1. Privacy by design (Recital 78 and Section 25, GDPR)
We also follow the 7 fundamental principles of Privacy by Design as the basis for creating and developing our products, and implementing privacy protection from conception to end users of our products and solutions. E-book Incognia Privacy by Design.
2. Data Processing Agent (Section 4, items 7 and 8, GDPR)
We process data on our behalf and under our clients' determination to achieve their purposes. Thus, our Clients are the Data Controllers and we act as the Data Processor, according to the definitions of the GDPR. We sign a Data Processing Agreement with all of our clients that sets out the parties' limits and obligations and stipulates all the requirements provided in Section 28 (3), GDPR.
3. Lawfulness of processing (Section 7, GDPR)
It is up to the Controller, our Client, to define the most appropriate legal basis to justify the processing of personal data performed by the Processor, Incognia. That said, our Clients generally adopt the basis of legitimate interests (Section 7 "f", GDPR) to justify the processing of data, since the GDPR highlights that processing data for fraud prevention purposes constitutes a legitimate interest (Recital 47, GDPR). To confirm whether legitimate interest is the most appropriate lawful basis to justify a particular data processing activity, it is recommended to assess each part of the “three-part test”, referred to as a “legitimate interests assessment” (LIA). We are prepared to help our clients provide an LIA, where applicable.
4. Consent and location permission (Recitals 39, 58 and 60, GDPR)
Location data can only be collected in cases where the data subject grants the location permission. The location permission is not taken as consent, but rather as an operational requirement of the devices. It works as a tool to meet the transparency obligations that must be observed as a requirement of the GDPR and especially to apply legitimate interest as a legal basis, where applicable. Using legitimate interest to justify the data collection dispenses with the need for consent from the data subject.
5. Location data
Incognia’s solution does not continuously track or monitor users. Continuous monitoring is unnecessary to deliver a highly performant geolocation solution for fraud detection usage models. Incognia’s geolocation solution proactively performs location checks when a geolocation check is needed. Incognia also passively collects location events generated by other (unrelated) events, e.g., if the app uses location for different reasons. We do not analyze this data to determine which place the user is in (store, park, etc.) or to infer any sensitive personal data about them.
6. Data Subject Rights (Recital 4, 59 and Chapter 3, GDPR)
The rights of the data subjects must be made available by the Controller. Still, Incognia takes all measures to assist it in fulfilling its obligation to make rights available. It is important to note that data subject rights are not absolute and certain of them, such as the right of access or deletion, must be limited in activities such as fraud prevention, where it is essential that individuals do not know all the procedures involved to ensure their effectiveness. Due to the sensitive nature of the activity, the rights requests need to be analyzed very carefully by the Controller.
7. Sub-Processor (Section 28 (2), GDPR)
We do not share our clients' users' data with any client or third parties. The personal data we collect is only shared with our Sub-Processor Amazon Web Services ("AWS") for storage and processing purposes. The data is stored in an object storage base (Simple Storage Service, or S3) hosted in technological environments managed solely and exclusively by Incognia through a public cloud platform provided by AWS. In addition, we have access control and management processes that allow access to systems and data only to employees who need it, and only upon approval, with effective change control.
8. International Transfer (Recital 101, 102 and Sections 44 and 46, GDPR)
The AWS cloud servers are located in Virginia, US. To ensure the international transfer of data in compliance with the provisions of applicable data protection laws, Amazon has adopted the use of SCCs as a mechanism to authorize such a data transfer. The SCCs are listed in the AWS Data Processing Addendum, which forms part of the AWS Terms of Service and is automatically applied to all customers (including Incognia) who transfer personal data from EEA countries to any of the AWS regions. Amazon's Data Processing Addendum guarantees that the data it stores in the US will be subject to the same high levels of security, privacy, and data protection that would apply if it were in countries subject to the application of the GDPR.
9. Incidents (Recital 85, Section 33 (2) (3), GDPR)
We have never had any incidents involving data from our Clients and we are committed to applying all administrative and security measures to keep it that way. However, in the event of any incident, we are prepared to notify the impacted clients as soon as we discover the event and provide all information required by the GDPR. We also have an incident management policy to guide our actions in properly handling the incident.
10. Security Measures (Section 32, GDPR)
We implement all appropriate technical and organizational measures to ensure a level of security appropriate to each risk level, in line with the requirements described in Section 32 (1) of the GDPR.
We have a SOC 2 Type II report, an international standard on cybersecurity risk management systems, which guarantees the security of Incognia's technology. SOC 2 is a report based on the existing Trust Services Criteria (TSC) of the American Institute of Certified Public Accountants Auditing Standards Council (AICPA). As a result, Incognia has security controls to address risk management and system monitoring; environment management, including logical and physical access controls; corporate communication channels; assessment mechanisms; change management; and others. Incognia follows a Secure Development Lifecycle (SDL), performs code reviews and includes security tests in the Software Development Life Cycle (SDLC). In addition, development and production environments are explicitly separated by means of a staging environment.
Deleting the original device identifier ends risks associated with improper access to data. The identifier maintained (hashed ID) is sufficient for all Incognia services and does not allow the direct identification of data subjects. It also reduces the risk of identifying them if the data is cross-referenced with a third-party database that contains this ID linked to other personal data, such as email, name, etc. Therefore, in case of leakage of or improper access to the information collected and processed by Incognia, the data subjects will not be directly associated with this data, reducing the risk of being physically or morally affected.
Access management: Restrictive access control, segregation of duties and secure credential management are applied on Incognia systems, granting only the minimum permission necessary for employees to carry out their activities. All Incognia employees undergo training in privacy, data protection and security best practices, and at the time of hiring they sign a Confidentiality Agreement to guarantee the obligation of secrecy in relation to the data processed by Incognia. In addition, the corporate environment where data access occurs is physically and logically protected. Incognia has a Governance Policy and an Information Security Policy, which are widely disseminated to Incognia employees and are available on the internal knowledge base, easily accessible to any employee. There are other internal policies and standards, such as those for the safe use of mobile devices, security controls for remote work, information classification and secure passwords, among others.
DPO contact: email@example.com