Data Protection and Security Policy
This sets out i-nexus’ Data Protection and Security Policy.
1. Introduction
i-nexus is committed to preserving the confidentiality and integrity of all information it holds and processes and to operating its business in compliance with the requirements of relevant Data Protection Laws and Regulations.
We recognize the importance of Personal Data and of respecting the privacy rights of individuals. This Data Protection & Security Policy (“Policy”) sets out the principles which we apply to our Processing of Personal Data and use of Confidential Information and our commitment to safeguard one of the most valuable assets which belong to our Customers.
This Policy supplements the i-nexus data processing addendum and describes i-nexus’ approach to ensuring the privacy and security of the Customer Data, including the technical and organizational measures adopted by i-nexus which are applicable to the i-nexus products and Services.
Any questions about this Policy should be raised with the Data Officer whose details are at the end of this Policy.
2. Definitions
The following key words and phrases are used within this Policy:
“Confidential Information” | means all confidential information disclosed by the Customer to i-nexus whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information (including Personal Data); |
---|---|
“Customer Data” or “Data” | means all electronic data or information submitted by or on behalf of the Customer including data submitted through an API and, where the context so admits, the content and or form/appearance of any document templates created by Customer in the course of using the Services; |
“Data Controller” | means the entity which determines the purposes and means of the Processing of Personal Data; |
“Data Processor” | means the entity which Processes Personal Data on behalf of the Controller; |
“Data Protection Laws and Regulations” | means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states and the United Kingdom, applicable to the Processing of Personal Data as part of the Services; |
“Data Subject” | means the identified or identifiable person to whom Personal Data relates; |
“GDPR” | means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); |
“Personal Data” | means any information relating to an identified or identifiable natural person where such data is Customer Data. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; |
“Processing” | means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; |
“Services” | means: (i) access to the relevant i-nexus solutions provided via Customer’s login link at the i-nexus website or another designated web site or IP address; and/or (ii) ancillary online or offline products and services provided or licensed to Customer by i-nexus. |
3. Data Protection and Security
Under the Data Protection Laws and Regulations, Personal Data must be processed in accordance with certain data protection principles, under which Personal Data must:
- be processed fairly and lawfully and in a transparent manner;
- be obtained and processed only for one or more specified, explicit, and lawful purposes;
- be adequate, relevant and not excessive in relation to the purpose;
- be accurate and, where necessary, kept up to date;
- be kept for no longer than is necessary for the purpose;
- be processed in accordance with the rights of Data Subjects and in a manner, that ensures appropriate security, integrity and confidentiality of the Personal.
i-nexus ensures it employs appropriate technical and organizational measures to adhere to these principles.
3.1 Nature and Purpose of Processing
The purposes for which we use your information and the legal basis under the Data Protection Laws and Regulations on which we rely to do this are explained below.
Where you have provided CONSENT
We may use and process your Personal Data where you have consented for us to do so for the following purposes:
- contact you via email or text with marketing information about our Services if you (i) register for an account with us online and indicate that you would like to receive such marketing from us; (ii) sign up to our newsletter, emails/ texts via our website or other medium where available; or (iii) when you refresh your marketing preferences when responding to a request from us to do so.
You may withdraw your consent for us to use your information in any of these ways at any time by using the unsubscribe automated link included at the bottom of i-nexus marketing emails. Alternately please send an email to info@i-nexus.com, putting OPTOUT in the title.
Where there is a LEGITIMATE INTEREST
We may use and process your Personal Data where it is necessary for us to pursue our legitimate interests as a business, or that of a third party, for the following purposes:
- for marketing activities (other than where we rely on your consent to contact you by email or text with information about our products and services or share your details with third parties to do the same, as explained above);
- for analysis to inform our marketing strategy, and to enhance and personalise your customer experience (including to improve the recommendations we make to you on our website);
- to correspond or communicate with you;
- to verify the accuracy of data that we hold about you and create a better understanding of you as a Customer;
for network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access; - for prevention of fraud and other criminal activities;
- to comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request);
- to assess and improve our service to customers through recordings of any calls with our contact centres;
- for the management of queries, complaints, or claims;
- for the establishment and defence of our legal rights;
- to administer the Website.
Where there is a LEGAL REQUIREMENT
We will use your Personal Data to comply with our legal obligations: (i) to assist a public authority or criminal investigation body; (ii) to identify you when you contact us; (iii) to send you any required information if you are a shareholder, and/or (iv) to verify the accuracy of data we hold about you.
Where it is required to complete a CONTRACT
i-nexus will Process Personal Data as necessary to perform the i-nexus services and as further instructed by the Customer in its use of the Services, as a Data Controller. This shall include automated processing of Personal Data to evaluate and analyze certain personal aspects relating to the Data Subject, in particular to analyze or predict aspects concerning that Data Subject’s personal preference, interests, behaviour and location.
3.2 Categories of Data Subjects
Customer may submit Personal Data to the i-nexus services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Prospects, customers, business partners and vendors of Customer (who are natural persons);
- Employees or contact persons of Customer’s prospects, customers, business partners and vendors;
- Employees, agents, advisors, freelancers of Customer (who are natural persons);
- Customer’s users authorized by Customer to use the Services.
3.3 Type of Personal Data
Customer may submit, or allow collection of, Personal Data in the use of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name;
- Title;
- Position;
- Employer;
- Contact information (company, email, phone, physical business address);
- ID data;
- Behavioral and profile data;
- Personal preferences;
- Connection data;
- Location data.
3.4 Data Segregation
The Services are operated in a multitenant architecture that is designed to segregate and restrict Customer Data storage and access based on business needs. The architecture provides an effective logical data separation for different Customers via Customer-specific unique IDs and allows the use of customer and user role based access privileges. Additional data segregation is ensured by providing separate environments for different functions, especially for testing and production.
3.5 Security Controls
i-nexus has implemented procedures designed to ensure that Customer Data is processed only as instructed by the Customer, throughout the entire chain of processing activities by i-nexus and its sub-processors. Additionally, the Services undergo security assessments by internal personnel and third parties, which include infrastructure vulnerability assessments and application security assessments.
i-nexus adopts a number of security controls, which include:
- Unique user identifiers to allow Customers to assign unique credentials for their users and assign and manage associated permissions and entitlements;
- Controls to ensure initial passwords must be reset on first use;
- Controls to limit password re-use;
- Password length and complexity requirements;
- Customers have the option to integrate Single Sign-On technologies to directly control the authentication and credential complexity, expiration, account lockout, IP white/black listing ;
- Customers have the option to manage their application users, define roles, and apply permissions and rights within their implementation of the Services;
- User passwords are stored using a salted hash format and are not transmitted unencrypted;
- User access log entries will be maintained, containing date, time, User ID, URL executed or identity ID operated on, operation performed (accessed, created, edited, deleted, );
- If there is suspicion of inappropriate access to the Services, i-nexus can provide Customer log entry records to assist in forensic analysis. This service will be provided to Customers on a time and materials basis;
- User access logs will be stored in a secure centralized host to prevent tampering;
- User access logs will be kept for a minimum of 90 days;
- i-nexus personnel will not set a defined password for a user.
3.6 Intrusion Detection
i-nexus, or an authorized independent third party, will monitor the Services for unauthorized intrusions using network-based intrusion detection mechanisms.
3.7 Security Logs
All i-nexus systems used in the provision of the Services, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems) in order to facilitate security reviews and analysis.
3.8 Incident Management
i-nexus maintains security incident management policies and procedures. i-nexus notifies impacted Customers without undue delay of any unauthorized disclosure of their respective Customer Data by i-nexus or its agents of which i-nexus becomes aware to the extent required by Data Protection Laws and Regulations.
3.9 User Authentication
Access to the Services requires a valid user ID and password combination (or via integrated Single Sign-On mechanism), which are encrypted via TLS while in transmission, as well as machine specific information for identity validation as described under “Security Controls,” above. Following a successful authentication, a random session ID is generated and stored in the user’s browser to preserve and track session state.
3.10 Physical Security
Production data centers used to provide the Services have access control systems. These systems permit only authorized personnel to have access to secure areas. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around the-clock guards, two-factor access screening, including biometrics, and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure.
3.11 Reliability and Backup
All infrastructure components are configured in a high availability mode or in a redundant fashion. All Customer Data submitted to the Services is stored on infrastructure that supports high availability and is backed up on a regular basis. This backup data is retained for at least 24 weeks. Backups are transmitted and stored in encrypted form and held in a secondary data center region at least 100 miles from the primary region.
3.12 Disaster Recovery
The Services’ production systems are protected by disaster recovery plans which provide for backup of critical data and services. A comprehensive system of recovery processes exists to bring business-critical systems back online within the briefest possible period of time. Recovery processes for database security, systems administration, and network configuration and data provide a roadmap for personnel to make processes available after an outage. The Services’ disaster recovery plans currently have at least the following standard target recovery objectives: (a) restoration of the Services (RTO) within 132 hours after i-nexus’ declaration of a disaster; and (b) maximum Customer Data loss (RPO) of 72 hours; excluding, however, a disaster or multiple disasters causing the compromise of multiple data centers at the same time, and excluding development and test bed environments, such as the sandbox service.
3.13 Viruses
The Services have controls in place that are designed to prevent and detect the introduction of viruses to the Services’ respective platforms.
3.14 Data Encryption
The Services use, or enable Customers to use, industry-accepted encryption products to protect Customer Data and communications during transmissions between a Customer’s network and the Services, including 128-bit TLS Certificates and 2048-bit RSA public keys at a minimum.
3.15 Return of Customer Data
During the contract term, Customers may export a copy of Customer Data processed by the Services. Within 30 days of termination of the applicable Service, Customers may: 1) request return of Customer Data submitted to the Services; or 2) access their account to export or download Customer Data submitted to Services.
3.16 Deletion of Customer Data
After termination of the Service, following the 30-day period for return of Customer Data, Customer Data submitted to the Services is retained in inactive status for up to 90 days, after which it is securely overwritten or deleted except for any Customer Data that is required to be retained for example as part of invoicing records for HMRC purposes or as part of a contractual requirement.
3.17 Analytics
i-nexus may track and analyze the usage of the Services for purposes of security and helping i-nexus improve both the Services and the user experience in using the Services. For example, we may use this information to understand and analyze trends or track which of our features are used most often to improve product functionality.
i-nexus may share anonymous usage data with i-nexus’ service providers for the purpose of helping i-nexus in such tracking, analysis and improvements. Additionally, i-nexus may share such anonymous usage data on an aggregate basis in the normal course of operating our business; for example, we may share information publicly to show trends about the general use of our Services.
Additionally, i-nexus uses Customer Data consisting of data and metrics derived from Customer’s websites and social accounts with third party social platforms, such as geographic location, time of day of use, greatest period of use by industry, and other metrics including spend rates or click rates by geographic location and by industry to create an aggregated and anonymized data set (“Anonymized Data”). No Customer Data consisting of personally identifiable information is contained in the Anonymized Data, nor any data that would identify Customers, their users, Customers’ clients, or any individual, company or organization. I-nexus combines the Anonymized Data with that of other customers to create marketing reports and to provide product features.
3.18 Sub-processors
i-nexus and its affiliates have entered into written agreements with their sub-processors containing privacy, data protection, and data security obligations that provide a level of protection appropriate to their processing activities.
i-nexus utilizes the services of the following sub-processors to provide part of the i-nexus infrastructure to host Customer Data and provide the Services:
- Rackspace – i-nexus operates its Services from Rackspace. Data stored in Rackspace is held within i-nexus’ Rackspace subscriptions across multiple geographic regions (limited to the EEA where the Customer entity and i-nexus entity are based inside the EEA) – https://www.rackspace.com/en-gb/compliance
- Mailchimp – i-nexus uses this marketing automation tool to deliver email campaigns, share web pages and online ads with clients, subscribers and other interested parties. Mailchimp has necessary provisions in place to be compliant with GDPR requirements and other data protection regulations. Read more at: https://kb.mailchimp.com/accounts/management/about-the-general-data-protection-regulation
- Salesloft – i-nexus uses Salesloft to manage follow-up communications on the enquiries it receives from clients, prospects and other interested parties. Salesloft takes security and compliance with data protection regulations seriously. Read more at https://salesloft.com/security-compliance/
- Salesforce – i-nexus uses this platform to manage customer and prospect data as well as to process incoming inquiries about its Services. Salesforce has a comprehensive set of compliance certifications and is 100% committed to protecting personal and business data. For more information, go to https://trust.salesforce.com/en/compliance/
3.19 European specific provisions – Overseas Transfers
The GDPR requires that Personal Data must not be transferred to a country or territory outside the European Economic Area (i.e. the member states of the EU plus Iceland, Liechtenstein and Norway), unless that country or territory or organization ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
Subject to paragraph 3.20, where the Customer entity and the i-nexus entity are based inside the EEA, i-nexus shall not transfer Personal Data to any country outside of the EEA without prior written consent from the Customer, except for transfers to and from: (i) any country which has a valid adequacy decision from the European Commission; or (ii) any organization which ensures an adequate level of protection in accordance with the applicable Data Protection Laws and Regulations.
YOUR RIGHTS
You have a number of rights in relation to your Personal Data under Data Protection Laws and Regulations. In relation to certain rights to access your Personal Data, we may ask you for information to confirm your identity and, where applicable, to help us to search for your Personal Data. Except in rare cases, we will respond to you within one month from either (i) the date that we have confirmed your identity or (ii) where we do not need to do this because we already have this information, from the date we received your request.
Accessing your Personal Data
You have the right to ask for a copy of the information that we hold about you by emailing or writing to us at the address at the end of this policy. We may not provide you with a copy of your Personal Data if this concerns other individuals or we have another lawful reason to withhold that information.
Correcting and updating your Personal Data
The accuracy of your information is important to us and we are working on ways to make it easier for you to review and correct the information that we hold about you.
In the meantime, if you change your name or address/email address, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us using the details described at the end of this policy.
Withdrawing your consent
Where we rely on your consent as the legal basis for processing your Personal Data, as set out under, you may withdraw your consent at any time by contacting us using the details at the end of this policy. If you would like to withdraw your consent to receiving any direct marketing to which you previously opted-in, you can do so using the unsubscribe automated link included at the bottom of i-nexus marketing emails. Alternately please send an email to info@i-nexus.com, putting OPTOUT in the title.
If you withdraw your consent, our use of your Personal Data before you withdraw is still lawful.
Objecting to our use of your Personal Data and automated decisions made about you
Where we rely on your legitimate business interests as the legal basis for processing your Personal Data for any purpose(s), you may object to us using your Personal Data for these purposes by emailing or writing to us at the address at the end of this policy. Except for the purposes for which we are sure we can continue to process your Personal Data, we will temporarily stop processing your Personal Data in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your data.
Erasing your Personal Data or restricting its processing
In certain circumstances, you may ask for your Personal Data to be removed from our systems by emailing or writing to us at the address at the end of this policy. Unless there is a reason that the law allows us to use your Personal Data for longer, we will make reasonable efforts to comply with your request.
You may also ask us to restrict processing your Personal Data where you believe it is unlawful for us to do so, you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings. In these situations we may only process your Personal Data whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.
Transferring your Personal Data in a structured data file
Where we rely on your consent as the legal basis for processing your Personal Data or need to process it in connection with the Services, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine readable form, such as a CSV file.
You can ask us to send your Personal Data directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your Personal Data if this concerns other individuals or we have another lawful reason to withhold that information.
Complaining to the UK data protection regulator
You have the right to complain to the Information Commissioners Office (ICO) if you are concerned about the way we have processed your Personal Data. Please visit the ICO’s website for further details.
4. Confidential Information
i-nexus will keep Confidential Information (which of course extends beyond Personal Data) it receives confidential in accordance with the relevant agreement between the Customer and i-nexus and, except with the prior written consent of the Customer or as permitted in the relevant agreement, will:
- Not use or exploit the Confidential Information in any way except for the purposes for which it has been disclosed;
- Not disclose or make available the Confidential Information in whole or in part to any third party; and
- Apply the technical and organizational measures as detailed in to this Policy to Confidential Information.
5. Contacts and Responsibilities
In each of i-nexus’ offices and internal departments, we have appointed “Data Owners” who are locally responsible for ensuring that employees within their department or area receive appropriate training and are working in compliance with this Policy. The Data Owners undertake regular assessments of Data types and ensure that the right levels of protection are in place.
i-nexus has appointed an overall Data Officer who is responsible for:
- Acting as a key point of contact for data protection queries and the reporting of breaches for all Data Owners, employees, customers and Data Subjects;
- Monitoring and ensuring the compliance with this Policy across the whole of the i-nexus group worldwide and dealing with any disputes which may arise concerning data protection issues;
- Conducting reviews of internal procedures to ensure that they continue to provide adequate protection of Customer Data and Confidential Information;
- Liaising with Data Owners to deliver training, improve security awareness and communicate information relating to this Policy to employees;
- Updating this Policy to reflect any changes in data protection laws;
- Registering with government agencies (such as the UK Information Commissioner’s Office).
If you have any queries regarding this Policy, please contact our Data Officer by email at dataofficer@i-nexus.com
6. Amendments to This Policy
This Policy will be updated from time to time by the Data Officer to reflect any changes in legislation or in our methods or practices. The current issue of the Policy will be available from our website at i-nexus.com or from our Data Officer.
We recommend you regularly check for changes and review this policy whenever you visit our website. If you do not agree with any aspect of the updated policy you must immediately notify us and cease using our Services.