- Scope of the Policy
- Third-Party Processors
- Specific Measures to Ensure Data Protection
- Data Protection Breaches
1.1. Keytrack Holdings Limited (“Keytrack”, “The Company”), as a cloud-based software-as-a-service business, takes its responsibilities regarding the management of security very seriously. This document provides the policy framework through which effective management of Data Protection matters can be achieved. This Policy is addressed to Keytrack’s clients as well as to those individuals who will provide their personal data for processing (hereinafter “Data Subjects”).
1.2. The Company is a Processor of personal data (Processor as defined under Article 28 of the EU GDPR) and is engaged by Keytrack’s clients (the Controllers) to process personal data, including from Data Subjects, for the agreed purposes established in our terms of service at http://Keytrack.me/terms-of-service.
2.1. The purpose of this policy is to ensure that Keytrack’s staff comply with the provisions of New Zealand law when processing personal data. Any serious infringement will be treated seriously and may be considered under disciplinary procedures. The Company adheres to the privacy principles laid down by the New Zealand Privacy Act 1993 and positions itself for alignment with the EU GDPR. In accordance with these principles, personal data shall be:
- Processed fairly and lawfully and in a transparent manner in relation to the data subject;
- Processed for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Not kept longer than necessary;
- Processed in a manner that ensures appropriate security of the personal data;
- Not transferred outside the countries of the European Economic Area or the EU without adequate protection.
3.1. Keytrack has established policies and procedures in order to comply with the above principles. The key person in this area is our Data Protection Officer, Richard Galbraith.
The Data Protection Officer holds responsibility for:
- promoting compliance with this policy in such a way as to ensure the easy, appropriate and timely retrieval of information;
- the appropriate compliance with subject access rights and data processing in accordance with the New Zealand Privacy Act 1993 and in alignment with the EU GDPR;
- ensuring that any data protection breaches are resolved, catalogued and reported appropriately in a swift manner;
- investigating and responding to complaints regarding data protection including requests to cease processing personal data.
Staff members who process personal data must comply with the requirements of this policy and ensure:
- all personal data is kept securely;
- no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
- any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Protection Officer;
- any data protection breaches are swiftly brought to the attention of Keytrack’s Governance Team and that they support the Data Protection Officer in resolving breaches;
- where there is uncertainty around a Data Protection matter advice is sought from the Data Protection Officer.
4.1. Where external companies are used to process personal data on behalf of the customer requesting Keytrack’s services, responsibility for the security and appropriate use of that data remains with the customer.
Where a third-party processor is used:
- a third-party processor may be chosen only when it provides sufficient guarantees about its security measures to protect the processing of personal data;
- reasonable steps must be taken to ensure that such security measures are in place;
- a written contract establishing what personal data will be processed and for what purpose must be set out;
- a data processing agreement must be signed by the third-party processor and the Company.
5.1. Keytrack shall carry out the following specific measures to ensure data protection:
- The Company uses a specially designed interface that makes it possible to submit the data directly to the Company’s secure servers;
- The personal data accepted by the Company is always securely stored on the servers located in safe data centres;
- Keytrack undertakes to preserve the personal data for as long as is necessary for the clients under applicable laws;
- All persons dealing with personal data shall be officially authorized and must undergo special periodical training;
- Keytrack shall hold data protection and security audits by an expert institution.
6.1. Keytrack uses commercially reasonable physical, electronic, and procedural safeguards to protect your personal information against loss or unauthorised access, use, modification, or deletion. Among other things, Keytrack encrypts sensitive information in transit. Keytrack security is managed in compliant web services. However, no security program is foolproof, and thus we cannot guarantee the absolute security of your personal or other information. Moreover, we cannot guarantee the safety of your information when in the possession of other parties, such as the Third-Party Data Controller.
6.2. Software and network security:
- The Company will hold regular vulnerability scans against our full infrastructure. We will also have external, independent, penetration tests conducted on a periodic basis.
- All engineering and development operations staff will be regularly trained on system, application and network security.
- Our IT and container infrastructure is continuously monitored and audited for change.
- Network connections are protected by firewalls and are monitored by cyber security solutions to detect intrusions, suspicious activity, and denial of service attacks.
- All our computers, laptops and servers utilise full disk/volume encryption and are installed with antivirus/malware protection which is automatically updated to the latest version and signatures available.
- All user information is encrypted using TLS 1.2 or greater in transit.
6.3. Keytrack will continuously work to increase its security measures and update this policy with subsequent changes to its security efforts.
7.1. Where a Data Protection breach occurs, or is suspected, it should be reported immediately to the Data Protection Officer or the CEO, Richard Galbraith. The report should include full and accurate details of the incident including who is reporting the incident and what classification of data is involved.