Last updated: May 31, 2018
Protection of privacy is a fundamental right that is extremely important to DevriX Ltd. (“us”, “we”, or “our”). This statement discloses our procedures and commitment to ensuring an adequate level of protection with respect to personal data handled by us as processors of personal data in our standard contractual clauses.
Personal Data means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).
Data Controller (“Controller”)
Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information is, or is to be, processed.
Data Processor (“Processor”)
Data Processor means any natural or legal person who processes the data on behalf of the Data Controller.
Data Subject (“User”)
Data Subject is any living individual who is using our Service and is the subject of Personal Data.
Data Subprocessor (“Subprocessor”)
Subprocessor means any processor engaged by the Processor or by any other Subprocessor of the Processor who agrees to receive from the Processor or from any other Subprocessor of the Processor personal data exclusively intended for processing activities to be carried out on behalf of the Processor under the terms of a written subcontract.
Technical and Organisational Security Measures
Technical and organisational security measures are measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Description of the Technical and Organisational Security Measures Implemented
Processing of personal data is carried out in accordance with the relevant provisions of the applicable data protection law. We follow technical and organisational security measures when processing personal data.
We provide adequate security measures to protect personal data against accidental or unlawful destruction or accidental loss, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
These measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected after assessment of the requirements of the applicable data protection law.
Our security measures follow adequate standards and may be updated from time to time where security modifications are needed, as long as those updates do not result in a degradation of the overall security measures as part of our legal contract with a controller.
Even though data security is extremely important to us, we can never fully guarantee the absence of data breaches in a system that transfers data over a network. We notify a controller of any security breaches, or of any data processing requests that are not compliant with the applicable law, within 72 hours of their discovery by us.
- Contracting subcontractors. In the event of subprocessing, we inform the Controller in advance, obtain its prior written consent and provide the Controller with a copy of the Subprocessor agreement.
- Assisting in data retention policies. We are instructed by the data Controller on the retention duration of the personal data transferred to us by the Controller in accordance with the applicable data protection law.
- Prompt notifications to concerned parties. We promptly notify a Controller about any legally binding requests for disclosure of personal data or information transferred to us by the Controller.
- Commitment to compliance. We deal promptly and responsibly with all Controller requests related to the processing of personal data provided to us by that Controller and abide by the advice of the supervisory authorities in relation to the applicable law to assist the Controller in the best possible way.
- Data retention. We purge all personal data transferred by a Controller, and its copies, upon termination of the contractual clauses covering services that require data processing activities by us, when the data is no longer needed, or upon a written request from the Controller.
- Client site admin access. We will never share WP Site admin access credentials with anybody else who isn’t involved in a service contract with a data Controller. Only the Controller is able to provide admin access credentials relating to the service contract with us for the website being worked on. Site admin access credentials are always stored in a secure environment.
- Formal written instructions. Where any activities involving personal data take place (including, for example, additional Subprocessors working on the website and having access to personal data, or the copying of a database to a local development environment), documented, written permission is created and recorded in a place to which both parties have access.
- Non-personal data where possible. Even if a service contract with a Controller requires some elements of personal data access, the use of dummy or anonymised data is pursued where possible to restrict and minimise personal data usage and access (particularly relating to development, testing or staging sites).
- Limiting local data backups. Backups are often an essential practice within the development process. Where backups are necessary, they are made in a non-local way, i.e. using a secure online service or facility which the controller uses for storage but which we are also able to access.
- Data access and management. All personal data, whether stored securely online or, if that is absolutely necessary, locally, is securely managed with access restricted to authorised and approved employees only.
- Log files usage. Log files such as debug.log, which can contain personal data, are used selectively as part of the bug fixing process, and are stored outside of the publicly accessible file system where possible. Any logging used is accessible through authentication only. Logs are deleted once they are no longer needed.
- Duty of confidentiality. All personal data that a Subprocessor may access or come into contact with during the course of the contract with a Controller will be treated with total confidentiality, and will never be shared with any parties not directly involved in the delivery of the service contract with the Controller.
- Secure working environment. We develop processes and maintain written agreements with employees to ensure the security of their working environments and of their data processing activity. All hardware, devices, software and services use security that is appropriate to the sensitivity and scale of the data being accessed.