GDPR / Personal Data Regulation in Inpay
Inpay takes data protection, including the protection of personal data, very seriously. Inpay has always been working based on a principle of high ethics in the handling and storing of personal data. Inpay has implemented both physical and systematic separation of data, ensuring that only intended employees have access to the data necessary to perform their specific work functions and tasks.
In the following sections, we have described what types of data we collect, process and store in our systems.
Inpay collects, processes and stores personal data and in rare instances sensitive data uncovered during the KYC process. Inpay primarily stores data that can identify a customer, their transaction history, UBOs, origin, etc.
Inpay only register sensitive data when required by law. Sensitive data includes, but is not limited to; political associations, criminal history, etc.
Data collected, processed and stored by Inpay is available exclusively to intended employees and only to the extend needed to perform their specific work function and tasks. This effectively means that e.g. a Sales representative will only have access to data relevant to the sales process.
Inpay developers only have access to the testing environment and as a rule, and not to the production environment. However, access is granted for limited periods of time when the installation of updates, maintenance and implementation of software is necessary.
All access to data in Inpay’s production environment is recorded in logs. Logs are reviewed at least once a quarter.
Inpay’s websites are also using cookies, which are stored on visitors devices to analyse website traffic and visitor behaviour. We also share information about our visitors submitted support issues, with zendesk.com who may combine it with other information that the visitor provided to zenddesk.com or that they’ve collected from their use of zenddesk.com’s services.
Customers’ rights in term of transparency, access to and request to delete data
Customers of Inpay have the right to at any time know what data Inpay has registered in connection to that particular customer and to have this data deleted if desired. However, the customers must be aware that special legislation is applicable in most cases. This means, that where an overruling legislation states that data must be stored, it will not be possible for Inpay to delete that data. Examples of such legislation are; the AML Directive and the Bookkeeping Act.
Inpay has introduced special processes concerning inactive customers. Inactive customers are limited to restricted access to data, which means that inactive customers only have access to historical data pertaining to that customer. They will not have access to any updated data collected on the customer record. A customer is classified as inactive after an account is dormant for six (6) months.
Storage of data
Data is, unless otherwise dictated by law, kept for five (5) years after a contract has expired, been terminated or otherwise annulled.
All customers will be prompted to sign a Data Handling Agreement before Inpay creates a record in our system.
Breach of safety
An important part of the General Data Protection Regulation is monitoring data security and detecting potential and actual breaches. Violation of security may occur due to theft, unauthorized access data, hacker attacks, etc.
Inpay takes security breaches very seriously, thus Inpay has implemented a special action plan pertaining to this. The plan specifies actions to be taken during the following phases:
Gaining an overview of the situation
Limitation, containment and restoration
Consider the risk and extent of the breach
Review of data audit and customers
Evaluation and response
In other words, if a breach should occur Inpay will stop it quickly and efficiently. Breached are reported to the relevant authorities as required by law and involved customers.
Should there be any questions, concerns, enquiries in relation to this statement, please feel free to contact us at: [email protected]