Data Processing Policy
Last Updated: August 2024
EXECUTIVE SUMMARY
The Data Processing Manual for Zceppa establishes a robust framework for the processing of personal data within the organization, in compliance with ISO 27701:2019. Covering the Product Development, Engineering, Sales and Marketing departments, the manual describes data processing throughout the data lifecycle, including roles, responsibilities, security measures, and continuous improvement mechanisms. Zceppa, acting as both data controller and data processor, manages the flow of customer data. The legal bases for processing (consent, contractual necessity, legal obligations, and legitimate interests) are detailed, and the data protection principles of lawfulness, fairness, transparency, and accountability are emphasized. The manual sets out data security controls, access controls, encryption, the incident response plan, and breach notification procedures. Data subject rights (access, rectification, erasure, restriction, portability, and objection) are explained. The document also covers subcontracting, data transfer, and records of processing activities. Privacy by design and default, training, monitoring, enforcement, data retention, disposal, and periodic review and updates are integral to Zceppa’s commitment to responsible data processing.
PURPOSE
The purpose of this Data Processing Manual is to establish a comprehensive framework for the processing of personal data within our organization. This manual serves as a foundational document outlining the principles, procedures, and controls necessary to ensure the confidentiality, integrity, and availability of personal information, while also adhering to the requirements set forth in ISO 27701:2019, the international standard for privacy information management.
SCOPE
The Zceppa data processing manual provides comprehensive guidelines for secure data processing in all departments, namely Product Development, Engineering, Sales and Marketing. It covers the entire data lifecycle, ensures compliance with data protection regulations, defines roles and responsibilities, establishes data classifications and quality assurance protocols, outlines security measures, and incorporates continuous improvement mechanisms through audits and updates. The manual serves as a living reference for all personnel involved in data processing within the organization.
DATA PROCESSING OVERVIEW
- Zceppa acts as the data controller for the personal information it processes, determining the purposes and means of processing, and as a data processor where it processes customer data on behalf of its customers.
- Zceppa controls and processes various types of personal data for legitimate business purposes, including:
- Customer data used to provide review management services
- Zceppa ensures that all processing activities are conducted based on a lawful basis, which may include the necessity of processing for the performance of contracts, compliance with legal obligations, consent, or legitimate interests.
DATA FLOW DIAGRAM
The diagram given below illustrates the data flow involved in gathering information related to customer data.
LEGAL BASIS OF PROCESSING
Establishing a legal basis for processing includes transparently communicating the purpose of each processing activity, ensuring that processing aligns with the relevant contracts, identifying applicable legal obligations and maintaining compliance with them, and justifying processing carried out under legitimate interests through documented Legitimate Interest Assessments.
CONSENT COLLECTION
- Customer consent is acquired during the registration process, and additional consent may be sought for marketing communications to ensure compliance with applicable regulations.
- Consent mechanisms for vendors and partners are integrated into contractual agreements, and explicit consent may be requested for specific processing activities.
CONTRACTUAL NECESSITY
- Zceppa must process data to fulfil obligations specified in agreements with data subjects, particularly for delivering goods or services as outlined in contractual terms.
- Clear identification and documentation of these processing activities are essential for ensuring transparency and compliance with data protection regulations.
LEGAL OBLIGATIONS
- Zceppa operates in accordance with data protection laws such as the General Data Protection Regulation (GDPR) and other relevant regional and international regulations.
- The processing of personal data is guided by key principles, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.
- Data processing activities are based on lawful grounds such as consent, contractual necessity, legal obligations, legitimate interests, and, when applicable, vital interests of data subjects.
- Data subjects have rights, including access, rectification, erasure, restriction of processing, data portability, and objection, which are respected and addressed by Zceppa.
LEGITIMATE INTERESTS
- Legitimate interests serve as a legal basis for data processing activities that are reasonably expected and have minimal impact on individuals’ privacy.
- Transparency in communicating these legitimate interests is crucial to building trust with data subjects and maintaining ethical data processing practices.
DATA PROTECTION PRINCIPLES
LAWFULNESS, FAIRNESS, AND TRANSPARENCY
- Zceppa is dedicated to processing data lawfully, abiding by all relevant data protection laws and regulations.
- Zceppa practices prioritize fairness, treating all individuals with equity and avoiding any form of discrimination.
- Transparency is a cornerstone of Zceppa’s approach, and we commit to providing clear and accessible information about our data processing activities, purposes, and policies to ensure our clients’ trust and understanding.
PURPOSE LIMITATION
- Zceppa adheres to the principle of purpose limitation, processing your data only for specific and legitimate purposes communicated to you at the time of collection.
- Periodic reviews are conducted to ensure ongoing alignment with our organizational goals and legal obligations.
DATA MINIMIZATION
- Zceppa prioritizes data minimization by collecting and processing only the information essential for the intended purpose.
- Regular reviews and procedures are in place to identify and delete any data that is no longer necessary or relevant.
ACCURACY
- Zceppa commits to maintaining accurate and up-to-date data.
- Zceppa’s procedures include regular reviews, validation during data entry, and mechanisms for data subjects to update their information.
- Zceppa employs data quality controls to ensure the accuracy of the information it processes.
STORAGE LIMITATION
- To safeguard customer privacy, Zceppa adheres to strict storage limitation policies.
- Zceppa’s commitment is to store only the information essential to its operations.
INTEGRITY AND CONFIDENTIALITY
- The integrity and confidentiality of your data are paramount to us.
- Zceppa uses encryption, access controls, and secure transmission protocols. Data is encrypted both in transit and at rest.
- Zceppa’s commitment extends to annual security audits (Vulnerability Assessment and Penetration Testing), employee training on data security, and continuous efforts to safeguard the confidentiality and integrity of the data we process.
ACCOUNTABILITY
- Zceppa encourages individuals to reach out with any privacy concerns, demonstrating dedication to responsible and transparent data processing.
DATA SECURITY CONTROLS
ACCESS CONTROLS
- Zceppa employs strict access controls to safeguard sensitive data.
- User authentication and authorization mechanisms are in place to ensure that only authorized personnel have access to specific information.
- Regular internal and external reviews are conducted to align access permissions with job roles and responsibilities, enhancing overall data security.
- Furthermore, a privileged user access list is maintained and reviewed quarterly by senior management.
ENCRYPTION
- To enhance data security, Zceppa employs encryption to safeguard information both when stored and when transmitted.
- Zceppa adheres to industry best practices, using robust encryption algorithms and secure key management for comprehensive protection.
- Valid encryption processes shall include:
  - Transport Layer Security (TLS) 1.2 or later
  - IPsec Virtual Private Network (VPN), in one of the following architectures:
    - Gateway-to-Gateway
    - Host-to-Gateway
    - Host-to-Host
INCIDENT RESPONSE PLAN
- Zceppa prioritizes a swift and effective response to potential data security incidents.
- Zceppa has a detailed incident response plan in place, specifying the steps to be taken in the event of a breach.
- Regular drills and updates ensure our readiness to address and mitigate security incidents promptly.
- Any security-related incident within Zceppa must be reported to the incident response team through the established channels immediately after it is discovered.
- Zceppa has established a point of contact to receive reports of information security events. Zceppa shall ensure that this point of contact is known throughout the organization, is always available, and is able to provide an adequate and timely response. Users of information services are required to note and report any observed or suspected security weaknesses in, or threats to, systems or services.
- Any privacy-related incident shall be reported to our support team, which will respond with a corrective action plan for remediation.
- All workforce members and third-party users shall be made aware of their responsibility to report any security incidents through the appropriate communication channel as soon as possible
- In the event of any security and privacy related incidents the customer can mail to [email protected]
DATA BREACH NOTIFICATION
- In the unfortunate event of a data breach, Zceppa has established clear procedures for notifying relevant parties.
- Zceppa adheres to legal requirements, ensuring timely and transparent communication regarding the breach, its impact, and the measures taken to address and prevent further harm.
- Upon discovery of a breach, the affected system or data is immediately isolated (ring-fenced) to prevent further unauthorized access. A preliminary investigation is then conducted to determine the nature and scope of the breach, including the type of data compromised and the number of affected records or individuals.
DATA SUBJECT RIGHTS
RIGHT TO ACCESS
- As a data subject, you have the right to request access to your personal data held by Zceppa.
- To exercise this right, please submit a written request to our support team [email protected]
RIGHT TO RECTIFICATION
- If you believe that any of your personal data held by Zceppa is inaccurate or incomplete, please contact our support team [email protected].
- Zceppa will promptly review and correct any inaccuracies, keeping you informed throughout the process.
RIGHT TO ERASURE
- You have the right to request the deletion of your personal data from Zceppa.
- To initiate this process, please submit a written request to our support team. We will assess the request, taking into consideration our legal obligations, and communicate the outcome to you within 7 business days.
RIGHT TO RESTRICTION OF PROCESSING
- If you wish to restrict the processing of your personal data by Zceppa, please contact our support team.
- We will assess the request and communicate any resulting restrictions, including their potential impact, in a timely manner.
RIGHT TO DATA PORTABILITY
- Upon request, Zceppa will provide you with your personal data in a format that is structured, commonly used, and machine-readable.
- To exercise this right, please contact our support team.
RIGHT TO OBJECT
- You have the right to object to certain types of data processing activities conducted by Zceppa.
- If you wish to exercise this right, please submit your objection to our support team.
- We will carefully review each objection and provide a response outlining our decision and any relevant implications.
RECORDS OF PROCESSING ACTIVITIES
- Zceppa’s records of processing activities identify each processing activity with detailed information on its purpose, scope, and the categories of personal data involved, and specify the legal basis for processing and how consent is obtained.
- The records also identify the data subjects, document data recipients and transfer mechanisms, define retention periods, detail security measures, outline procedures for handling data subject rights, and specify protocols for responding to a data breach.
- Emphasis is placed on regular reviews and updates of these records to ensure accuracy and compliance with the organizational privacy policy.
- In addition, the record keeping guidelines within the privacy policy underscore the importance of maintaining comprehensive records of processing activities within Zceppa.
- This includes documenting the legal basis for processing, tracking obtained consents and security measures, keeping copies of data sharing agreements, maintaining a comprehensive data breach response record, documenting data subject requests and responses, recording training and awareness initiatives, and conducting periodic audits to ensure ongoing compliance with data protection regulations.
PRIVACY BY DESIGN AND PRIVACY BY DEFAULT
- Zceppa adheres to guidelines focusing on Privacy by Design and Default.
- Zceppa integrates data protection principles into the early stages of system and process design, documents privacy features, and fosters cross-functional collaboration.
- Regular reviews and transparent communication with stakeholders, including data subjects, are emphasized to align with evolving data protection standards.
- Zceppa adopts a holistic approach by incorporating privacy considerations throughout the development stages.
TRAINING AND AWARENESS
- The guidelines for security awareness training encompass assessing employees’ current knowledge, tailoring content to their skills, and providing customized, easily understandable materials.
- Emphasizing regular updates, interactive training, clear communication of policies, and addressing specific areas like phishing and mobile device security are crucial.
- Measuring effectiveness, offering incentives for contributions to security, ensuring accessibility, and considering legal and ethical aspects underscore the ongoing and adaptive nature of fostering a positive security culture within an organization.
- At Zceppa, privacy awareness is included in the security awareness training itself.
- All employees are required to attend the security awareness training, which is conducted every year to maintain its effectiveness.
MONITORING AND ENFORCEMENT
- These guidelines for privacy monitoring and enforcement emphasize the importance of clear communication through established privacy policies, regular audits, and comprehensive employee training.
- They stress the principles of data minimization, encryption, and incident response planning to mitigate privacy risks.
- Additionally, the guidelines recommend managing consent, conducting due diligence on third-party vendors, and integrating privacy into product development.
- Regular compliance checks, monitoring tools, and strict access controls are highlighted for ongoing compliance, while transparency, communication, and enforcement measures underscore the organization’s commitment to privacy. Overall, these guidelines form a comprehensive framework for proactive and compliant privacy management within the organization.
DATA RETENTION AND DISPOSAL
- These guidelines for Zceppa’s retention policies and secure data disposal procedures underscore the importance of aligning policies with legal requirements and industry regulations.
- They advocate for the classification of data based on sensitivity, regular assessments tied to business needs, and clear documentation and communication of policies to stakeholders.
- The integration of retention policies into the entire data lifecycle, coupled with periodic reviews and access controls, ensures compliance and safeguards data integrity.
- Adhering to regular disposal schedules and carefully selecting third-party partners further enhances data security, promoting a comprehensive and compliant approach to information management.
REVIEW AND UPDATE
- These guidelines for privacy within Zceppa emphasize the importance of a structured approach to periodic review of, and updates to, the manual.
- For periodic review, Zceppa maintains a regular review schedule, has developed comprehensive review criteria involving key stakeholders, and documents findings to facilitate continuous improvement of the data processing manual.
- Regarding Updates to the Manual, clear triggers for updates, defined responsibilities, and a timely response mechanism are in place to stay abreast of changes in privacy regulations and technology.
- A communication plan, along with training and awareness initiatives, ensures that relevant stakeholders are informed and aligned with updated procedures.