Table of Content:
- Legal Framework
- Personal Data Collection
- Data Protection Measures
- Cookie Consent
- Third-Party Service Providers and Sub-Processors
- Personal Data Transfer and Hosting
- Data Breach Response
- Data Protection Officer and GDPR Representation
- The Rights and Freedoms of Data Subjects
- Privacy by Design and Default
- Privacy Policy
- Training and Awareness
- We are committed
CHEQ is fully committed to complying with the GDPR and CCPA requirements. We have established policies and procedures that ensure our adherence to these laws, including conducting data protection impact assessments, privacy impact assessments, and incident response plans. In addition, we have representation in the EU and UK to ensure compliance with regional regulations.
CHEQ maintaining a robust security and privacy posture is of utmost importance. We regularly review and update our security and privacy controls and practices to align with the appropriate compliance standards and regulations, ensuring the confidentiality, integrity, and availability of our users' data.
We take data privacy seriously and are dedicated to complying with all relevant data protection laws, including the EU's GDPR and the California Consumer Privacy Act. To outline our privacy policies and procedures, as well as answer frequently asked questions about GDPR and CCPA compliance, we have prepared this Privacy Posture Document.
With respect to GDPR compliance, we ensure the lawful, fair, and transparent processing of our users' personal data. We have implemented technical and organizational measures to safeguard our users' data and enable data subject rights.
Legal Framework
CHEQ operates in compliance with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We also comply with other relevant privacy laws and regulations as applicable. We have implemented appropriate technical and organizational measures to ensure that personal data is processed in accordance with these laws and regulations.
Personal Data Collection
CHEQ uses the IP address, along with other data points, to determine whether a session is fraudulent and block access to the customer's website. The IP address is considered personal data under the GDPR, and the other data points may also be considered personal data depending on their nature. To comply with the GDPR, CHEQ obtains explicit consent from its customers to collect and process personal data for this purpose.
However, GDPR Article 6(1)(f) provides the legal basis for processing personal data, including IP addresses and cookies, without obtaining explicit consent, provided that the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data.
If a customer opts to use CHEQ's product to track fraudulent services, the data collected will be used only for this purpose, and in compliance with the GDPR and CCPA. CHEQ is classified as a "Processor" under GDPR and a "Service Provider" under CCPA, which means that CHEQ processes personal data it collects only as necessary to provide its services to the applicable CHEQ customers who authorized the collection of such data.
CHEQ takes appropriate technical and organizational measures to ensure the security of personal data, including the IP address and other data points it collects. Individuals have the right to access, rectify, and delete their personal data collected by CHEQ. CHEQ will promptly respond to any request to exercise these rights, as required by the GDPR and CCPA.
Data Protection Measures
CHEQ takes appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. We use industry-standard security measures, such as encryption and access controls, to safeguard personal data. We also conduct regular security assessments and audits to identify and mitigate potential security risks.
We have implemented a comprehensive Information Security Management System (ISMS) that covers all aspects of our data processing activities, including data collection, processing, storage, and transmission. Our ISMS is based on the ISO/IEC 27001 standard, which is a globally recognized standard for information security management.
Third-Party Service Providers and Sub-Processors
CHEQ may share data collected through its product with a limited number of third-party service providers as necessary for the operation of the services, specifically our hosting provider. Certain optional features of the CHEQ service offering, which are not part of CHEQ’s core offering, may involve additional transfers of data, as described in the relevant feature documentation. Before sharing any data with third-party providers, CHEQ ensures that appropriate safeguards are in place to protect the privacy and security of the data in compliance with GDPR requirements. Additionally, CHEQ has entered into data processing agreements with its third-party providers to ensure they comply with GDPR and any other applicable data protection laws. Please view this Link to our Sub-Processor.
Personal Data Transfer and Hosting
PII-included data will be stored and processed either in EU, specifically on Azure North Europe. However, this data is not used to infringe on the GDPR, and it is stored in accordance with European regulations. Our employees may access personal data as necessary to provide the services, and they will do so from our offices located either in the EEA or in Israel, which has received an adequacy decision from the European Commission. We take appropriate technical and organizational measures to ensure the security of personal data, including data stored in AWS. Individuals have the right to access, rectify, and delete their personal data collected by CHEQ. We will promptly respond to any request to exercise these rights, as required by the GDPR and CCPA.
Data Breach Response
CHEQ has implemented a data breach response plan to detect, respond to, and recover from data breaches. In the event of a data breach, we will promptly notify affected individuals and authorities as required by law. We have established a dedicated incident response team that is responsible for managing data breaches, and we conduct regular training and simulations to ensure that our team is prepared to respond to data breaches.
We have also implemented appropriate technical and organizational measures to prevent, detect, and respond to data breaches, such as intrusion detection systems and firewalls. We conduct regular vulnerability assessments and penetration testing to identify and mitigate potential security risks.
Data Protection Officer and GDPR Representation
CHEQ has appointed a Data Protection Officer (DPO) to ensure compliance with data protection laws and regulations. The DPO is responsible for advising on data protection matters, monitoring compliance with data protection laws and regulations, and acting as a point of contact for individuals and authorities regarding data protection issues. General Data Protection Regulation (GDPR) – European Representative Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Cheq AI Technologies (2018) Ltd has appointed the European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR: by using EDPO’s online request form: https://edpo.com/gdpr-data-request/ by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium This representative acts as a point of contact for individuals and supervisory authorities in the EU and the UK regarding matters relating to the processing of personal data. UK Certification, EU Certification.
The Rights and Freedoms of Data Subjects
Individuals have the right to access, rectify, and delete their personal data collected by CHEQ. We also respect individuals' rights to data portability, restriction of processing, and objection to processing. We provide individuals with mechanisms to exercise their rights, such as self-service portals and email requests, and we respond promptly to all requests.
We have implemented appropriate procedures to verify the identity of individuals making requests to ensure that personal data is not disclosed to unauthorized persons. We also provide individuals with information on their rights and the procedures for exercising them through our privacy policy and other communications.
Privacy by Design and Default
CHEQ incorporates privacy by design and default principles into our products and services. We implement appropriate technical and organizational measures to ensure that personal data is protected from the outset and that data protection is embedded into all aspects of our data processing activities.
Privacy Policy
CHEQ maintains a privacy policy that provides individuals with information on our data processing activities, their rights, and how to exercise them if they access our corporate website. Our privacy policy is regularly reviewed and updated to ensure compliance with data protection laws and regulations and to provide transparency and clarity on our data processing activities.
Data Processing Agreement
We enter into a Data Processing Agreement with all our customers located in the EEU and can be found here: https://cheq.ai/data-processing-agreement/ (“DPA”). The DPA defines the role of CHEQ as "Processor” and our customers as “Controller” and describes the respective rights and obligations.
Training and Awareness
CHEQ provides regular training and awareness programs to all employees and contractors on data protection laws and regulations, our privacy policies and procedures, and best practices for protecting personal data. We also conduct regular audits and assessments to ensure that our employees and contractors are complying with our data protection policies and procedures.
We are committed
CHEQ is committed to protecting the privacy and personal data of our customers, partners, and users. We believe that privacy is a fundamental human right and that it is our responsibility to ensure that personal data is collected, processed, and used in a transparent, lawful, and responsible manner. We will continue to monitor and update our privacy posture to ensure that we are compliant with applicable data protection laws and regulations and that we are providing the highest level of privacy protection to our stakeholders.