Data Security and Privacy
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Privacy Laws” means all applicable regional, national, and international laws, orders, regulations, and regulatory guidance now or in the future relating to information security, privacy and data protection.
“Data Subject” means any identified or identifiable natural person to whom Personal Data relates and as defined by applicable Data Privacy Laws.
“Personal Data” means any information that: (i) identifies or can be used to identify, contact or locate an individual (including, without limitation, by reference to an identifier such as names, signatures, addresses, telephone numbers, e-mail addresses, identification number, location data, online identifier and other unique identifiers); or (ii) can be used to authenticate an individual (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or PINs, financial account numbers, credit report information, biometric data, answers to security questions and other personal identifiers), or (iii) is otherwise protected under applicable Data Privacy Laws including any information and data which constitutes personally identifiable information or personal data under applicable Data Privacy Laws.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data whether or not by automated means, such as access, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Security Incident” means an actual or suspected unlawful or accidental destruction, loss, unauthorized disclosure of, or access to, Client Confidential Data transmitted, stored or otherwise Processed..
“Service Provider” means the company NextSCM Solutions Pvt. Ltd. or it’s brand name Increff
“Sub-Processor” means a third-party subcontractor engaged by Service Provider as a Service Provider Party which, as part of Service Provider’s role of delivering the Services and Deliverables, will process Personal Data of Client
Service Provider represents and warrants that it complies with ISO/IEC 27001:2013 standards.
Service Provider Personnel
The Service Provider will ensure that access to Personal Data is limited to those Service Provider employees and contractors (“Personnel”) and agents who have a need to know. Service Provider will ensure that its Personnel engaged in the Processing of Personal Data have received appropriate training on their responsibilities and have executed written confidentiality obligations and such obligations survive the termination of that persons’ engagement with the Service Provider.
Service Provider has appointed, where required by applicable Data Privacy Laws, a data protection officer who meets the requirements under such laws for the performance of his or her duties.
The Service Provider may only appoint a Sub-Processor who follows all digital security norms specified in this document.
Service Provider will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
- anonymization of Personal Data
- measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Services and Deliverables;
- the ability to restore the availability and access to Client Confidential Information in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing;
- a process and procedures to monitor and log processing systems for unauthorized changes and other evidence the processing environment has been compromised.
The Service Provider will document and monitor compliance with these measures.
The Service Provider will use strong encryption methodologies to protect Client Confidential Information transferred over public networks, and will implement whole-disk encryption for all Personal Data at rest. Service Provider will fully document and comply with Service Provider’s key management procedures for crypto keys used for the encryption of Client Confidential Information.
The Service Provider will retain all Client Confidential Information in a physically and logically secure environment to protect from unauthorized access, modification, theft, misuse and destruction. The Service Provider will utilize platforms to host Client Confidential Information that are configured to conform to industry standard security requirements and will only use hardened platforms that are continuously monitored for unauthorized changes.
The Service Provider will utilize antivirus programs that are capable of detecting, removing, and protecting against all known types of malicious or unauthorized software with antivirus signature updates at least every one day (24 hours). The Service Provider will implement firewalls designed to ensure that all outbound traffic to Client Systems are restricted to only what is necessary to ensure the proper functioning of the Services and Deliverables. All other unnecessary ports and services will be blocked by firewall rules at the Service Provider network.
The Service Provider will ensure that it is using industry standards in preventing vulnerabilities, including OWASP top 10
Updates and Patches
Service Provider will establish and maintain mechanisms for vulnerability and patch management that are designed to evaluate twice a year application, system, and network device vulnerabilities and apply Service Provider-supplied security fixes and patches in a timely manner, taking a risk-based approach for prioritizing critical patches.
Data Loss Prevention
The Service Provider will maintain a “data loss prevention” (DLP) or “extrusion prevention” solution to protect Client Confidential Information, and will integrate the results of that activity with its program for audit logging and intrusion detection as described below.
Audit Logging; Intrusion Detection
The Service Provider will collect and retain audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events, complying with applicable policies and regulations. Audit logs will be reviewed to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs will be restricted to authorized Service Provider Parties.
On an annual basis, Service Provider will conduct a independent security assessment or penetration test performed by a recognized and authoritative third-party provider (e.g. Accenture, PwC, KPMG, BSI), Any ‘High’ or ‘Critical’ findings will be remediated in a timely manner.
The Service Provider does not process payments, so the standards followed for payment privacy (including without limitation PCI DSS) may not be applicable.
Disaster Management and Business Continuity
The Service Provider will provide documentation of its formal and secure disaster recovery plan, meeting a standard of good industry standards and redacted for proprietary and confidential information.
Security Incident Notification
If the Service Provider becomes aware of any actual or suspected Security Incident, Service Provider will without undue delay, but in no event later than forty eight (48) hours, after becoming aware of the Security Incident:
- Notify Client of the Security Incident;
- Investigate the Security Incident and provide Client with information about the Security Incident;
- Take reasonable steps to mitigate the effects, to remedy and to minimize any damage resulting from the Security Incident;.
GDPR and Privacy Compliance
Processing of Personal Data
Service Provider will inform Client immediately if it finds violation of any Data Privacy Laws or requirements.
Service Provider will
- Put relevant GDPR recommended mechanism in place like
- Pseudo anonymization of PII data.
- Limit access of PII data to necessary personal only
- Ensure that Personal Data collected in an GDPR compliant country will be Processed only in GDPR compliant regions (with GDPR compliant mechanisms)
- Amend, update, supplement, return or delete any Personal Data as soon as reasonably practicable at Client’s request.
- Promptly notify the Client if it receives a request from a Data Subject for information, access to, correction, amendment, deletion, erasure, portability, or restriction of processing of that person’s Personal Data..