Request Vendor Updates

On May 25, 2018, a new landmark privacy regulation called the General Data Protection Regulation (GDPR) takes effect in the European Union (EU). The GDPR expands the privacy rights granted to EU individuals, and it places many new obligations on organizations that handle EU personal data, no matter where an organization is located. This page contains important information on UL EHSS’s GDPR process and resources to help our clients comply with the regulation.


What is GDPR?

A new comprehensive data protection regulation in the EU that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.

Click here to view the full FAQ 

What is UL EHSS doing to meet GDPR requirements?

Our team has worked across all departments to ensure your data is protected. Our software solutions comply with GDPR and include a way for clients to honor any GDPR “right to be forgotten” requests received.  We protect all data with the security controls outlined in our Infrastructure and Security Overview and undergo annual SOC 2 Type II and/or ISO 27001 security audits.

We also make available a pre-signed Data Processing Addendum clients can execute to get the GDPR-required contractual terms in place with us. Simply print, counter-sign and return to us at Our US offices are Privacy Shield certified, allowing lawful transfer of EU personal data to our servers in the US.

Our Privacy Shield certification is available here. Our PURE Sustainability, PURE Supply Chain, and PURE Safety (legacy cr360) solutions are hosted from our data centers in the United Kingdom and maintain ISO 27001 certification. In preparation for Brexit, clients can also execute our pre-signed model clause data transfer agreement allowing lawful transfer of EU personal data to the United Kingdom. Simply fill out the highlighted portions throughout, print, counter-sign and return to us at

For solutions hosting personal data of EU residents, the GDPR requires that we make available a list of our vendors that may receive EU personal data as part of our services.  Note that PURE Health (SYSTOC) is not used in Europe and is not in scope.

PURE Sustainability, PURE Supply Chain & PURE Safety (legacy cr360):

  • Mindtree Limited –  India
  • MEGA Automation, Ltd. – Hong Kong

PURE Safety Learning Management (LMS)

  • Mindtree Limited – India
  • Iron Mountain – USA

PURE Health (OHM)

  • Mindtree Limited – India
  • Iron Mountain – USA

If you would like to receive an alert when the list changes for your solution area, please submit the form on this page and we will send an alert when there is an update.

Where can I learn more about GDPR?

Additional information about the GDPR is available on the official GDPR website of the EU.