Incognia Privacy and Security for GDPR

(Section 5, “a”, GDPR)

We carry out the data processing to achieve the lawful and loyal purpose of promoting greater security in using the applications, reducing frauds. We achieve transparency by making our Privacy Policy available, which contains data processing information. Nevertheless, it is worth noting that some detailed information is limited in our Privacy Policy. That is because fraud prevention is the data processing purpose, where it is essential that individuals do not know all the procedures involved to ensure their effectiveness.

(Section 5, “b”, GDPR)

All data is collected for specified, explicit and legitimate purposes related to reducing fraud. We do not further process data in a manner that is incompatible with those purposes.

(Section 5, “c”, GDPR)

Incognia’s company culture promotes the mission of developing high-performance technology without requiring data subject recognition of a data subject. We only collect data adequate, relevant and limited to what is necessary to develop our solutions: location data, device data, ID and app data. No sensitive data or data that can directly identify a person (such as name, email etc.) is collected. We do not process data from public databases or from third parties. All data processed comes from our SDK and interactions via API (Application Programming Interface).

(Section 5, “d”, GDPR)

The services offered to our customers depend on up-to-date and correct personal data, with the maximum possible precision for constructing a behavioral location profile. Our location technology is accurate and able to detect a location event within a 300-meter radius. Furthermore, all data we collect through the SDK, in addition to being accurate, is constantly updated through continuous data collection and determined deletion deadlines, guaranteeing the elimination of outdated data.

(Section 5, “e”, GDPR)

We store the data obtained via SDK for a maximum period of 6 (six) months from the date of collection, which is the minimal period necessary for the purposes by which the data was collected (reducing fraud). After this period, the data is securely and permanently deleted if no exception is applied, such as keeping data for compliance with some specific and extraordinary legal or regulatory obligations.

(Section 5, “f”, GDPR)

We undergo regular third-party audits to certify our products against SOC 2 Type II certification. SOC 2, Type II is a report that assesses an organization's information systems relevant to security, availability, processing integrity, confidentiality and privacy.

(Section 5, §2º, GDPR)

We are responsible for demonstrating our compliance with all GDPR requirements. We do that through documents that, even when we are not obligated to provide that, we do. We carried out Data Processing Impact Assessment, Legitimate Interest Assessment, Data Mapping, Privacy Policies, Internal Privacy Procedures, and various other documents and internal procedures that help us to demonstrate our compliance.

1. Privacy by design (Recital 78 and Section 25, GDPR)

We also follow the 7 fundamental principles of Privacy by Design as the basis for creating and developing our products, and implementing privacy protection from conception to end users of our products and solutions. E-book Incognia Privacy by Design. 

2. Data Processing Agent (Section 4, items 7 and 8, GDPR)

We process data on our behalf and under our clients' determination to achieve their purposes. Thus, our Clients are the Data Controllers and we act as the Data Processor, according to the definitions of the GDPR. We sign a Data Processing Agreement with all of our clients to dispose of the parties' limits and obligations and stipulates all the requirements provided in the Section 28 (3), GDPR. 

3. Lawfulness of processing (Section 7, GDPR)

It is up to the Controller, our Client, to define the most appropriate legal basis to justify the processing of personal data performed by the Processor Incognia.  Despite this, it should be noted that our Clients generally adopt the basis of legitimate interests (Section 7 "f", GDPR) to justify the processing of data since the GDPR highlights that processing data for fraud prevention purposes constitutes a legitimate interest (Recital 47, GDPR). To confirm whether the legitimate interest is the most appropriate lawful basis to justify a particular data processing activity, it is recommended to assess each part of the “three-part test”, referred to as “legitimate interests assessment” (LIA). We are prepared to help our clients to provide a LIA, if it is the case.

4. Consent and location permission (Recitals 39, 58 and 60, GDPR)

Location data can only be collected in cases where the data subject agrees with the location permission. The location permission is not taken as consent, but rather as an operational requirement of the devices. It works as a tool to meet the obligations of transparency that must be observed as a requirement of GDPR and especially to apply legitimate interest as a legal basis, if it is the case.  Using legitimate interest to justify the data collection dispenses the consent from the data subject.

5. Location data

Incognia’s solution does not continuously track or monitor users. Continuous monitoring is unnecessary to deliver a highly performant geolocation solution for fraud detection usage models. Incognia’s geolocation solution proactively performs location checks when a geolocation check is needed. Incognia also passively collects location events generated by other (unrelated) events, e.g., if the app uses location for different reasons. We do not analyze this data to check which place where the user is (store, park etc.) or infer any sensitive personal data about he/she.

6. Data Subject Rights (Recital 4, 59 and Chapter 3, GDPR)

The rights of the data subjects must be made available by the Controller. Still, Incognia takes all measures to assist it in fulfilling its obligation to make rights available. It is important to note that data subject rights are not absolute and certain of them, such as the right of access or deletion, must be limited in activities such as fraud prevention, where it is essential that individuals do not know all the procedures involved to ensure their effectiveness. Due to the sensitive nature of the activity, the rights requests need to be analyzed very carefully by the Controller. 

7. Sub-Processor (Section 28 (2), GDPR)

We do not share users’ data of our clients with any client or third parties. The personal data we collect is only shared with our Sub-Processor Amazon Web Servers ("AWS") for storage and processing purposes. The data is stored in an object storage base (Simple Storage Service, or S3) hosted in technological environments managed solely and exclusively by Incognia through a public cloud platform provided by AWS. In addition, we have access control and management processes to allow access to systems and data only to employees who necessarily need to access them, which only occurs upon approval, with effective change control.

8. International Transfer (Recital 101, 102 and Sections 44 and 46, GDPR)

The AWS cloud servers are located in Virginia, US. To ensure the international transfer of data in compliance with the provisions of applicable data protection laws, Amazon has adopted the use of SCCs, as a mechanism to authorize such a data transaction. The SCCs are listed in Data Processing Addendum the AWS, which forms part of the AWS Terms of Service and is automatically applied to all customers (including Incognia) who transfer personal data from EEA countries to any of the AWS regions. Amazon´s Data Processing Addendum guarantees that the data it stores in the US will be subject to the same high levels of security, privacy, and data protection that would apply if it were in countries subject to the application of the GDPR.

9. Incidentes (Recital 85, Section 33 (2) (3), GDPR)

We have never had any incidents involving data from our Clients and we are committed to apply all administrative and security measures to keep this scenario.  However, in the event of any incident, we are prepared to notify the impacted clients as soon as we discover the event and provide all information required on GDPR. We also have an incident management policy to guide our actions to properly treat the incident.

10. Security Measures (Section 32, GDPR)

We implement all appropriate technical and organizational measures to ensure a level of security appropriate to each risk level, the requirements described in Section 32 (1) of GDPR.

We have SOC 2, Type II, which guarantees security by Incognia's technology and an international standard on cybersecurity risk management systems. SOC 2 is a report based on the existing Trust Services Criteria (TSC) of the American Institute of Certified Public Accountants Auditing Standards Council (AICPA). As a result, Incognia has security controls to address risk management and system monitoring; environment management including logical and physical access controls; corporate communication channels; assessment mechanisms, change management and others.  Incognia performs Secure Development Lifecycle (SDL), code reviews and includes security tests in the Software Development LifeCycle (SDLC). In addition, explicit separations between development and production environments are created by implementing a staging environment.

• Pseudonymization (Recital 28, GDPR): Advanced technique of pseudonymization is applied to users’  ID´s ​​, and the original data is removed from the database and replaced by encrypted and hashed data, as described in our Privacy Policy.
  
  Deleting the original device identifier ends risks associated with improper access to data. The identifier maintained (hashed ID) is sufficient for all Incognia services and does not allow the direct identification of data subjects, in addition to reducing the risk of identifying them in the event of a confrontation with a third-party database that contains this ID linked to other personal data, such as email, name etc. Therefore, in case of leakage or improper access to the information collected and processed by Incognia, the data subjects will not be directly associated with this data, reducing the risk of being physically or morally affected.

• Access management:  Restrictive access control, segregation of duties and secure credential management is applied on Incognia Systems, granting only the minimum necessary permission for the employee to carry out his activities. It is worth mentioning that all Incognia employees undergo privacy, data protection and best security practices training and they sign, at the time of hiring, a Confidentiality Agreement to guarantee the obligation of secrecy in relation to the data processed by Incognia. In addition, the corporate environment where data access occurs is physically and logically protected. Incognia has a Governance Policy and an Information Security Policy, which are widely disseminated to Incognia employees and are available on the internal knowledge base, easily accessible to any employee. There are other internal policies and standards, such as for the safe use of mobile devices, security controls for remote work, information classification, secure passwords, among others.

DPO contact: dpo@incognia.com