1. Introduction

Suprdense (“the Company,” “we,” “us,” or “our”) is committed to safeguarding the personal data of its customers, end users, and other stakeholders. This Data Processing & Transfer Policy (“Policy”) sets out Suprdense’s practices relating to the processing, storage, and transfer of data—particularly in scenarios where data may be transferred outside the European Union (“EU”) and the European Economic Area (“EEA”). This document is designed to address compliance requirements under data protection regulations such as the General Data Protection Regulation (GDPR) and other relevant global privacy laws.

2. Purpose & Scope

  1. Purpose: The purpose of this Policy is to ensure that any personal data collected, stored, processed, or transferred by Suprdense is handled securely and in compliance with all applicable data protection laws and regulations.
  2. Scope: This Policy applies to all Suprdense employees, contractors, affiliates, and authorized third-party service providers (“sub-processors”) that process data on our behalf. It covers all data processing activities that involve personal data, including but not limited to data collection, storage, transmission, analysis, and deletion.

3. Definitions

  1. “Personal Data”: Any information relating to an identified or identifiable natural person.
  2. “Processing”: Any operation or set of operations performed on personal data (e.g., collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction).
  3. “Data Controller”: The entity that determines the purposes and means of processing personal data.
  4. “Data Processor”: The entity that processes personal data on behalf of the Data Controller.
  5. “Sub-Processor”: Any third party appointed by Suprdense to process personal data on Suprdense’s behalf.
  6. “EU”: Member States of the European Union.
  7. “EEA”: The European Economic Area, which includes all EU Member States plus Iceland, Liechtenstein, and Norway.

4. Roles & Responsibilities

  1. Suprdense as a Data Processor: Suprdense does not process personal data of or on behalf of our customers (who may act as the Data Controllers). In a situation where data processing is required for successful completion or execution of a task related to any of our products, we follow the instructions of our customers with respect to the processing of that data.
  2. Suprdense as a Data Controller: Where Suprdense collects personal data for its own purposes (e.g., employee data, sales leads), we act as a Data Controller and adhere to all data controller obligations under relevant laws. With regard to our products, we do not collect any personally identifiable information as part of the usage of any of them.
  3. Employees & Staff: All Suprdense employees and staff are obligated to comply with this Policy.
  4. Sub-Processors: Suprdense carefully selects and manages sub-processors who must meet our security, privacy, and regulatory compliance standards.

5. Data Collection & Usage

  1. Types of Data Collected
    1. Customer-Provided Data: Any information that our customers intentionally submit (e.g., account creation details, usage logs, support tickets).
    2. Service Metadata: Automatic collection of non-personally identifiable information related to service performance, logs, and usage metrics.
  2. Purposes of Data Processing
    1. Service Provision: We process data primarily to deliver and improve our core services.
    2. Customer Support: This includes handling queries, troubleshooting, and resolving technical issues.
    3. Internal Analytics: We may analyze anonymized or aggregated data to refine our services but do not read or utilize raw customer data beyond what is necessary to maintain and optimize our platform.

6. Sub-Processors & Data Transfers

  1. Sub-Processors Outside the EU/EEA
    1. MongoDB (U.S.)
    2. Google Firestore (U.S.)
  2. These sub-processors facilitate secure and scalable database hosting solutions. Although they are based in the United States, Suprdense implements appropriate safeguards to ensure the legality and security of these transfers.
  3. Legal Basis for International Transfers
    1. Standard Contractual Clauses (SCCs): Where required, Suprdense enters into EU-approved SCCs with sub-processors outside the EU/EEA.
    2. Adequacy Decisions: In the absence of an adequacy decision, Suprdense ensures equivalent levels of data protection are in place via contractual obligations.
    3. Additional Technical Safeguards: Encryption at rest and in transit, strict access controls, and robust authentication mechanisms.
  4. Minimization of Data Access
    1. No Reading of Customer Data: Suprdense and its sub-processors do not “store” the contents of customer data except upon explicit instruction by the customer.
    2. Access on a Need-to-Know Basis: Any access to customer data by Suprdense staff or sub-processors is tightly restricted and audited.

7. Data Security Measures

Suprdense employs a comprehensive information security program that includes administrative, technical, and physical safeguards. Key elements include:

  1. Encryption
    1. Data in Transit: TLS/SSL encryption for all data transfers.
    2. Data at Rest: Encrypted storage through sub-processor-managed encryption (e.g., AES-256).
  2. Access Controls
    1. Role-Based Access: Access to systems is restricted based on job role and function.
    2. Multi-Factor Authentication: Enabled for all administrative access.
    3. Least Privilege Principle: Users have the minimum level of access necessary to perform their roles.
  3. Network Security
    1. Firewalls & IDS: Firewalls, intrusion detection, and prevention systems are in place to prevent unauthorized external access.
    2. Logging & Monitoring: Comprehensive logs are maintained, and real-time monitoring is conducted to detect anomalies.
  4. Physical Security
    1. Secure Facilities: Data centers used by our sub-processors maintain industry-standard physical security controls.
  5. Incident Response
    1. Cyber Incident Response Plan (CIRP): We maintain a detailed incident response procedure to contain, mitigate, and investigate any security incident swiftly.
      See the separate Incident Response & Security Vulnerability Policy for more details.

8. Data Subject Rights

When acting as a Data Processor, Suprdense assists Data Controllers in responding to data subjects’ requests as legally required, such as:

  • Access: Providing information about what personal data is held.
  • Rectification: Correcting inaccurate or incomplete data.
  • Erasure: Deleting personal data upon request, where appropriate.
  • Restriction/Objection: Restricting or ceasing certain data processing activities.

Data Controllers remain primarily responsible for the fulfillment of these requests; however, Suprdense offers all necessary support under the applicable data protection laws.

9. Data Retention & Deletion

  1. Retention Periods
    1. Customer Data: Retained as long as necessary to provide services to our customers or as directed by the Data Controller.
    2. Backups: Maintained for disaster recovery and business continuity purposes within standard retention periods outlined in our Data & Log Retention Policy.
      See the separate Data & Log Retention Policy for more details.
  2. Secure Deletion
    1. Data Disposal: Once data is no longer required, it is securely deleted or anonymized, using industry-standard methods that prevent data reconstruction.

10. Compliance & Review

  1. Compliance Audits: Suprdense may conduct or commission periodic audits to ensure compliance with this Policy, relevant contractual obligations, and data protection laws.
  2. Policy Review: This Policy is reviewed at least annually and updated as needed to reflect legal, technological, or operational changes.

11. Breaches & Notification

In the event of a confirmed breach of personal data, Suprdense will promptly notify the relevant parties (including Data Controllers, regulatory authorities, and/or affected individuals, if required) in accordance with our Incident Response & Security Vulnerability Policy and applicable data protection laws.

12. Contact & Further Information

For questions or more information regarding this Suprdense Modern Slavery Statement, please contact:

Nishant Gupta
Chief Executive Officer
Suprdense
talk@suprdense.com