General Data Protection Regulation (GDPR)
Last updated: October, 2022
In light of the General Data Protection Regulation (“GDPR”), we have decided to prepare this document to provide an overview of Zenity’s standing with regard to GDPR.
Zenity Ltd. and Zenity Inc., (“Zenity”, “we”, “us” and/or “our”) welcome the positive changes the GDPR brings, such as the increased harmonization and the “privacy by design and privacy by default” approach. Our view is that the GDPR is not only an obligation but also an opportunity to build privacy-friendly products while further fostering customer trust.
The following sections provide a summary describing what Zenity has done in order to comply with the GDPR when providing its platform and services.
Should I, as a Zenity customer, be concerned about the GDPR?
Our recommendation is that all of our customers carefully assess whether they are subject to the GDPR and, if so, to what extent. The consequences of breaching the GDPR are very serious. Zenity recommends that you consult with legal counsel regarding your obligations (if any) under the GDPR (and other applicable privacy laws).
If I am a customer not based in the EU, should I still be concerned about the GDPR?
Given the GDPR’s extraterritorial effect, our non-EU based customers are also encouraged to assess whether the GDPR applies to them or not. The GDPR will not only apply to companies that process the personal data of European individuals and have a presence in the EU (e.g. offices or establishments) but also to companies that do not have any presence in the EU but offer goods or services to individuals in the EU and/or monitor the behavior of European individuals where their behavior takes place within the EU.
As a Zenity customer, where should you start your “GDPR journey”?
If the GDPR applies to your company, we highly recommend conducting internal due diligence to map your specific data collection practices. This includes, among other matters, understanding what specific personal data (including sensitive personal data) of individuals protected by the GDPR your company is collecting (e.g., end-users, customers, employees, etc.), from whom the data is collected, where it is stored, for what purposes it is used, with whom it is disclosed, and whether the personal data is transferred outside of the European Union or European Economic Area.
What is Zenity doing in order to comply?
This is a high level summary of what we have done so far:
✔ GDPR strategy.
o We retained a leading outside counsel to help us understand the GDPR and prepare a privacy compliance strategy suitable to the size and nature of our business.
o We built an internal taskforce with members of different disciplines (engineering, security, product development, and others) to implement the privacy compliance strategy internally.
o Top management has been personally involved in the supervision of our strategy implementation.
o We provide training to and raise awareness among our employees about key GDPR requirements.
✔ Data Processing Agreement. We drafted a Data Processing Agreement (“DPA”) in accordance with Article 28 of the GDPR for signature with our customers upon request.
o Zenity upholds industry and enterprise-ready safeguards, including processes and tooling, with respect to the personal data that it processes. Zenity has obtained SOC2, Type 2 certification. The following is a high level summary of various safeguards that we implemented in the context of our services:
▪ Data encryption in motion and data encryption at rest: encryption of all databases according to SOC2 requirements.
▪ Access to customer data is not available to Zenity employees or contractors.
▪ Fully logged changes to access policies and permissions.
o The following measures for ensuring the ongoing confidentiality, integrity and availability of the Services’ processing systems are continuously maintained:
a) Full data encryption in motion and at rest.
b) A data recovery and redundancy plan for failover scenarios is maintained.
c) There is an audit trail of user permissions, active monitoring of security threats and code vulnerability scanning.
d) Zenity implements processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of data processing: our services undergo annual penetration tests by a third party. Within SOC2 controls, audits are performed on a regular basis to maintain our certification.
e) Zenity’s personnel, sponsored by the Company’s CTO, are responsible for platform management, including all security updates, new versions, and bug fixes. This way Zenity’s customers can focus on their research and manufacturing without the need to carry out any platform-related management or maintenance work.
f) Zenity has processes in place to identify and handle security incidents.
✔ Response to data requests. We receive and respond to requests to grant access to or to correct information or data, made by our customers through our customer success channels.
✔ Data transfers.
o Staff. Most of our staff sit in Israel. Israel was declared by the European Commission as a country that offers an adequate level of data protection (see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en). If the Company expands and engages staff outside the EEA or in countries not declared adequate, Zenity will address any other additional privacy requirements.
o Vendors and partners. To provide our services, Zenity engages and uses vendors and service providers. These service providers are referred to as “sub-processors”. We are happy to provide a list of sub-processors used for the services to you upon request. This list may change from time to time.
o All of the sub-processors engaged by Zenity are known and respected vendors and service providers who, like Amazon Web Services, have announced that they comply with the GDPR and have undertaken to do so.
✔ Ongoing compliance. We are not approaching GDPR compliance as a one-time exercise. Therefore, we are committed to periodically reviewing our roadmap and ensuring ongoing compliance.
Where can I learn more about GDPR?
Additional information is available on the European Commission’s website.
I have more questions. Who should I contact?
If you have any additional questions about the GDPR you are welcome to contact us at [email protected]
Disclaimer: The information in this document may not be construed or used as legal advice about the content, interpretation or application of any law, regulation or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law or regulation on their processing of personal data.