin).

5. Sub-Processors

Just as our customers rely on us for their B2B integrations and transactions, we too rely on others to help us run our business and perform our services. PunchOut2Go maintains up-to-date service agreements with these organizations.

Organization Use, Service Provided Geography
Google, Google Apps Corporate Email, Office and Storage US
QuickBooks Accounting, Billing US
Salesforce, Pardot CRM & Marketing US
Google Analytics Website Analytics US
Google AdWords Advertising US
Olark Online Chat US
MailChimp Marketing Emails, Service Notifications US
SingleHop Application Datacenter US
AWS Application Datacenter US, EU
Google Transactional Emails US, EU
AWS Transactional Emails US, EU
Seeburger VAN Transactions US, EU
Teamwork Project Management US
Freshdesk Support Ticketing US


If you have any questions, please contact our Data Protection Officer, EU representative, and Data Protection Team by emailing us at