Risk Quotient Consultancy Private Limited (the “Company”) is the lawful owner of AKIRA - Software as a Service (“Software” or “AKIRA Services”), and all the rights, title, and interest in the Software vest in the Company. This Information Security and Privacy Notice (“ISPN”) lays down the manner in which the Company deals with the Customer Information (Personal as well as Business Information) provided by the Customer/s (as defined herein below) while availing or accessing AKIRA Services from time to time. The terms and conditions contained herein outline the manner in which the Customer Information is handled by the Company in terms of security, storage, and deletion of Customer Information in compliance with the Applicable Laws, and the rights and remedies available to the Customer/s with respect to Customer Information.
By using AKIRA Services, the Customer/s agree to the terms and conditions, including any change, update or amendments to the terms and conditions made during the continued use of AKIRA Services, of this ISPN and agree that these terms and conditions are legally enforceable against them.
1. Definitions
Capitalized terms not specifically defined in this ISPN shall derive their meaning from the AKIRA Subscription Agreement or from the Applicable Laws or Foreign Applicable Laws.
“Agreement” means AKIRA Subscription Agreement, accepted by the Customer, including its Annexure, Schedule, Amendments and this Information Security and Privacy Notice as updated or amended from time to time.
“Applicable Laws” means, for the purpose of this ISPN, all legislation, regulations, codes of practice, guidelines or instruments relating to personal data protection which is applicable on the Company including (i) the Information Technology Act, 2000, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 and any other rules made thereunder applicable on Personal Information / data of an individual governed by laws of India.
“Business Information” means the information related to Customer’s business including but not limited to (i) the name and address of Customer’s business entity, (ii) nature of business entity, like private limited, public limited, partnership firm, limited liability partnership, (iii) Corporate / Entity Identification Number and/or registration number as applicable, (iv) business contact information (such as job title, department and organization's name, statutory details, filings, identity, and business proofs), (v) any such other information which may or may not be publicly accessible.
“Controller Data” means the Customer Information provided to the Company by its Customer pursuant to the Agreement.
“Customer” means the customer who has accepted the Terms and Conditions of AKIRA Services and agreed to avail AKIRA Services.
“Customer Information” means the Personal Information and the Business Information of the Customer provided by the Customer to use and access AKIRA Services.
“Data Subject” means the personal data of an individual / employee of the Customer.
“Data Incidents” means a breach of Company’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller Data transmitted, stored or otherwise processed by the Company. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Controller Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Foreign Applicable Laws” means, for the purpose of this ISPN, any other laws, rules, regulations, directives other than the Applicable Laws with respect to the Personal Information of an individual not governed by the laws of India and shall include but not be limited to (i) Directive 2014/59/EU as amended from time to time governing Processing of Personal Information of EU Citizens, (ii) the California Consumer Privacy Act (“CCPA”) and other applicable laws pertaining to Personal Information of residents of California, (iii) any other law related to Personal Information of an individual not governed by Applicable Laws.
“Party” means, individually as, the Company or the Customer.
“Parties” means, collectively as, the Company and the Customer.
“Personal Information / Personal Data” means any information relating to a natural identifiable person, whether the person identified is an employee, staff, vendor, partner, potential partner, or other individual who provides their personal information to access and use AKIRA Services and expressly excludes Company’s Personnel.
“Processing of (or to Process) Personal Information or Personal Data” means any operation or set of operations that is performed upon Personal Data, and includes, without limitation, the following: access, collection, use, retention, copying, recording, organization, storage, adaptation or alteration, retrieval, transmission, dissemination or otherwise making available, and/or disposal or destruction of Personal Data.
“Security Measures” means the administrative, technical, and physical safeguards adopted by the Company to protect and secure AKIRA Services and Controller Data under the Applicable Laws.
“Territory” means the territory of the Republic of India.
For the purpose of this ISPN, the term “You” or “you” means an individual who can be the employee or authorized person of the Customer or the Customer, and the term “We” or “we” or “us” or “our” means Risk Quotient Consultancy Pvt. Ltd or the Company.
2. Personal Data Processing Terms
The Customer acknowledges and agrees that:
a) For purposes of this ISPN, the Customer is the controller, and the Company is the processor of all Controller Personal Data.
b) The subject-matter of the data processing covered by this ISPN is with respect to AKIRA Services of the Company. The Company will not process the Controller Personal Data for any other purposes unless specifically asked to do so by the Customer.
c) The Company may disclose the Controller Personal Data to regulatory authorities as and when required by such regulatory authorities and to comply with the Applicable Laws and Foreign Applicable Laws. In the event the Company discloses the Controller Personal Data to any regulatory authority within the Territory or in order to comply with the Applicable Laws, the Company may not take prior written consent of the Customer for such disclosure of the Controller Personal Data.
d) During the Term of the Subscription Agreement, the Customer will comply with the Applicable Laws (i.e., all applicable provisions of constitutions, laws, statutes, ordinances, rules, treaties, regulations, permits, licenses, approvals, interpretations and orders of courts or governmental authorities and all orders and decrees of all courts) with respect to the processing of Controller Personal Data. However, the Company may not be required to comply with Foreign Applicable Laws unless the Company collects, stores or processes any data for a person governed by Foreign Laws and provided by the Customer.
3. Data Security
3.1 Security Measures
3.1.1 The Company has implemented and maintained the Security Measures to protect and secure (i) Controller Data, including Controller Personal Data, against unauthorized or unlawful processing and against accidental or unlawful loss, destruction or alteration or damage, unauthorized disclosure of, or access to, Controller Data, and (ii) the confidentiality and integrity of Controller Data. These Security Measures will remain in place for the Term.
3.1.2 The Company will promptly notify the Customer in writing via email address provided by the Customer if the Company becomes aware that Company’s technical and organizational measures do not meet or exceed the security objectives set forth in the Security Measures and the Company will implement such Security Measures as required to protect and secure the Controller Personal Data from time to time.
3.1.3 The Company will take or has taken reasonable steps (in terms of recurrent and adequate training, allocating personnel with expertise relevant for AKIRA Services, staffing of a sufficient number of team members) to ensure the reliability and competence of the Company personnel engaged in the processing of Controller Personal Data.
3.1.4 The Company will take appropriate and reasonable steps (in terms of process definition and implementation, signing of confidentiality agreements) to ensure that all Company personnel engaged in the processing of Controller Personal Data (i) comply with the Security Measures, to the extent applicable to their scope of performance, (ii) are informed of the confidential nature of the Controller Data, (iii) have received appropriate training on their responsibilities and (iv) have executed written confidentiality agreements. The Company shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
3.1.5 The Customer agrees and acknowledges that, although the Company uses technical, physical, and administrative safeguards that are designed to improve the confidentiality, integrity and accessibility of Personal Information, and the Company incorporates secure storage and transmission technologies including strong encryption, firewalls, fine-grained access control and secure audit, the Company cannot ensure or warrant the security of any information transmitted to us via AKIRA Services, and the Customer does so at its own risk. The Company also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of Company’s technical, physical, or administrative safeguards.
3.2 Data Incidents
3.2.1 If the Company becomes aware of a Data Incident, the Company will: (a) notify the Customer of such Data Incident within 72 hours after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Controller Data.
3.2.2 Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks.
3.2.3 Notification(s) of any Data Incident(s) will be delivered to the Customer in writing pursuant to any notice provisions of the Agreement. The Customer is solely responsible for ensuring that the Customer’s contact information, including the Customer’s notification email address, is current and valid.
4. Return or Deletion of Controller Data
Upon Customer’s request, which may be made through the Services, the Company will delete any Controller Data, or any portion thereof, in its possession subject to the provisions of Applicable Laws or Foreign Applicable Laws. The Company will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days. Subject to the provisions of the Applicable Laws or Foreign Applicable Laws the Company may retain a copy of Controller Data or any portion thereof to comply with any legal or regulatory compliance from time to time.
5. Data Subject Rights; Data Export
5.1 During the Term of the Subscription Agreement:
5.1.1 The Company will, in a manner consistent with the functionality of the Services, enable the Customer to access, rectify and restrict processing of Controller Data, including deletion as described in Section 4 (Return or Deletion of Controller Data), and to export Controller Data;
5.1.2 The Company will, without undue delay, notify the Customer, to the extent permitted under the Applicable Laws or the Foreign Applicable Laws, if the Company receives a request from a data subject to exercise the data subject's right of access, right to rectification, restriction of processing, erasure, data portability, objection to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”); and
5.1.3 If the Company receives any request from a data subject in relation to Controller Personal Data, the Company will advise the data subject to submit his or her request to the Customer and the Customer shall be responsible for responding to any such request;
5.1.4 Taking into account the nature of the processing, the Company will assist the Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of the Customer’s obligation to respond to a Data Subject Request under Foreign Applicable Laws. In addition, to the extent the Customer, in its use of the AKIRA Services, does not have the ability to address a Data Subject Request, the Company shall, upon Customer’s written request, provide the Customer with reasonable cooperation and assistance to facilitate Customer’s response to such Data Subject Request to the extent a response to such Data Subject Request is required under any Foreign Applicable Laws.
6. Transfer of Personal Data outside of the Territory
The Customer agrees that any Personal Information or Personal Data collected by the Company in the course of providing AKIRA Services shall only be transferred outside the Territory to comply with Foreign Applicable Laws, and such compliance will be only as per the request of the Data Subject or the Customer.
7. Privacy Notice
7.1 Nature of Information and Mode of Collection
For the purpose of providing AKIRA Services to the Customer, the Company may collect, via various modes, Personal Information of employees or authorized persons of the Customer. When any employee or authorized person of the Customer accesses and uses AKIRA Services, the Company may collect the following categories of Personal Information about such individual or employee of the Customer:
- Information which can directly identify you, such as name, address, email address, telephone number, or an Internet Protocol address (IP address) or other online identifier. The Company typically collects, or may collect, this information directly from the employee or authorized person of the Customer or from commercially available sources (such as data aggregators, public databases and other third parties) in order to communicate with the Customer and provide the Customer with access to certain information through AKIRA Services.
- Internet usage and AKIRA Service usage information, such as browsing history, search history, and browser information. For example, we may log when you’re using and have last used AKIRA Services, and what content you view on AKIRA Services. We typically collect this information from our use of cookies and other data collection technologies to help us to provide better services, to identify popular features, and for other managerial purposes.
- Business or Commercial Information, such as products and services purchased from us. We typically collect this information directly from you in order to fulfil your transactions and provide related customer service. We do not collect, store or process any financial information such as banking details, credit or debit card or any other financial instrument details used by the Customer to purchase AKIRA Services.
- Location information, such as information used to locate the device you use to access AKIRA Services. Location information may include: (i) the location derived from the IP address of the device or internet service used to access and use AKIRA Services, and (ii) other information made available by a user or others that indicates the current or prior location of the user. We typically collect this information from our use of cookies and other data collection technologies so that we may tailor AKIRA services to your location.
- Information Related to Profile and Inference, such as information about your preferences and characteristics. We typically collect this information directly from you and through our use of cookies and other data collection technologies in order to customize our communications and services to you.
7.2 Use of Personal Information
Personal Information that you provide to us will be used as described in this ISPN, or in AKIRA Subscription Agreement.
We may use or disclose your Personal Information:
- To provide you with information, products or services that you request from us.
- To perform our contracts with you or your employer or business.
- To provide you with notices and to facilitate communications deemed appropriate by us.
- To support, personalize, and develop our services.
- To comply with any legal or regulatory obligations.
- In any other way we may describe when you provide the Personal Information.
- For any other purpose permitted by law or with your lawful consent.
Your Personal Information can be deidentified, pseudonymized, or anonymized by us, meaning the information that can be reasonably used to identify you will be removed. We create and use such deidentified information as per the provisions of the Applicable Laws and/or with your consent.
7.3 Sharing of Personal Information
- We may share your Personal Information internally among our business units and our affiliates in order to provide you our services and generally to improve our product and service offerings.
- With vendors and other service providers. Your Personal Information may be shared with our service providers who provide various services to us and act as per our instructions and direction from time to time. These services may include, but are not limited to, activities such as cloud storage and services, fulfilment services, and other IT services. Our policy is to prohibit these service providers from using your Personal Information for purposes other than providing services to us.
- In the event of a corporate transaction. In the event we go through a business transition like a merger, acquisition, reorganization, or sale of all or a portion of our assets, we may disclose your Personal Information to the party or parties of such transaction.
- In order to comply with any of our legal obligations, statutory compliances or any compliance requirement directed to us by any regulatory authority within or outside India to which we may be subjected, and to protect our rights under Applicable Laws or Foreign Laws as the case may be. Your Personal Information can be disclosed if we think doing so is necessary to investigate or prevent actual or expected fraud, criminal activity, injury or damage to us or others or when otherwise required by statute, regulation, subpoena, court order, or other law, or if necessary to protect the rights, property, or safety of us, our employees, or others.
7.4 Cookies & Other Data Collection Technologies
A cookie is a small file placed on the hard drive of your computer. We use cookies if you have an AKIRA Services account, use AKIRA Services, including our website, or visit other websites that are used to subscribe to AKIRA Services. Cookies enable us to offer AKIRA Services to you and to understand the information we receive about you, including information about your use of other websites and apps, whether or not you are registered or logged in.
You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of AKIRA Services. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our website.
7.5 Your Rights under Indian Laws
If you are a citizen of India or the Customer is situated in India and has its principal place of business in India, then the applicable provisions of the Information Technology Act, 2000 and rules framed thereunder, as amended from time to time (the “Act”), shall be the governing laws for the Personal Information of the employee or authorized person of the Customer with whom we interact during the course of providing AKIRA Services. Such employees or authorized persons can exercise their rights related to Personal Information as per the provisions of the Act.
You have given express consent to us to use your Personal Information as per the applicable provisions of the Act.
7.6 Your Rights under California Consumer Privacy Act
If you are a resident of California, you may be entitled to the privacy rights described below under the California Consumer Privacy Act (“CCPA”) and other applicable laws.
The Right to Know. You have the right to request:
- the specific pieces of Personal Information we have about you
- the categories of Personal Information we have collected about you in the last 12 months
- the categories of sources from which that Personal Information was collected
- if we sold or disclosed your Personal Information in the last 12 months and the categories of your Personal Information that we sold or disclosed
- the categories of third parties with whom we share your Personal Information
- the purpose for collecting and selling Personal Information.
In general:
- Within the past 12 months, we have collected the categories of personal information detailed in the section titled “Nature of Information and Mode of Collection” above.
- Within the past 12 months, we have not sold (within the meaning of CCPA) Personal Information about any adults in the preceding 12 months.
- Within the past 12 months, we have sold (within the meaning of CCPA) de-identified information.
- We may disclose the categories of Personal Information that we collect to third parties as described above under “Sharing of Your Personal Information.”
Specifically, we have disclosed the following categories of Personal Information in the preceding 12 months: direct identifiers, other personal information, internet activity information, and commercial information.
The Right to Deletion. You have the right to request us to delete the Personal Information that we have collected or maintain about you. We may deny your request under certain circumstances, such as if we need to comply with our legal obligations or complete a transaction for which your Personal Information was collected. If we deny your request for deletion, we will let you know the reason why.
Non-discrimination. We will not discriminate against you in any way if you choose to exercise your rights under the CCPA. However, if we delete your Personal Information based on a request you make, understand that you may be unable to use or access certain features of our Services.
You may exercise your right to know and your right to deletion twice a year free of charge. To exercise your right to know or your right to deletion, contact us via email at privacy@rqsolutions.com. We endeavour to respond to a verifiable consumer request within forty-five (45) days of receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.
We will take steps to verify your identity before processing your request to know or request to delete. We will not fulfil your request unless you have provided sufficient information for us to reasonably verify you are the individual about whom we collected Personal Information. If you have an account with us, we will use our existing account authentication practices to verify your identity. If you do not have an account with us, we may request additional information about you to verify your identity. We will only use the Personal Information provided in the verification process to verify your identity or authority to make a request and to track and document request responses, unless you initially provided the information for another purpose.
You may use an authorized agent to submit a request to know or a request to delete. When we verify your agent’s request, we may verify both your and your agent’s identity and request a signed document from you that authorizes your agent to make the request on your behalf. To protect your Personal Information, we reserve the right to deny a request from an agent that does not submit proof that they have been authorized by you to act on your behalf.
Other California Privacy Rights. California’s “Shine the Light” law also gives California residents the rights to request certain information regarding our disclosure of their Personal Information to third parties for those third parties’ direct marketing purposes. You may request information regarding the disclosure of your Personal Information to third parties for those third parties’ direct marketing purposes by emailing privacy@rqsolutions.com or writing us at the address in the Contact Information section below. Please indicate “California Rights” in the subject or attention line of your communication.
7.7 Your European Union Privacy Rights
If you are a resident of the European Union, you have certain data protection rights under the General Data Protection Regulation (GDPR).
Your Rights Under GDPR. We are committed to providing individuals greater control over the processing of their personal data. You are entitled to certain rights under GDPR:
- Right to Request Information. You have the right to ask us questions about our processing of your Personal Data, including if you feel information is missing from this ISPN.
- Right to Access. You have the right to request access to your Personal Data.
- Right to Rectification. You have the right to ask us to correct errors, or to complete omissions, in your Personal Data.
- *Right to Erasure. You may have the right to ask us to delete your Personal Data. Some people call this the “right to be forgotten.”
- *Right to Object. You may have the right to object to, and stop, our processing of your Personal Data.
- *Right to Restriction of Processing. You may have the right to limit our processing of your Personal Data.
- *Right to Data Portability. You may have the right to receive, or have us transmit to another person, a portable copy of your Personal Data.
The rights above with an asterisk (*) are subject to certain conditions or exceptions and may not be applicable under this ISPN. If you want to know more about those conditions, or if you would like to exercise one or more of the rights above, please contact us at privacy@rqsolutions.com. We will never discriminate against individuals who exercise their legal rights concerning their personal data.
In addition, you can always reach out to your local data protection authority for more information on your rights. The identity of your local data protection authority depends on where you live, so we are unable to identify it for you. If you reside in the European Union, for information about your rights under GDPR you may refer to this link.
7.8 Processing Personal Data Under Applicable Laws
We process personal data in order to perform our testing services and to bill for these services, to perform our contracts with you, and to meet our legal obligations. Additionally, our processing is necessary based on our legitimate interest of providing AKIRA Services and other services to you.
International Transfers. As you may be aware, the Republic of India has not been subject to a universal adequacy decision by the European Commission. This means that the European Commission has not determined that Indian laws provide the same level of legal protections to individuals concerning their personal data and how it is used. In other words, processing in India may be undertaken with fewer privacy- and security-focused protections than in Europe, which may increase the risk of data breaches, losses of data, or similar events affecting personal data privacy and security. In any event, we are committed to data privacy and security and have implemented a number of measures that are intended to ensure all personal data (including your Personal Information) is protected just as strongly in India as it might be in Europe, including entering into EU-approved model contract clauses with certain of our processors (including those vendors or service providers we’ve described above) and providing appropriate technical and organizational measures to secure your Personal Information (as discussed above). If you have any questions about cross-border processing, you may reach out to us at privacy@rqsolutions.com.
7.9 International Users
Our services are hosted in India and are intended for users located within India. Your use of AKIRA Services and provision of your information is subject to the laws and regulations of the Republic of India (Applicable Laws). If you choose to use AKIRA Services from other regions of the world with laws governing data collection, use and disclosures that may differ from Indian Laws, then you acknowledge and agree that (a) you are transferring your personal information outside of those regions to India and (b) the laws and regulations of India regarding data privacy and security governing the use and disclosure of Personal Information may differ from those of your country of residence.
7.10 Changes to This Privacy Notice
It is our policy to post any changes that we make to our Privacy Policy on our website. If we make material changes to how we treat our users’ Personal Information, we will update this Privacy Notice section of ISPN. The date our Privacy Notice was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable e-mail address for you, and for periodically visiting our website and this Policy for changes. For any questions or comments regarding this Privacy Notice, please contact us at privacy@rqsolutions.com.
7.11 Contact Information
Please contact us with any questions or comments about this ISPN, your Personal Information or Privacy Notice, or your consent choices by email at privacy@rqsolutions.com or by mail to Risk Quotient Consultancy Private Ltd., Unit 9, Build Number 02, Sector 3, Plot No: 1, Millennium Business Park, Mahape, Navi Mumbai, Maharashtra, India, PIN: 400701. Attn: Privacy Officer.