This document outlines current information security and personal data protection practices at Stape Inc. The privacy and security of our clients’ data are among our priorities.
We are implementing a comprehensive data governance system, which aims at:
● adhering to information security practices and controls that are appropriate to the risks arising from the processing, in order to reduce the risk of a data breach;
● achieving compliance with applicable data protection laws, namely the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018;
● supporting our clients with their compliance obligations as data controllers;
● ongoing monitoring and review of our practices and documentation.
We aim to adhere to industry best practices in the field of information security. Below is an outline of the controls in place at Stape that address the core requirements (GDPR Art. 5.1, Art. 28.3 and Art. 32.1) with a direct impact on the security of processing:
● Art. 32.1.a) Encryption. All communication is transferred over an encrypted channel using TLS, which protects data in transit between clients' browsers or servers and our servers against eavesdropping and tampering.
● Art. 32.1.b) Confidentiality, integrity and availability. Confidentiality is achieved through access control restrictions: access to user data is granted on a need-to-know basis, only to team members who require it to perform their duties. Actions such as access, rectification and deletion are logged in the system to provide traceability and accountability, and all team members are required to sign a Non-Disclosure Agreement (NDA).
Integrity is protected by network firewalls that restrict traffic to the systems holding the data. Regular backup schemes are implemented to ensure data availability.
● Art. 32.1.d) Regular assessment
Stape has implemented a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures in place.
● Art. 5.1.c) and Art. 28.3.g) Data minimisation and destruction. Data is permanently deleted when its retention period ends and when the relationship with the client is terminated.
We also take into account local data protection frameworks applicable to the activities of our clients, such as LGPD or CCPA, and are ready to assist them in their compliance.
Where needed, we are ready to sign a Data Processing Agreement (DPA) with clients, which binds us as a data processor to process data only on the client's instructions and with appropriate data protection safeguards. A sample of the document can be found via the link.
To achieve uniform protection of client data, we offer to put in place an international transfer mechanism with Stape, namely the Standard Contractual Clauses (SCCs) approved by the European Commission.
As part of our compliance assessment, we also envisage restructuring the geography of our data processing so that each client's data is stored and processed in the client's own region.
Client data stored on our servers is subject to limited retention periods.
Upon termination of the relationship, we ensure that the personal data is deleted from our systems, as well as from the systems of our subcontractors and vendors.
We pick only those third-party providers that provide sufficient guarantees of information protection. Our due diligence assesses the following items:
We are continuously working on improving our data protection efforts.
To help our clients comply with data protection requirements, we are ready to assist them with the following technical and organisational measures:
1. Assistance with managing personal data and handling requests from data subjects or supervisory authorities. Where requested by a client, we are ready to provide a copy of, rectify, or delete the personal data processed on its behalf.
2. Creation of records of processing activities performed on behalf of our clients.
3. Assistance with Privacy Impact Assessments. As the use of innovative technologies for personal data processing may require a prior risk assessment, we will be glad to assist our clients with conducting Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs). The conditions of such assistance are to be discussed separately and set out in the DPA.
4. Availability for data protection audits. Where necessary, clients may examine our data protection practices to obtain evidence of our data protection measures.
We aim for our privacy and security practices to be consistent and systematic. As our organisation and the external environment continue to evolve, we regularly monitor and review our practices to ensure that data is protected at all times.
If you would like to receive more information on our personal data protection practices, please contact us at firstname.lastname@example.org.