PERSONAL DATA PROTECTION

A general statement for clients

This document outlines current information security and personal data protection practices at Profile-me Inc. (hereinafter, “profile-me”). The measures and documentation listed in this statement were assessed against per-article GDPR requirements and best industry practices in the field of personal data protection. The privacy and security of our clients’ data are among our priorities. For the purposes of this document, we use the terms “client” and “clients” to refer to companies looking for candidates through the Profile-me website.

We are implementing a comprehensive data governance system, which aims at:

  • adhering to information security practices and controls appropriate to the risks arising from the processing, in order to reduce the risk of a data breach;
  • achieving compliance with applicable data protection laws, namely the General Data Protection Regulation (“GDPR”) and other local data protection laws;
  • ensuring that our clients are aware of their compliance obligations as data controllers;
  • ongoing monitoring and review of our practices and documentation.

Information security

We aim to adhere to industry best practices in the field of information security. Below is an outline of the controls in place at Profile-me that address core requirements with a direct impact on the security of processing:

  • Confidentiality, integrity, and availability: Confidentiality is achieved through access control restrictions. Access to personal data is granted on a “need-to-have” basis and is available only to team members who require it to perform their duties. Actions such as access, rectification, or deletion are logged in the system to provide traceability and accountability. Integrity is maintained by ensuring that our production databases and production servers are located in one place and are accessible only via a private network, so that information in our possession cannot be accessed from anywhere else. Regular backup schemes are also in place to ensure data availability. We additionally ensure that all access keys to our databases, as well as third-party integration access keys, are stored as environment variables and passed to the containers rather than embedded in the code.
  • Regular assessment: We have implemented a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures implemented.
  • Data minimisation and deletion: We permanently delete data at the end of the applicable retention period and upon termination of the relationship with a client.
  • Software: Our employees are provided with corporate software, services, and storage licences. Profile-me requires each employee to keep the software they work with regularly updated.
  • ISO 27001-certified cloud hosting: We rely on an ISO 27001-certified company for the storage of personal data, so that our data falls under the externally audited information security management system of the hosting provider.
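To make the first control above concrete, here is an added example (not Profile-me's own code, and not part of the original statement) of a small personal-data store that applies a need-to-have permission check to every action, records access, rectification and deletion in an audit log for traceability, and reads database credentials from environment variables instead of a hard-coded default. The roles, the permission map and the sample record are constructed for illustration.

```python
"""Illustration of need-to-have access control, action logging and
environment-based secrets. All roles, records and variable names are
constructed assumptions, not Profile-me's real configuration."""
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role-to-permission map: each role gets only what its duties need.
PERMISSIONS = {
    "recruiter": {"read"},
    "support": {"read", "rectify"},
    "dpo": {"read", "rectify", "delete"},
}


class AccessDenied(PermissionError):
    """Raised when an actor attempts an action their role does not allow."""


@dataclass
class PersonalDataStore:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _authorise(self, actor, role, action, subject_id):
        # Every attempt is logged, including denied ones, so the trail shows
        # who tried to do what to which data subject and whether it succeeded.
        allowed = action in PERMISSIONS.get(role, set())
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action,
            "subject": subject_id, "allowed": allowed,
        })
        if not allowed:
            raise AccessDenied(f"{actor} ({role}) may not {action} {subject_id}")

    def read(self, actor, role, subject_id):
        self._authorise(actor, role, "read", subject_id)
        return dict(self.records[subject_id])

    def rectify(self, actor, role, subject_id, **changes):
        self._authorise(actor, role, "rectify", subject_id)
        self.records[subject_id].update(changes)
        return dict(self.records[subject_id])

    def delete(self, actor, role, subject_id):
        self._authorise(actor, role, "delete", subject_id)
        return self.records.pop(subject_id, None) is not None


def database_dsn(env=None):
    """Build a connection string from environment variables (normally set by
    the container runtime). A missing secret aborts start-up instead of
    silently falling back to a value embedded in the source."""
    env = os.environ if env is None else env
    try:
        user, password, host = env["DB_USER"], env["DB_PASSWORD"], env["DB_HOST"]
    except KeyError as missing:
        raise RuntimeError(f"missing required secret {missing}") from None
    return f"postgresql://{user}:{password}@{host}/profiles"


def demo():
    """Run a short scenario and return the store plus the number of denials."""
    # Constructed sample record for one candidate.
    store = PersonalDataStore(records={"cand-1": {"email": "a@example.com"}})
    store.read("alice", "recruiter", "cand-1")          # allowed: recruiters may read
    denied = 0
    try:
        store.delete("alice", "recruiter", "cand-1")    # denied: recruiters may not delete
    except AccessDenied:
        denied += 1
    store.delete("dana", "dpo", "cand-1")               # allowed: DPO handles erasure
    return store, denied


if __name__ == "__main__":
    store, denied = demo()
    for entry in store.audit_log:
        print(entry)
    print("denied attempts:", denied)
```

The audit log records denied attempts as well as successful ones; a trail that only shows successes cannot reveal an employee probing for data outside their duties. Keeping the permission map separate from the data-access methods also makes the "who may do what" decision reviewable in one place.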

Measures to address data subject rights

  • Data subject rights: To help our website users stay in full control of their personal data, we ensure that they can contact us to exercise their privacy rights. We have also embedded certain privacy controls into our website functionality so that website users can manage their personal data without necessarily contacting us. Specifically, we remove all personal data from our systems when a website user decides to delete their account. We also allow website users to update their account information and ensure that our systems reflect those changes.
  • Privacy notifications: At the moment of data collection, we provide clients and website users with details of how their personal data is collected and processed.

Data Sharing Agreement

We acknowledge that we and our clients stand in a controller-to-controller relationship. As a result, we are ready to sign a Data Sharing Agreement (a “DSA”) to clarify the roles and responsibilities over the personal data shared between us and our clients.

A sample of the document can be found at the link.

International transfers

To achieve uniform protection of client data, we offer to conclude an international transfer mechanism with our clients, namely the Standard Contractual Clauses (SCCs) approved by the European Commission on June 4th, 2021.

Limited data retention periods

Personal data stored on our servers have limited retention periods.

Upon termination of the relationship with a client, we ensure that the personal data is deleted from our systems, as well as from the systems of our subcontractors and vendors.

Data Protection Training

We have engaged an external data protection specialist to provide a data protection training session for our team to help us better understand and tackle our privacy obligations.

Vendor Management

We select only third-party providers that offer sufficient guarantees of information protection. Our due diligence assesses the following items:

  • overall reputation;
  • security practices;
  • compliance with privacy laws;
  • location of data storage;
  • commitments to privacy and security certifications or standards;
  • readiness for data protection and security audits.

Ongoing monitoring and review

We aim for our privacy and security practices to be consistent and systematic. As our organisation and the external environment continue to evolve, we regularly monitor and review our practices to ensure that data is protected at all times.

Contact us

If you would like to receive more information on our personal data protection practices, please contact us at info@profile-me.io