Infin8 GDPR Compliance Statement
What is the GDPR?
As of the 25th of May 2018, the EU General Data Protection Regulation (GDPR) strengthens the rights of individuals regarding their personal data and seeks to unify local data protection laws across Europe. The GDPR imposes new or additional obligations on organizations in the EU that process personal data, and on organizations outside the EU that process the personal data of EU residents.
GDPR in Infin8
Infin8 complies with the GDPR and is committed to embracing and upholding the principles of the GDPR in the processing of personal data of all our users. In particular, we aim to ensure:
- transparency with regard to the use of data
- that any processing is lawful, fair, transparent, and necessary for a specific purpose
- that data is accurate, kept up to date, and removed when no longer necessary
- that data is kept safely and securely
How does Infin8 protect personal data?
Infin8 takes the privacy and security of individuals and their personal data seriously. We take every reasonable measure and precaution to protect and secure the personal data that we process. We have dedicated information security policies and procedures in place to protect personal data from unauthorized access, alteration, disclosure, or destruction.
We are committed to regularly reviewing our policies for changes, effectiveness, changes in handling of data, and changes to the state of affairs in other countries to which your data flows.
What security measures are in place at Infin8?
Infin8 has adopted several layers of security measures. For instance:
- Technical and organizational measures are in place to ensure an appropriate level of security and data integrity for the data we process (encryption, penetration testing, password protection, Secure Sockets Layer, and more).
- Measures are in place to ensure timely and effective notification in the case of a data breach.
- Infin8 enters into written contracts with all our sub-processors imposing the same level of security and data protection obligations that are undertaken by Infin8.
- Access to personal data is provided on a need-to-know basis, and all employees are subject to a duty of confidentiality. Mandatory security, awareness, and privacy training is provided annually.
Does Infin8 respect the fundamental principles of the GDPR?
Infin8 ensures that personal data collected is kept to the minimum required for providing the service to the user.
Infin8 has taken steps to ensure that the personal data processed is accurate, and procedures are in place to rectify and/or erase inaccurate information.
Infin8 has procedures in place to ensure that personal data is kept in a form that limits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Infin8 has put in place extensive and appropriate technical and organizational measures to ensure the appropriate security of the personal data against unauthorized and unlawful processing and against accidental loss, destruction, and damage.
How does Infin8 comply with the data subjects' rights?
Under the GDPR, data subjects have eight rights, and Infin8 is committed to ensuring compliance with each of them:
Infin8 ensures that the data subjects are presented with the opportunity to access, rectify, erase, and/or restrict personal data.
Infin8 ensures that the data subject is presented with the opportunity to ask for any data they supplied directly to us to be provided in a structured, commonly used, and machine-readable format (‘data portability’).
Infin8 gives data subjects the opportunity to object to further processing of their data for direct marketing purposes and otherwise as required by the GDPR.
Infin8 emphasizes the right of data subjects not to be subject to a decision based solely on automated processing. In this regard, Infin8 does not utilize automated processing, nor does it use profiling for its products or services.
Does Infin8 transfer data to countries outside the EU/EEA?
Customer and user data will be stored at Infin8’s sub-processors, located, as applicable, in Europe, Canada, and the USA. As such, we may transfer personal data we have collected from you to sub-processors located in countries outside of the European Economic Area (‘EEA’). For these transfers, Infin8 has ensured adequate safety measures in accordance with the GDPR.
How does Infin8 ensure that international transfers are compliant with the GDPR?
Countries outside of the EEA may not have the same level of data protection as offered in the EEA. Infin8 has implemented measures to ensure that our international transfers are in compliance with the GDPR.
Where personal data is transferred to a country outside the EEA that is not subject to an adequacy decision, Infin8 ensures that we have appropriate safeguards in place. Infin8 will utilize Standard Contractual Clauses (‘SCCs’), as adopted by the European Commission, to protect personal data. Infin8 enters into written contracts with all our sub-processors imposing the same level of security and data protection obligations that are undertaken by Infin8.
What additional safety measures does Infin8 apply for international transfers?
The transfer of personal data to sub-processors located outside the EU/EEA is, as a main rule, done for hosting purposes only. Infin8 has put in place technical and organizational measures to protect personal data that is transferred to our hosting providers. Data is encrypted, in motion and at rest, in accordance with industry best standards. For datastores, Infin8 uses a combination of full partition encryption based on LUKS and supplied full disk encryption (AES).
All of our sub-processors hold the highest level of security and hold ISO 27001, SOC 2 Type 2, or similar.