Privacy Compliance

GDPR

Questions
Answers
Appropriate technical and organisational measures are in place to protect PII
We have implemented the appropriate technical and organisational measures (TOMs) to protect PII.
Documented processes are in place to manage subject requests
Yes. We have implemented the Data Subject Access Rights Procedure.
Data Processing Agreements are in place with all your sub-processors
Yes. Data Processing Agreements are in place with all of our sub-processors.
Documented process is in place for the deletion/redaction/anonymisation of PII. Describe/attach your deletion policy.
Yes. We have a Data Retention and Disposal Policy, which is attached, and data is erased on request of the data subject or of the customer on termination of the contract.
Data Privacy Impact Assessments are undertaken where a risk to PII is identified
Yes. We conduct Data Privacy Impact Assessments on an annual basis, and no high risk has been identified in our handling of PII.
A formal data breach notification process is in place
Yes. A formal data breach notification process is in place.
Does the organisation have security measures in place for data protection?
Customer data security is an essential part of our product, processes and team culture. Our facilities, processes and systems are reliable and robust, and are tested by reputable quality control and data security organisations. We continuously look for opportunities to improve in a changing technology landscape and to provide a highly secure, scalable system. We have implemented many technical controls to safeguard customer data, for example a Cloudflare Web Application Firewall (WAF), AWS GuardDuty threat detection, Amazon CloudWatch monitoring and IDS/IPS.
Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified under any international privacy jurisdictions?
We are GDPR compliant and have implemented the Data Security and Personally Identifiable Information Policy.
Are there policies and processes in place to address privacy inquiries, complaints and disputes?
We have implemented the Data Subject Access Rights Procedure.
If yes, does the Vendor also support surprise audits by the customer or any third parties appointed by the customer?
In accordance with Data Protection Laws, we make available to the Controller on request, in a timely manner, such information as is necessary to demonstrate the Processor's compliance with its obligations under Data Protection Laws. Upon the Controller's written request, and subject to the confidentiality obligations set forth in the Agreement, we will make available to the Controller a copy of the most recent third-party audits or certifications, as applicable. We do not agree to surprise audits.
Does the Supplier, in its written agreements with Sub-processors, prohibit Sub-processors from processing Personal Data for any purpose except to provide services to the Supplier?
Yes. It is part of the agreement.
How will the Personal Data be accessed? By the customer, or by the Supplier?
We have implemented the GDPR requirements. Xoxoday acts as the data processor.
What are Supplier’s procedures for responding to a data subject request that involves a customer’s Personal Data?
Xoxoday is GDPR compliant. We have implemented the Data Subject Access Rights Procedure as per the GDPR and make all data subject rights available as required by the data protection laws. This procedure sets out the key steps for handling and responding to requests for access to personal data made by data subjects, their representatives or other interested parties.
Confirm how Supplier performs audits on its Sub-processors to demonstrate their compliance.
We validate the compliance requirements of each Sub-processor and obtain its compliance certificates and audit reports, such as ISO 27001:2013, SOC 2 Type II, ISO 27017, ISO 27701, ISO 27018 and Cloud Security Alliance controls.
Describe the process in place for the customers to gain access to their personal data as required by the EU regulations
We have implemented the Data Subject Access Rights Procedure to ensure that all data subjects are able to exercise their rights under the applicable privacy laws. The Xoxoday Data Subject Access Rights Procedure is attached.
Does the Cloud Hosting Provider provide independent audit reports (e.g., Service Organization Control (SOC) reports) for their cloud hosting services?
We provide Software as a Service (SaaS). We are ISO 27001 certified and GDPR compliant. The document is attached.
Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified under any international privacy jurisdictions?
We are GDPR compliant. The Data Security and Personally Identifiable Information Policy is attached.
Are there policies and processes in place to address privacy inquiries, complaints and disputes?
The Data Subject Access Rights Procedure is attached. Our privacy policy is available at https://www.xoxoday.com/privacy-policy
Share the process of secure data disposal at various stages, e.g., once data is archived or no longer required, or at the end of the contract.
We are GDPR compliant and respect data subject access rights. We erase or delete data upon request of the data subject, or upon the customer's request on termination of the contract. We have a Data Retention and Disposal Policy. Our data cleaning process goes through an organised purge; once data is purged, it is purged from all locations. The Data Retention and Disposal Policy is attached.
Data purging policy for customer-related processes.
We have a Data Retention and Disposal Policy. Our data cleaning process goes through an organised purge; once data is purged, it is purged from all locations.

CCPA/CPRA

Questions
Answers
What are the regulations around indemnity / liability for data privacy breaches?
We are compliant with the EU GDPR and the CPRA (California Privacy Rights Act).
The PII protection standards met by the cloud service provider.
We are EU GDPR compliant and hold a CPRA attestation.
Does a process exist to identify new laws and regulations with IT security implications (e.g., new state breach notification requirements), such as monitoring newsletters, webinars, security or regulatory forums, etc.?
Yes. We comply with all applicable new laws and regulations. We also engage a service provider who assists us with information security, compliance and certifications. We identified the upcoming CPRA, implemented the required controls and achieved CPRA attestation with the help of an external auditor.