The California Consumer Privacy Act (CCPA) provides California residents with several rights and require companies to implement structural changes to their privacy programs.

How does CCPA apply to xMatters?

xMatters is considered a Service Provider under CCPA, and xMatters collects and processes the personal information of customers and users for the purpose of providing services. xMatters primary responsibility is to ensure that processing activities are compliant with CCPA and, as always, that to  protect the privacy rights of customers and users.

CCPA readiness

xMatters assessed requirements, practices and operational structure in preparation to CCPA. The Privacy Verification Program uses a robust framework, and xMatters was audited by an independent third-party privacy manager,  to assess and verify compliance. The auditor reviewed gaps in processes, verifying controls, and and all founds were properly addressed and  solutions were approved by the xMatters Privacy Officer.

Review the table below to understand our preparation in detail:

Requirement xMatters Compliance
Collecting Information xMatters has a robust Privacy Verification Program in place that organizes resources and make them available to the Information Assurance team.
Monitoring Information The Information Assurance team continually monitors the status of U.S. privacy regulations as they develop.
Leverage CCPA Readiness An independent, third-party auditor worked in collaboration with the Information Assurance team to create a comprehensive privacy framework and assessment plan to verify CCPA compliance.

This framework is centrally managed by the IA Manager using a Governance, Risk Management, and Compliance (GRC) System, where all necessary controls are associated with the requirements to improve visibility, optimize governance, and assess compliance across the entire privacy framework (which also includes GDPR, for example).

Consumer Rights Request Process xMatters has a Subject Access Requests Procedure in place. This process was reviewed and updated to incorporate the 45-day response timeline to satisfy CCPA.
Track Consumer Requests The Information Assurance team has a central log of all requests and a system to tag internal stakeholders and monitor all requests.
Privacy Notice xMatters Privacy Notice is publicly available on our website and is reviewed by our Legal Counsel and Privacy Officer at least annually and as necessitated by developments and changes in applicable privacy laws and best practices.
Keep an up-to-date data inventory Our centralized GRC system streamlines the development of a mature and comprehensive data inventory and map. Customer information is treated as an asset and is an essential component of our inventory of assets.
Periodic revision of the Data Map Our data map is constantly reviewed and provides the necessary understanding of what data we hold and how it is used throughout our organization. We can efficiently and properly respond to requests for access or deletion of personal information.
Data Minimization and Purpose Limitation Only the minimum necessary information to conduct services is processed by xMatters.
Conduct DPIAs Data Privacy Impact Assessments are conducted periodically, taking into account the principles of data minimization and purpose limitation. These assessments are digitally controlled, and results can be compared for continual improvement.
Manage Risks A central risk management software connects threats to assets and, through a documented Risk Assessment Procedure, xMatters can track, remediate and control risks. Historical records and recent findings are analyzed during Risk Management Meetings.
Vendor Management Our GRC system helps us safely onboard vendors, assess risks, document evidence, monitor performance, and securely offboard vendors.
Maintain an incident response process xMatters Breach Notification Process provides a consistent method to assess, investigate, and notify (if needed) in the event of a breach. We take a proactive approach to incidents; immediate and corrective actions are discussed and reported.
Measure the impact of an incident If a breach occurs, response actions are logged on a nonconformity database and our dynamic workflow streamlines risk mitigation, assessment, and lessons learned documentation for future reference and internal review.
Enable individuals to opt out of the sale of personal information xMatters does not sell personal information.

If you still have questions about xMatters readiness to CCPA, do not hesitate in contacting us at