Version 2.1

May, 2021

Download this Policy

Data Compliance One-Stop

In this page we aim to provide a one-stop overview of our approach to data compliance, an easy way to contact our information officer should you wish to and provide details around our ongoing compliance efforts in line with, but not limited to, the GDPR and POPIA.

Need to contact us?

Have a question, query or complaint relating to data protection @ Stackworx?

Please send an email to information-officer@stackworx.io

Related content & references:

We are registered with the South African Information Regulator.

Registration Number: 8202/2021-2022/IRRTT

Download a copy of the Stackworx Registration Certificate


We are part of the Michalsons Data Protection Program.

Data Protection & Information Security Compliance Policy

An overview of how Stackworx (Pty) Ltd treats data protection compliance in line with the GDPR (General Data Protection Regulation as set out by the EU) & POPIA (Protection Of Personal Information Act as set out by South Africa)



Compiled by:

Directors & DPO of Stackworx (Pty) Ltd


Glossary

  • GDPR - General Data Protection Regulation (EU)
  • POPI(A) - Protection Of Personal Information Act (South Africa)
  • EU - European Union
  • Data subject - a natural person whose personal data is processed by a controller or processor
  • Data controller - the entity that determines the purposes, conditions, and means of the processing of personal data
  • Personal data - any information related to a natural person or Data Subject that can be used to directly or indirectly identify the person
  • Data processor - the entity that processes data on behalf of the Data Controller


Introduction


As an organisation, we treat security and personal data with the utmost importance and appreciate that as a data processor we are often left to ensure data controllers are satisfied with the level of comfort we are able to offer them in an ever-changing legal landscape on the subject of personal data protection & information security.


We appreciate the fact that GDPR & POPI(A), and other related governing compliance regulations, frameworks and laws, are an ongoing effort and not a once-off checklist and as an organisation we can only provide assurances to the means and ways we process, handle, transfer and store data in line with these regulations.


The below outlines the core details of our efforts in compliance:


Data Protection Officer

Currently, the data protection officer role is managed by the team of directors and can be reached on information-officer@stackworx.io.


Technical measures to ensure data being processes is secured


As an organisation building international products and services, we are no stranger to ensuring that the appropriate security measures are put in place and maintained for projects of any size. More on this can be found in our dedicated document titled “Stackworx Compliance | Security & Hosting Overview” on request.


Keeping personal data confidential


Business Data: business or organisation personal data for clients we work with is always treated as confidential and is shared on a need-to-know basis within the existing NDA/Confidentiality agreement. No personal data is made available publicly nor to internal Stackworx (Pty) Ltd employees unless explicitly required. Should a business relationship be terminated all personal data on a data processor can be returned on request and deleted from our records.


Project Data: project-level personal data is always obscured and not accessible unless explicit and controlled access has been granted only in cases that warrant such access. Furthermore, passwords (to access projects built by Stackworx (Pty) Ltd) are encrypted (using bcrypt hashing function to generate password hashes and only storing the hash) in such a manner that nor Stackworx (Pty) Ltd employees or any of its members including infrastructure and hosting personnel are able to decrypt these.


Record keeping


Business Data: all business-related data are being kept securely within Enterprise Google Drive and Enterprise Google Email, we as an organisation utilize the Google platform for all official business and commercial document storage & communication. Should a business relationship be terminated all personal information on a data processor can be returned on request and deleted from our records.


Project Data: all project-related data are being recorded and stored for a period in line with the retention strategy of every project and always follow a minimal personal data approach where we only ask for and store operational- or business-critical data. Where applicable records are being kept in a database, more details can be obtained in our dedicated document titled “Stackworx Compliance | Security & Hosting Overview” on request.


Data Breach / Incident Response Handling


In accordance with https://gdpr-info.eu/art-33-gdpr/ we strive to take the following actions upon a data breach where there is any risk to the rights and freedoms of natural (or jurisdiction in line with POPIA) persons:


  • Notifying the data controller within 72 hours.
  • Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
  • Communicate the name and contact details of the data protection officer or another contact point where more information can be obtained.
  • Describe the likely consequences of the personal data breach.
  • Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.


Furthermore, where not possible to provide all the above information at the same time it will be done in phases.


Stackworx (Pty) Ltd will as far as reasonable and within its power assist the data controller with communication and preparation thereof to data subjects as outlined in https://gdpr-info.eu/art-34-gdpr/.


To obtain a copy of our “Incident Response & Breach Management Policy” please send an email to information-officer@stackworx.io.


Personal data processed in accordance with what the data controller & GDPR deems appropriate and acceptable


As a data processor we follow the principles as set out in https://gdpr-info.eu/chapter-2/ to ensure we capture, store and process personal data in line with being:


  • Lawful, fair and transparent - this means we are clear about why we need the personal data we need and is transparent in its usage.
  • Purpose limited - this means we only collect the personal data for specified, explicit and legitimate purposes.
  • Minimised - this means we only capture and store the personal data we need.
  • Accurate - this means every reasonable effort is taken to ensure the personal data we capture is accurate and correct at all times.
  • Storage limited - this means we only keep personal data on file/storage for as long as it is deemed necessary and no longer.
  • Confidentiality & integrity - this means personal data will be stored in a safe manner with appropriate security measures to ensure its integrity.


Obtaining controllers written consent before engaging sub-processors


Outsourced work: as a general rule Stackworx (Pty) Ltd does not employ an outsourced or sub-contracting model and hence no individuals directly involved in project delivery are subcontractors of the data processor. Should there ever be an exception to this rule the required communication will be made with the data controller as prescribed by the GDPR.


Hosting: Stackworx (Pty) Ltd does, however, employ external 3rd parties for hosting services to bring solutions to market, in these cases, the chosen service providers are always made public knowledge to the data controller and various suppliers can be chosen from in line with any specific project or compliance requirements. More on this in our dedicated document titled “Stackworx Compliance | Security & Hosting Overview” on request.



Notifying Controllers if their instructions infringe on GDPR or Personal Data Protection laws


As an organisation we strive towards better and continuous compliance and in an effort to do so we may from time to time point out to data controllers where their instructions or requests are not in line with general compliance and regulation.


Transferring data across borders


Given that Stackowrx (Pty) Ltd’s head office resides in South Africa there is a need to transfer personal data to and from the EU to South Africa, every effort is made to limit this transfer to not include project-level personal data of data subjects of a particular project where it is also possible to facilitate the hosting of said personal data in an EU state complying with the GDPR regulations.


However, where personal data of a data subject is required by the project outlines and limitations to transfer cross-borders the GDPR guidelines outlined in https://gdpr-info.eu/art-46-gdpr/ are followed and data subjects are made aware of this where appropriate and relevant.


Assisting data controllers in assisting individuals or data subjects that require details on exercising their right to privacy


As the data processor Stackworx (Pty) Ltd will always ensure to assist the data controller as far as possible and reasonable, whether through system design and implementation or communication after-the-fact to adhere to the guidelines set out by the GDPR in https://gdpr-info.eu/chapter-3/ including:


  • Having clear and transparent communication as to what personal information is being used and for what purpose.
  • Assisting data subjects to their “right of access”.
  • Assisting data subject to their “right to rectification”.
  • Assisting data subject to their “right to be forgotten”.
  • Assisting data subjects to their “right to restriction of processing”.
  • Notification to data subjects upon any personal data rectification or deletion as deemed appropriate and reasonable.
  • Assisting data subjects to their “right to data portability”.



Project level public privacy policies & notices in line with regulation


Where it is required based on the project scope Stackworx (Pty) Ltd will assist in so far as ensuring that the data controller has a privacy policy in place and in line with the personal data the application is collecting and explaining the purpose of said personal data.


In line with https://gdpr-info.eu/art-7-gdpr/ Stackworx (Pty) Ltd as the data processor will ensure processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.


In closing


As mentioned, personal data compliance is an ongoing effort and we treat it as such taking into account that for the scope of this document we perform the role of the data processor and is required to assist the data controller in their efforts to comply and ensure data subjects are comfortable with the manner in which their personal data is being obtained, stored and processed.


We, Stackworx (Pty) Ltd, do however acknowledge that compliance is a collection of efforts, policies, documentation and intent.

Need to contact us?

Have a question, query or complaint relating to data protection @ Stackworx?

Please send an email to information-officer@stackworx.io

Version 2.1

May, 2021

Download this Policy

us@stackworx.io
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
South Africa Flag

South Africa

13 Umgazi Street - 4th Floor, Menlo Park
Pretoria, 0081
+27 72 147 8840

Directions ➜
United Kingdom Flag

United Kingdom

Working from Southwark, 32 Blackfriars Road
London, SE1 9PB
+44 7816 222149

Directions ➜
© All Rights Reserved
GDPR, POPIA, Data Compliance? Visit our Data Compliance One-StopPrivacy Policy & Cookie Notice