Introduction
The EU General Data Protection Regulation (GDPR) is the most significant piece of the European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.
In addition to strengthening and standardizing user data privacy across EU member states, it introduces new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations are located. On this page, we explain how we help our customers comply with the GDPR.
Commitment to the user and the protection of user’s data
Weyond Inc. (“Weyond”, “We”) is committed to ensuring that users’ privacy is protected. We strictly adhere to the provisions of the GDPR and all relevant Data Protection Legislation, ensuring all personal data is handled in line with the principles outlined in the regulation.
Where Do We Stand
Weyond as a Data Processor: The GDPR defines a Data Controller as an entity that determines the purposes for which and the means by which personal data is processed. Data Controllers decide ‘why’ and ‘how’ the personal data of the data subject should be processed. The Data Processor processes personal data only on behalf of the Data Controller and only as instructed by the Data Controller.
Weyond acts as a Data Processor and processes data on behalf of its Clients/Organizations who act as Data Controllers. The Data Controllers specify the kind of data required from the data subject, i.e., the Agent. We act as a mediator between the Data Controller and the Data Subject by collecting the specified data during the session and then processing it as per Data Controller’s instructions.
Data Protection: Weyond is committed to information security best practices. In line with GDPR, Weyond assesses the measures required in its products based on factors like data sensitivity, impact, risk and available technology.
Security is a core requirement of, and a guiding mantra in, the design of every component of Weyond’s products. This includes encryption of data in flight and at rest, continuous vulnerability and penetration testing of systems, and “firewalled” DevOps procedures.
Data Deletion & Retention: We have a defined data deletion period and procedures in place unless specified otherwise by the Organizations. We have procedures to meet the ‘Right To Be Forgotten’ obligation and are aware of when this and other data subjects’ rights apply, along with any exemptions, response time frames and notification responsibilities specified by the Organization.
Our default retention policy for Data collected on behalf of the Sponsor Organizations is 7 days, or as specified by the Sponsor Organizations. The biometric data collected for identity profile and identity verification purposes (including the biometric data we use to create your identity profile) is retained for up to one year from the time the identity profile is created in our Platform, or as configured by the applicable Sponsor Organization (Data Controller).
Consent from Users (Data Subjects): The user’s consent is obtained every time they use Weyond’s product. This ensures that users are provided the relevant privacy policy and terms of service, with details on why such information is being collected, and that they give their consent before using the service.
Our Privacy policy provides further details on the “What” & “Why” of the user’s information being collected.
International Data Transfers: At present, our operations do not involve clients located outside of the United States. Therefore, there is no transfer of data to entities in the European Union (EU), Switzerland, or the United Kingdom (UK). As we expand, or if there are changes in regulatory requirements, we will continuously review and implement appropriate mechanisms to safeguard data privacy and security in accordance with global standards.
Data Subject Rights
We provide easy-to-access procedures covering an individual’s right to access any personal information that Weyond processes about them and to request information about:
As per GDPR, Weyond (Data Processor) is required to obtain prior approval from the client or Sponsor organization (Data Controller) before accommodating the user’s request to exercise their rights under the GDPR.
Third-party audits and certifications
Weyond is SOC 2 audited and utilizes the SSAE 16/18 framework for its security review. Weyond is SOC 2 Type 2 certified and undertakes an independent third-party audit that reviews and verifies the effectiveness of internal controls and processes. The audit covers internal governance, production operations, change management, data backups, and software development processes. It assures that we have the appropriate controls and processes in place and that they are actively functioning in accordance with the related standards.
As a cloud-based company entrusted with some of our customers’ most valuable data, we have set high standards for security. We have received security certifications under the American Institute of Certified Public Accountants’ framework, such as SOC 2 Type 2.
We have invested heavily in building a robust security team, one that can handle a variety of issues – everything from threat detection to building new tools. In accordance with GDPR requirements relating to real-time security incident notifications, Weyond will continue to meet its obligations and offer contractual assurances.
The SOC 2 program offers independent verification that our security practices meet a recognized standard of security measures. Furthermore, the program is designed to cover key elements of data processing and integrity, while maintaining auditing practices within our business and operational processes. Because all users and clients are concerned with their data and its security, Weyond has integrated its SOC controls into its operating procedures. These procedures span the organization, teams and functions that provide service or support to our clients and users.
The key components of our SOC controls environment include:
Data Privacy Team
Weyond has designated a Data Protection Officer (DPO) and a designated Data Privacy Team to develop and implement policies, procedures and controls for complying with the new Data Protection Framework Program. The team is responsible for promoting awareness of the GDPR across the organization, assessing our GDPR compliance, identifying any gap areas and implementing the new policies, procedures, and measures.
We understand that continuous employee awareness and understanding are vital to continued compliance with the GDPR, and we have involved our employees in our preparation plans.
If you have any questions about our GDPR compliance policies, please contact our Data Privacy Team at: privacy@weyond.com.