Home Solutions
Products IDP RFI QA/QC Risk Assessment Lead Management
Pricing About Contact

Data Protection & Handling Policy

Ensuring Client Data Security

1. OVERVIEW AND SCOPE

1.1. Overview

Opaida takes protecting client data seriously. All Opaida employees, contractors, and suppliers are responsible for ensuring the security and confidentiality of client information. To meet this responsibility, we maintain a system of controls and requirements to prevent unauthorized access, modification, destruction, or disclosure of client data. This Data Protection & Handling Policy (Policy) establishes the system of controls for protecting Sensitive & Confidential Data (as defined below).

1.2. Purpose

This Policy and supporting procedures are designed to provide Opaida with a documented and formalized data protection policy to comply with various regulatory and business needs.

1.3. Scope

The scope of this Policy covers all Confidential & Sensitive Data stored, accessed, or transmitted by our software platform, including its applications, components, infrastructure, and underlying code (together, our products).

Additionally, this Policy applies to all employees, contractors, and third-party suppliers of Opaida that collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Opaida's Confidential & Sensitive Data. All employees, contractors, and, as applicable, third- party suppliers are responsible for reading this Policy and complying with its requirements.

2. ROLES AND RESPONSIBILITIES

The following roles and responsibilities regarding data protection practices are to be developed and subsequently assigned to authorized personnel within Opaida:

  • Risk Committee: Responsibilities include approving and monitoring adherence to this policy as well as ensuring data stewardship is assigned, documented, and communicated.
  • Chief Technology Officer (CTO): Responsibilities include providing overall direction, guidance, leadership, and support on methods and tools for secure storage, retention, and disposal of Confidential & Sensitive Data.
  • Systems Administrator: Responsibilities include actually implementing the baseline configuration standards for all in-scope system components. The Systems Administrator (or assigned delegate) is responsible for establishing, documenting, reviewing, modifying, and terminating user access to Company information systems that contain sensitive and confidential data.
  • End Users (Employees, Consultants): Responsibilities include adhering to the organization's data protection policies, procedures, and practices and. Additionally, end- users are to report instances of non-compliance to senior authorities, specifically those by other users.
  • Vendors, Contractors, Other Third-Party Entities: Responsibilities for such individuals and organizations are much like those stated for end-users: adhering to the organization's data protection policies, procedures, practices, and not undertaking any measure to alter such standards that protect client data. Additionally, vendors, contractors, and other third-party entities are expected to complete due diligence and ongoing monitoring assessments per the requirements set forth in the Supplier Risk Management Policy. Vendors, contractors, and other third-party entities are required to immediately notify Opaida of any policy violations involving client data.

3. DATA DEFINITION

Opaida products for clients are deployed using one of the following models:

  • Cloud Deployment: The Could deployment is an entirely cloud-based offering. The third party cloud service vender stores all data pertaining to the use of products, including confidential Consumer Data, on a secure cloud environment rather than on a client's server or hardware. Customer owns all the data, and Opaida does not have access to the data unless the data access permission is granted and monitored by the customer.
  • On-Premises Deployment: Opaida products operate on-premises (i.e., within a client's security environment). Under on-premises deployments, confidential Consumer Data, investigation analysis data, and risk scoring data remain stored on- premises.

3.1. Types of Data

The following types of data are being stored, processed, and/or transmitted on system components that are owned, operated, maintained, and controlled by Opaida:

  • Sensitive: Applies to the most sensitive business information, to which access is strictly limited. Examples of sensitive information include, but are not limited to, passwords, encryption keys, consumer data.
  • Confidential: Applies to less sensitive business information, which is intended for use solely within the Company. Examples of confidential information include, but are not limited to, internal market research, audit reports, and marketing or strategic plans.
  • Public: Applies to all other information that does not clearly fit into the above classifications.

4. DATA PROTECTION POLICY

4.1. Risk Management

Opaida believes in proactive risk management of data protection threats. Opaida conducts a thorough, periodic information security risk assessment (Risk Assessment) of our products' networks, systems, and applications to document threats and vulnerabilities to stored and transmitted information. The Risk Assessment incorporates data protection risks, including, but not limited to:

  • The types and volume of Sensitive & Confidential Data collected and processed through our products.
  • The company's jurisdictional legal and regulatory data protection obligations.

The Risk Assessment serves as a roadmap for Opaida to implement mitigating controls to reduce the impact of identified data protection risks. The Chief Risk Officer oversees remediation plan development and tracks remediation actions to completion.

4.2. Data Collection

Opaida collects, processes, uses, shares, retains and disposes of Sensitive & Confidential Data only in compliance with our legal and business requirements. Opaida also works with clients to define the specific Sensitive & Confidential Data types collected by our products.

4.3. Use and Disclosure

Opaida uses the following guidelines for the use and disclosure of Sensitive & Confidential Data:

4.4. Retention, Storage and Disposal

4.4.1. Retention

Internal data use: Only use Sensitive & Confidential Data for approved business purposes consistent with the scope of services outlined in the respective client's contract.

Internal data sharing: Limit the internal sharing of Sensitive & Confidential Data to members of the workforce whose access is necessary to execute their specific roles and responsibilities (i.e., apply the principle of "Just Enough Privilege”). External data sharing: May share Sensitive & Confidential Data with third parties for approved business purposes that are consistent with the purposes for which Opaida collected the Sensitive & Confidential Data. Written agreements are maintained with such third parties that require them to maintain robust data protection and security controls to ensure an appropriate level of protection.

Cross-border data transfers: Ensure that all parties with which we engage in cross- border data sharing provide adequate data protection safeguards for Sensitive & Confidential Data transfers. The identities and respective countries of non-U.S. suppliers, or types of non-U.S. suppliers, that may access/store Sensitive & Confidential Data are disclosed to the client.

Unless otherwise required by law, Opaida retains Sensitive & Confidential Data only for as long as necessary to fulfill the purposes for which it is collected and processed, or to meet legal and client contractual obligations. To support compliance with these obligations, the CTO shall, on an annual basis, review Opaida's existing retention practices regarding Sensitive & Confidential Data.

4.4.2. Storage

Sensitive Data is only stored in approved systems, databases, and devices. The storage location depends on the type of deployment:

  • On-premises: Sensitive Data is stored on client-owned or client- leveraged servers.
  • Cloud: Sensitive Data is stored in a secure, dedicated cloud environment behind a firewall.

Opaida specifically prohibits employees from storing Sensitive Data in the Opaida development environment, on their Opaida-issued laptops or desktop computers, on their personal devices, on removable media (e.g., USB flash drives), or on printed media.

4.4.3. Disposal

Once Sensitive & Confidential Data is no longer necessary or has reached the end of its retention period, it is securely disposed of. Processes are in place for the secure disposal of data when the data is no longer needed for legal, regulatory and, business requirements. An automatic or manually executed process is to be in place for identifying and securely removing data that exceeds the defined legal, regulatory, and business requirements. As for disposing of data, the following methods are to be utilized for both hard copy and electronic data:

  • Purging and deleting data from all system components. This can be done by utilizing a secure wipe program in accordance with industry-accepted standards for secure deletion (i.e., degaussing).
  • Destroying (cross-shredding) any cardholder data that is in a hardcopy format.
  • For electronic media stored on system components that are no longer in use, data is to be disposed of through any one of the following procedures:
    • Disintegration
    • Shredding (disk grinding device)
    • Incineration by a licensed incinerator ▪ Pulverization
  • Instances of disposal of customer data will be tracked via a ticketing system and will include the steps taken to complete the removal.

4.5. Information Security

Opaida maintains reasonable technical, organizational, and physical security measures to protect the security and confidentiality of Sensitive & Confidential Data from unauthorized access or unlawful disclosure. The security for Sensitive & Confidential Data is managed in accordance with the Opaida's Information Security Policy. Critical security controls include, but are not limited to, the following:

4.6. Access

Encryption in transit:

Sensitive & Confidential Data transfers must be sent via a secure transfer system, such as TLS or SFTP.

Encryption at rest:

All Opaida servers, workstations, and laptops must use disk encryption.

Outbound files:

Use a secure file transfer platform to transfer files outside of the Opaida network.

Inbound files:

During transfer, verify that all files sent into the Opaida network are free of corruption and that the file originated from a known source.

Database:

Encrypt company application databases that are externally accessible via web traffic and provide a level of identification security using an application- specific protocol, such as HTTPS. Sensitive Data in Opaida databases must additionally be encrypted client-side before being inserted into the database.

Data segregation:

Sensitive Data remains in either (i) the on-premises deployment of our products, or (ii) the secure cloud environments.

Production and test environments:

Sanitize all production data before use in non- production environments, as applicable.

Incident management:

Maintain a process for identifying, managing, and resolving privacy incidents, in accordance with the Opaida Incident Response Policy.

A critical component of any successful organization is the ability to properly provision, manage, monitor, and off-board all users that have been granted access rights to company-wide information a concept universally known as access rights and/or access control. The phrase "system resources" includes any type of component, application, data source, or any other type of business resource identified by a company for which users have the ability to access through a process generally known as authentication and authorization. Opaida's data access policy consists of several parts:

  • Client authentication: Opaida authorizes user access to our products only and does not permit client access to underlying Opaida systems or databases.
  • Role-Based Access Control (RBAC) protocols: Access is limited to that which is required for the performance of job duties for individual users, and generic access by Opaida employees is not allowed. The RBAC protocols encompass the following components:
    • Data Classification: A classification scheme that labels each kind of data with one or more categories. (see Data and Personnel Classification Matrix Document)
    • Personnel Classification: A classification scheme that gives each user access to particular data categories. In particular, it specifies that these access permissions must satisfy the "principle of least privilege.” (see Data and Personnel Classification Matrix Document)
    • User onboarding: How Opaida employees are assigned unique user ID's and given initial data access permissions.
  • Access Policies: Requirements for users to authenticate and access the data.
  • User off-boarding: Procedures for off-boarding employees and contractors.
  • "Just Enough Privilege”: To protect against unauthorized access to Sensitive & Confidential Data internally, Opaida limits user access based on the principle of "Just Enough Access.” Users are provided with only enough access to relevant systems, applications, and information to execute their job responsibilities. User access rights to our products, internal network, systems, and applications are regularly and annually reviewed to identify and terminate access rights that are no longer needed. For purposes of this section, a user refers to any employee, contractor, consultant, or supplier accessing company information.

4.6.1. Access Authorization

Opaida is required to protect the confidentiality, integrity, and availability of its information systems that contain sensitive and confidential data. All sensitive and confidential data must be protected via access controls to ensure that data is not improperly disclosed, modified, deleted, or rendered unavailable. The Systems Administrator or assigned delegate is responsible for establishing, documenting, reviewing, modifying, and terminating user access to Company information systems that contain sensitive and confidential data.

As described in section Data Access Request Process, approvals must be obtained and documented prior to granting access. Employees who have been authorized to view information at a particular classification level will only be permitted to access such information on a need to know basis. All access to systems should be configured to provide a particular user access only to what he/she needs to perform his/her business function. On an as-needed basis, employees may request additional access permissions if their work requires it. This additional access must be approved in writing by the relevant executive.

4.6.2. Data Access Request Process

The following generally describes the workflow used within the Company for requesting new access:

  1. The manager of the candidate (whether internal or external) will determine if he/she is fit to perform the new role and authorize access via the Authorization Request Form by completing and signing the form. The form must reflect the access requirements based on the employee's role and clearly identify any additional access requirements above the standard defined role.
  2. The Systems Administrator or his/her delegate will review the request and approve it if the roles assigned to the employee are consistent with security policies. If the access requested requires privileges above the user's role, the Systems Administrator will engage additional system owners or management to collect necessary approvals prior to authorization.
  3. Once the request has been approved, the Systems Administrator will create the user account(s) requested.

4.6.3. Changes to Access & Removal of Access

Requests for change of access must be submitted by the user's manager. HR and department managers must complete an access change checklist as part of any employee transfer when a role or department change is initiated.

Direction regarding the removal of an employee's access shall follow the same workflow above except the request for removal can come from either the HR Department or the employee's manager and should be requested within a reasonably acceptable expeditious manner and in accordance with HR policies concerning user/employee off-boarding.

4.7. Training and Awareness

4.7.1. Information Security Training

Opaida conducts annual Information Security Training as required per our Information Security Policy. A component of this required training includes coverage of data protection and privacy requirements related to Sensitive & Confidential Data. The data protection and privacy training components include, but are not limited to, requirements about Sensitive & Confidential Data collection, handling, use, disclosure, and safeguarding.

4.7.2. Developer/Engineer Training

Opaida provides training on secure coding practices to its developers. This is facilitated by the management team. The training covers all the content included in the most recent OWASP Top Ten, providing technical concepts and recommendations to address them.

5. POLICY ADMINISTRATION

5.1. Ownership and Review

The Policy Owner owns this Policy and is responsible for reviewing the Policy for updates annually, or following any major changes to Opaida's sensitive data environment. The Policy Approver retains approving authority over this Policy.

5.2. Monitoring and Enforcement

Opaida periodically monitors adherence to this Policy to help ensure compliance with applicable laws, requirements, and contractual agreements that apply to Client & Consumer Data. Opaida may also establish enforcement mechanisms, including disciplinary actions, to help ensure compliance with this Policy.

Hi, I’m EVA from opAIda.ai! I'm here to help you.
Chat with OPAIDA

Your Privacy Matters

We use cookies to provide a secure environment (SOC 2), ensure the integrity of our Services (HIPAA), and analyze site performance. While essential cookies are always active, we ask for your consent to use optional cookies for analytics and personalized experiences.