
GDPR compliance

The General Data Protection Regulation (GDPR) lays out the definition of Data Controller, Data Processor and Data Subject as below:

Role | Definition
Data Controller | A Data Controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Controllers make decisions about processing activities.
Data Processor | A Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller and under the instructions of the controller.
Data Subject | The term 'data subject' refers to any living individual whose personal data is collected, held or processed by an organization.

OrchestratorX plays the role of a 'Data Processor' and takes all the initiatives below to ensure compliance.

Data Protection and Privacy Principles

Principles | Initiatives

Lawfulness, fairness, and transparency

Lawful - We gather data and process it with a valid legal basis which is vetted by our legal team.

Fair - We process personal data in the best interest of the people concerned, and the scope of our processing can be reasonably expected by the person.

Transparent - We clearly communicate what, how, and why we process data and what role we play in the data lifecycle via our Privacy Notice on the website. It is written in clear, plain language that enables everyone to easily understand the scope and methods of our processing. We also enable our merchants to comply with the Transparency principle by enabling them to respond to Data Subject Rights Requests in a better, more sustainable way via our Data Compliance APIs.

Purpose limitation

We only process data for clear, defined purposes and have strict processes in place to avoid function creep or utilisation of data in any other way than intended. We also verify on a periodic basis that our purposes are valid and essential to deliver services to our merchants and avoid any unnecessary processing.

We maintain records of our purposes via RoPA to ensure compliance with Purpose Limitation.

Data minimisation

We ensure and evaluate that we gather only essential personal data that we need to deliver the service. In other words, we only gather and process the exact amount of data that is needed.

Accuracy

We as a data processor take reasonable measures to ensure that the personal data we are processing is correct and up to date by employing various security and privacy-centric principles:

  • Access Control (maker and checker system)
  • Encrypted communication channels
  • Encryption of data in transit and at rest

Storage limitation

We limit storage based on identified purposes and defined retention periods. Our Master Services Agreement captures data retention and deletion requirements with all merchants. We regularly audit our processes to ensure that the data retention requirements are met.

Integrity and confidentiality

We implement appropriate security measures to ensure personal data remains secure, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Accountability

We maintain comprehensive documentation of our processing activities, conduct regular audits, and implement appropriate technical and organisational measures to demonstrate compliance with GDPR principles.

Security

OrchestratorX is engineered with a meticulous focus on safeguarding sensitive data, in alignment with PCI standards. The application also employs strategies that span various stages, including:

  • Encryption of Data at rest and Data in Transit
  • Masking of PII information at source
  • Minimizing PII data exposure across the application
  • Secure software development practices
  • SOC Type I and Type II certification

Read more about Data security at OrchestratorX.

Data Retention and Deletion

In the spirit of the Data Minimisation principle, we capture data retention and deletion requirements with all our merchants in our DPAs and Master Services Agreement to avoid processing data longer than required. We regularly audit our processes to ensure that the data retention requirements are met.

We support the right to erasure through permanent deletion of personal data upon request. The Deletion API is published and accessible to all merchants to permanently delete Customer PII Data.

Data Protection Team

OrchestratorX Technologies has a Privacy and Data Protection team and a designated Data Protection Officer to look after Data Protection, Privacy and Compliance Obligations.

Data Protection Agreement

The OrchestratorX Master Services Agreement includes a Data Protection Agreement which clearly articulates our privacy commitment to merchants. We have evolved and specifically updated these terms to reflect the GDPR from the perspective of payment processing, and to facilitate merchants' compliance assessment and GDPR readiness when using OrchestratorX.

Standards and Certifications

We hold ourselves to the highest standards of data security and reliability. We believe in protecting sensitive information and ensuring the utmost trust in our services by our merchants. To achieve that goal, we undergo regular audits to address any gaps and strengthen our security and privacy posture.

Standards | Significance

ISO/IEC 27001:2013 (Upgrading to ISO 27001:2022 during 2024)

ISO/IEC 27001 is the international standard for information security. It sets out the specification for an effective ISMS (information security management system). ISO 27001's best-practice approach helps us manage our information security by addressing people, processes and technology. This certification signifies our establishment of a robust Information Security Management System (ISMS) and the mastery of a comprehensive suite of controls to ensure the highest level of data protection.

SOC 2 Type 1 and 2

System and Organisation Control 2 is a security framework that specifies how we should protect customer data from unauthorized access, security incidents, and other vulnerabilities. Type 2 examines how well our system and controls perform over a period of time (typically 3-12 months).

PCI DSS v3.2.1 (Certification under process for PCI 4.0)

PCI DSS is a stringent compliance requirement for entities that process, store, or transmit credit card information to maintain a secure environment. It provides the framework needed to develop complete payment card data security systems and processes, encompassing prevention, detection, and appropriate reaction to security incidents. This accomplishment marks a significant milestone in our commitment to safeguarding sensitive cardholder data and ensuring the highest level of security for our merchants.

Use of Sub-processors

Below is the list of sub-processors we use at OrchestratorX, as well as the purpose of their use.

Sub-processor | Purpose | Hosted region
AWS | Cloud processing of user data and merchant data | Global server (US); EU Data Residency server (EU)
Slack | Merchant communication | US
Google Workspace | Merchant communication and documentation | US

Other use cases, such as data infrastructure and monitoring systems, are handled using self-deployed versions of popular open-source technologies: ClickHouse, Grafana and Sentry. This provides more control and reduces the need to share data across more sub-processors.