Privacy Compliance

GDPR

Questions
Answers

Appropriate technical and organisational measures are in place to protect PII

We have implemented all the technical and organisational measures (TOM).

Documented processes are in place to manage subject requests

Yes. We have implemented the Data Subject Access Rights Procedure.

Data Processing Agreements are in place with all your sub-processors

Yes. The Data Processing Agreements are in place.

Documented process is in place for the deletion/redaction/anonymisation of PII. Describe/attach your deletion policy.

Yes. The Data Processing Agreements are in place.

Data Privacy Impact Assessments are undertaken where a risk to PII is identified

Yes. We conduct Data Privacy Impact Assessments on an annual basis, and there are no high risks involved in handling the PII.

A formal data breach notification process is in place

A formal data breach notification process is in place.

Does the organisation have security measures in place for data protection?

Customer data security is an essential part of our product, processes, and team culture. Our facilities, processes and systems are reliable, robust, and tested by reputable quality control and data security organizations. We continuously look for opportunities to make improvements in the dynamic technology landscape and give you a highly secure, scalable system to provide a great experience. We have implemented many technical controls to safeguard customer data, for example: Cloudflare Web Application Firewall (WAF), the AWS GuardDuty threat detection service, Amazon CloudWatch, IDS/IPS, etc.

Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified under any international privacy jurisdictions?

We are GDPR compliant. We have implemented the Data Security and Personally Identifiable Information Policy.

Are there policies and processes in place to address privacy inquiries, complaints and disputes?

We have implemented the Data Subject Access Rights Procedure.

If yes, does the Vendor also support surprise audits by the customer or any third parties appointed by the customer?

In accordance with Data Protection Laws, we make available to Controller on request, in a timely manner, such information as is necessary to demonstrate compliance by Processor with its obligations under Data Protection Laws. Upon Controller’s written request and subject to the confidentiality obligations set forth in the Agreement, we will make available to Controller a copy of Nreach's most recent third-party audits or certifications, as applicable. We do not agree to surprise audits.

Does Supplier, in its written agreements with Sub-processors, prohibit Sub-processors from processing Personal Data for any purpose except to provide services to Supplier?

Yes. It’s a part of the agreement.

How will the Personal Data be accessed? By the customer / By Supplier

We have implemented the GDPR. Xoxoday is the data processor.

What are Supplier’s procedures for responding to a data subject request that involves a customer’s Personal Data?

Xoxoday is GDPR Compliant. We have implemented the Data Subject Access Rights Procedure as per the GDPR and make all the data subject rights available as per the data protection laws. This procedure sets out the key features regarding handling or responding to requests for access to personal data made by data subjects, their representatives or other interested parties.

Confirm how Supplier performs audits on its Sub-processors to demonstrate their compliance.

We validate the compliance requirements of the Sub-processor and obtain the compliance certificates and audit reports, such as ISO 27001:2013, SOC 2 Type II, ISO 27017, ISO 27701, ISO 27018, Cloud Security Alliance Controls, etc.

Describe the process in place for customers to gain access to their personal data as required by the EU regulations.

We have implemented the Data Subject Access Rights Procedure to make sure that all data subjects have the opportunity to exercise their rights as per the privacy laws. The Xoxoday Data Subject Access Rights Procedure is attached.

Does the Cloud Hosting Provider provide independent audit reports (e.g., Service Operational Control - SOC) for their cloud hosting services?

We provide Software as a Service (SaaS). We are ISO 27001 certified and GDPR compliant. The document is attached.

Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified under any international privacy jurisdictions?

We are GDPR compliant, and the Data Security and Personally Identifiable Information Policy is attached.

Are there policies and processes in place to address privacy inquiries, complaints and disputes?

The Data Subject Access Rights Procedure is attached. Please visit here for the Privacy Policy: https://www.xoxoday.com/privacy-policy

Share the process of secure data disposal at various stages, e.g., once data is archived / no longer required, end of the contract.

We are GDPR compliant and respect the data subject access rights. We erase or delete the data upon request of the data subject, or on the request of the customer upon termination of the contract. We have a Data Retention and Disposal Policy. Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places. The Data Retention and Disposal Policy is attached.

Data purging policy for the customer related process.

We have a Data Retention and Disposal Policy. Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places.

Contract shall require supplier to comply with all applicable privacy and data security laws, e.g. EU Data Privacy Directive (future GDPR), and preferably have a specialized resource assigned with clear responsibilities to safeguard data protection and privacy. E2. The solution should address data sovereignty issues, providing solutions for the customer being compliant with local regulations and laws in all countries where the customer has operations.

Xoxoday is Compliant with EU GDPR.

Contract requires an immediate notification to the customer of circumstances that might suggest a breach has occurred, along with cooperation in investigation and remediation.

We are compliant with GDPR. We inform the customer within 48 hours if there is any data breach, as per the compliance requirements.

1) Are you subject to the requirement of appointing a DPO under GDPR art. 37? 2) If yes, have you appointed such a Data Protection Officer, with the qualifications, tasks and position that follows from GDPR art. 37 – art. 39?

At Xoxoday we have appointed a DPO. Please click here to know more about Xoxoday and GDPR: https://www.xoxoday.com/gdpr

Describe how the principles of Data Protection by Design and Default, as described in GDPR art. 25, have been or may be implemented in the services that you offer to the customer.

Over 2 million customers across the globe trust us with their data security. We back ourselves up with robust data security and privacy practices that form an integral part of our product engineering and service delivery principles. Our comprehensive GDPR program is supported by key privacy principles: Accountability, Privacy by Design and Default, Data Minimization, Subject Access Rights, among others. Technology and operations related to the business are subject to regular sensitization programs. Please click here to know more about Xoxoday and GDPR: https://www.xoxoday.com/gdpr

Describe how you will be able to delete or fully anonymize Personal Data elements or Personal Data relating to specific individuals from the information systems that will be used to deliver the services to the customer, both during the engagement and upon termination. In addition, please describe how deletion or anonymization will cover Personal Data held in any back-up copies or by any (sub) processors.

We have implemented the Data Subject Access Rights procedure (DSAR).
1. Personal data can be deleted based on a formal written request, with justification.
2. Xoxoday would delete the data within 30 days of receiving the request.
Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places. The Data Subject Access Rights procedure (DSAR) is attached.

Does the cloud vendor allow reports from security audits to be submitted to regulatory authorities (i.e. the Data Protection authority)?

Xoxoday is GDPR compliant and has shared the Data Protection Impact Assessment (DPIA). We are not required to submit the report to the Data Protection Authority.

Does the cloud provider comply with the data privacy regulations incl. GDPR?

Xoxoday is compliant with GDPR.

Does the Cloud provider offer any regulatory compliant data processor agreement? EU Standard Contractual Clauses for the transfer or availability of data outside the EU are regulatory compliant if used correctly. Please note, access to data from abroad is normally considered a transfer of data even if the data is stored in country.

We offer EU Standard Contractual Clauses.

Does the contract ensure that Supplier is obliged to support the customer in facilitating exercise of data subjects' rights such as access/correct/erase their data, and (where applicable) notify the customer of any data breaches affecting the customer’s data?

We support end users to exercise their rights as per the GDPR compliance requirements.

Does the contract clarify Supplier's responsibilities to notify the customer in the event of any data breach which affects the customer’s data?

We are compliant with GDPR. We inform the customer within 48 hours if there are any data breaches, as per the compliance requirements.

Does the contract ensure that Supplier is obliged to co-operate with regard to the customer’s right to monitor / audit processing operations?

In accordance with Data Protection Laws, we make available to Controllers on request, in a timely manner, the necessary documents, audit reports and certifications, and such information as is necessary to demonstrate compliance by Processor with its obligations under Data Protection Laws. Upon Controller’s written request and subject to the confidentiality obligations set forth in the Agreement, Xoxoday will make available to Controller a copy of Nreach's most recent third-party audits or certifications, as applicable.

Does the contract specify the conditions for returning the personal data and destroying the data once the service is concluded?

We adhere to the Data Retention and Disposal Policy and make sure that the personal information of the data subject will be deleted upon request or termination of the contract. Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places.

Does the contract include specific safeguards like Privacy Shield arrangement, standard contractual clauses (SCC) or binding corporate rules to regulate transfers of data to non-adequate third countries?

We offer standard contractual clauses (SCC) or binding corporate rules to regulate transfers of data to non-adequate third countries.

How does the cloud provider provide customer data at end of term? (Data portability and methodology to be followed). Transfer technology, file formats, protocols, metadata etc.

We adhere to the Data Retention and Disposal Policy and make sure that the personal information of the data subject will be deleted upon request or termination of the contract. Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places.

Are you compliant with Data Privacy standards like GDPR?

The GDPR Data Protection Policy and Data Security Policy are attached.

List of sub-processors

AWS - We have deployed our application on the AWS virtual platform cloud. AWS is a GDPR, ISO 27001 and SOC 2 certified organization.

What are the Personal Information collected? Also mention the mandatory and optional fields.

We collect names, email IDs and phone numbers. This is the mandatory information required to use the application platform.

If it involves data of the users in the EU region, does it comply with the GDPR regulations? For example, user data should not leave the EU physical geography?

Yes. We are GDPR compliant.

Information hosted and processed

The application is deployed on the AWS virtual platform cloud. We are a data processor as per GDPR, and all the information is collected only through our application. We use TLS 1.2 encryption for data in transit and AES-256 for data at rest. Additionally, we have an intrusion detection/monitoring application that alerts on unauthorized access.

When would UP be notified?

We notify data controllers within 48 hours of the breach, or within the stipulated time as agreed with the data controller.

Do your sub-processors (vendors) access your customer's information? If YES, please complete our PII Data Sub-processor Template

Yes

Do these sub-processors (vendors) contractually comply with your security standards for data processing?

Yes

(Only applicable if your company/data centers are based in the US) For the provision of services, do you process EU citizens' personal data?

Yes

Have you appointed a Data Protection Officer (DPO)?

Yes. We have appointed a DPO.

Do you plan on being Privacy Shield certified within the next 12 months?

No. The EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. Please visit here for more details: https://www.privacyshield.gov/Program-Overview

Describe or attach your Security Incident Response Program.

See the Security Incident Reporting & Response Procedure attached. We are GDPR compliant. Our information security team and customer support team will inform the POC of the customer via email communication with a Preliminary Incident Synopsis and Root Cause Analysis (RCA) report, including the details of Business Impact, Issue Description, Root Cause, and Corrective Actions.

Do you have formally defined criteria for notifying a client during an incident that might impact the security of their data or systems? What are your SLAs for notification?

Yes. We have formally defined criteria for notifying a client during an incident that might impact the security of their data or systems. We notify within 72 hours as per EU-GDPR.

Data Protection Training and Awareness – Indicate what awareness-raising controls are carried out with regards to colleagues

We conduct Information Security and Data Protection awareness training as soon as new employees join the organization, and annually for existing employees. The training material includes the concepts below:
- Information Security Objective
- How to handle and protect PII
- What is ISO 27001:2013
- Confidentiality, Integrity, Availability and Privacy
- Business and cyber security
- PDCA – Continual improvement
- General guidelines for security
- Visitor management security guidelines
- Guidelines while using Xoxoday provided devices
- Password guidelines
- Email related guidelines
- Social media related guidelines
- Phishing attacks and their types
- Information storage related guidelines
- Incident Management
- Business continuity management

Managing personal data breaches - Indicate whether IT incidents are subject to a documented and tested management procedure

We have implemented the Security Incident Reporting & Response Procedure, which is tested annually. We also have a Data Breach Notification Procedure as per the GDPR compliance requirements. We will share the supporting documents with regard to the data breach notification and incident management procedures.

When a person working with the customer data no longer performs that role, are their permissions to the customer data revoked?

Yes. We provide these rights to the data subject as per GDPR.

Service provider shall include a commitment for response time in the event of a security incident, in line with the customer requirements.

We inform our customer within 48 hours in case of any security breaches, as per the GDPR regulation.

Describe your security model, including network, data, and application security; data center security; application and system support; upgrades and maintenance; and personnel access rights.

We have implemented policies and procedures as per ISMS and GDPR requirements. We also conduct periodic internal and external audits by a third-party auditor. We have deployed our application on a cloud virtual platform for maximum security. We use Bitdefender endpoint security software to prevent malware and protect the data. In addition to that, we also have the AWS GuardDuty threat detection service that continuously monitors for malicious activity and unauthorized behaviour. We conduct periodic Vulnerability Assessment and Penetration Testing from an industry-approved authorized vendor to make sure that all vulnerabilities are closed and the applications are secured. We use logical data isolation with the help of company-specific encryption keys. Data in the non-production environment is not updated with production data; we generate separate test data. Data in transit: TLS 1.2 encryption. Data at rest: AES-256. As per the Information Security Policy and Data Protection Policy, only authorised individuals have access to the data, through an internal approval and ticketing system.

Has the retention period of the collected PII data been decided?

Yes. The Data Retention and Disposal Policy is attached.

Does the application have the feasibility to cater to data subject access requests for erasure, restriction and data portability?

Yes. We are GDPR compliant. We have a procedure in place to provide services to data subjects.

Is PII shared with any third-party vendor? If yes, are the contracts with the third parties incorporated with the required privacy clauses?

We do not share the PII with any third parties.

Do you ensure that the data processing is restricted to as required by the signed TCS contract?

We restrict the processing of data as per the contract signed.

Do you have a personal data breach management process defined and followed?

We are GDPR compliant. We have implemented the Data Breach Notification Procedure. Our information security team and customer support team will inform the customer via email communication with a Preliminary Incident Synopsis and Root Cause Analysis (RCA) report, including the details of Business Impact, Issue Description, Root Cause, and Corrective Actions.

Do you have processes to identify data subject requests and direct them to TCS where TCS is the Data Controller and support TCS in the execution of these requests?

We have provided the features for end users to withdraw consent or exercise their rights. The Data Subject Access Rights Procedure is attached.

Does this application have any personal data touch points? (Collect / Store / Process / Transfer)

Yes. We collect the data through our application. As per the GDPR, we are the data processor.

Does this application have personal information of EU citizens as well?

No. Since it’s a SaaS product, we have EU customers who are using our application.

Whose personal information is being collected? (ex. Customer, Vendor, Employee, Visitor etc.)

Employees.

Does the application perform any automatic decision making (arriving at a decision solely on the basis of processing of PII automatically) or profiling on the PII captured?

No. We collect the data through this application and store it. We do not use, transfer or share the PII.

Is a privacy notice displayed to the Data Subject?

Yes. It's posted on our website, and they can exercise their rights as per the law.

Is consent taken and recorded from the Data Subject?

Yes. We do take consent from the data subjects.

Do you have a defined retention period for the personal data categories selected above? Please mention the agreed retention period.

We dispose of the data upon the expiry of the data retention period as per the agreements, or when the data subject exercises their right to have their personal data erased; the personal data shall then be deleted.

Is explicit consent taken for sending communication related to Marketing / Advertisement?

We do not use personal information for Marketing or Advertisement.

If Yes, do you provide the Data Subject the option to Opt-out or Unsubscribe?

NA. We do not use personal information for Marketing or Advertisement.

Is the application managed or maintained by any external third-party? (Third party having access to the personal data elements selected above)

No. But we have deployed our application on AWS cloud virtual platform for maximum security.

Do you consider yourself the data owner or data processor?

We are the data processor.

Do you meet international privacy requirements? (GDPR, NDB Scheme, PDPA)

We are GDPR compliant.

How long will our data be retained for? Does the service provider have a data retention and disposal policy?

Yes. We are GDPR compliant and we have a data retention and disposal policy. We assure secure data disposal when storage is decommissioned or when the contract comes to an end. We also provide users the right to request data deletion. GDPR Policy: https://www.xoxoday.com/gdpr

What arrangements are in place for return of data to corporate upon contract conclusion or termination?

We will delete the customer data upon termination of the contract.

What arrangements are in place for deletion of data upon contract conclusion or termination?

Our data cleansing process goes through an organized purge. Once the data is purged, it's purged from all places or completely wiped out.

Please reconfirm or confirm the following: The company will notify Nova Professional Services of an incident or data breach within 24 hours. The company agrees to keep Nova Professional Services fully informed of incident response and investigation.

We are GDPR compliant, and we would notify Nova Professional Services of an incident or data breach within 72 hours. We will make sure that Nova Professional Services is kept fully informed of the incident response and investigation.

Have you identified all legal/regulatory requirements that your company is supposed to adhere to? Please list the key ones. How do you ensure compliance to the same? Please describe

We are ISO 27001:2013 certified and GDPR compliant. We also conduct internal reviews and audits, and external audits by third-party auditors, to make sure that we are complying with the requirements.

What are the communication channels and SLAs defined for notifying Infosys of any information security breach directly related to Infosys data or that may have a potential impact on Infosys?

We notify data controllers within 48 hours of the breach, or within the stipulated time as agreed with the data controller, through email.

Do you have a process to manage any request arising from the Infosys end on data subject rights, towards access, rectification, erasure or restriction of processing, to the extent such request extends to the processing of personal data as part of your service?

Yes. We provide service to the data subject as per the GDPR compliance requirements. They can rectify, erase or restrict the processing of their personal data.

Is only the required data displayed and transmitted by the application?

Xoxoday is GDPR compliant. We collect only the data which is required. We collect the PII: Name, Email ID and Phone number.

CCPA/CPRA

Questions
Answers

What are the regulations around indemnity / liability for data privacy breaches?

We are compliant with EU GDPR and CPRA (California Privacy Rights Act).

The PII protection standards met by the cloud service provider.

We are EU GDPR compliant and CPRA certified.

Does a process exist to identify new laws and regulations with IT security implications (e.g., new state breach notification requirements)? I.e., monitoring newsletters, webinars, security or regulatory forums, etc.

Yes. We comply with all the applicable new laws and regulations. We also have a service provider who helps us with regard to information security, compliance and certifications, etc. We identified the upcoming CPRA, implemented the controls and achieved the CPRA attestation with the help of the external auditor.
