This policy covers matters of privacy and data security at Triggerise. It provides the framework within which Triggerise operates and defines the principles that apply to Triggerise’s handling of data and to maximizing data protection.
This policy applies to all records, including cloud-based data, paper, electronic, computing systems, storage media, laptops, portable devices or any other medium.
This policy is reviewed and updated regularly. Triggerise is committed to providing regular independent security review as well as regular security and vulnerability testing to assess network, system and application security. If you have questions about this policy, please email us: hello[at]triggerise.org.
Implementation and dissemination of policy
- The principles in this policy are implemented consistently throughout Triggerise’s internal and external handling of Data.
- Every new employee is familiarized with this policy and all employment contracts include references to data confidentiality and this policy.
- Third party service providers or consultants who have access to personal or sensitive data are required to sign an NDA and their contracts include confidentiality and data protection clauses.
By using any service provided by Triggerise you consent to Triggerise collecting and processing data related to your interactions. Triggerise processes and analyzes this data in order to:
- Make our products more useful and relevant;
- Improve the quality of our services and help us develop new ones;
- Improve security by protecting against fraud and abuse; and
- Conduct analytics and measurement to understand how our services are used.
Triggerise is committed to protecting your privacy and no data that can be used to identify you will be shared with any third party.
You can revoke this consent at any time by emailing us at hello[at]triggerise.org or replying “STOP” from your mobile phone.
SECTION 1 – OUR DEFINITION OF DATA
Personal Data/ Personal Information refers to (but is not limited to) any information that can be used to identify an individual, such as name, address, date of birth, marital status, email, or telephone number.
Sensitive Data/ Sensitive Information refers to (but is not limited to) information that reveals an individual’s medical history, disabilities, sex life, membership in a professional or trade organization or intentions to acquire goods and services.
Movercado Data refers to all data stored and handled within the Movercado platform.
Internal Data refers to data used internally by Triggerise employees and contractors.
Confidential Data/ Confidential Information includes all information or materials that are specific to and/ or could have utility for Triggerise, including internal data and Movercado data, irrespective of the medium in which such information or data is embedded. This includes any copies or abstracts made of this data as well as any modules, samples, prototypes or parts thereof.
SECTION 2 – WHAT WE COLLECT
Commitment to Data Protection and Confidentiality
In our work we collect and handle personal and sensitive data. However, we do not share this data with third parties, except if anonymized and only for the purposes of improving the quality of our work and Rafiki’s experience. Personal and Sensitive data will not be shared for commercial purposes.
Collection of data is always preceded by an express or implied consent from users. This consent can always be revoked by the user, using pre-defined triggers. If you continue to use our services, it is assumed that you agree to the terms in this policy.
Personal Data Collected
As part of implementing activities, Triggerise collects, stores and handles Personal Data (PD). This may include:
- Phone Number(s)
- State, city, or district
- Date of birth
- Marital status
- Relationship status
In addition, Triggerise may collect, store and handle Sensitive Data (SD) which may include:
- Medical history
- Personal health information
- Sexual life
- Intention of buying specific products or services
- Attitudes towards or knowledge about our products or services
- All Triggerise employees are bound by the principles outlined in this policy;
- Failure to comply may lead to disciplinary sanctions including termination of contract with Triggerise.
- Triggerise has a Data Protection & Privacy Officer;
- Upon termination of any employee, physical and electronic access to any confidential data is terminated immediately, including deactivating passwords and usernames from any relevant service;
Compliance as applied to service providers/ consultants
- All Consultants and service providers that have access to any PD or SD are required to sign an NDA;
- In addition, all contracts with such suppliers and consultants have a clause that refers to this policy;
- Upon starting their engagement all such service providers and consultants are required to acknowledge reading of this policy;
- Upon termination of engagement of any such service provider or consultant, physical and electronic access to any confidential data is terminated immediately, including deactivating passwords and usernames from any relevant service;
Confidential Data and Third Party Services
- Triggerise will only use third party services for storing or handling of personal or sensitive data if such services comply with industry standards for data protection and security.
- Currently, Triggerise Data is stored on Encrypted Cloud Based platforms provided by AWS. More information about AWS Cloud Security compliance here: https://aws.amazon.com/compliance/
Subject access requests
Individuals whose data Triggerise collects can request access to their own personal data at any time. As part of Triggerise’s efforts to facilitate these requests, dedicated processes are put in place in all markets where we work. To conduct a subject access request, email hello[at]triggerise.org.
SECTION 3 – HOW WE PROTECT YOUR DATA
All devices used by Triggerise staff (laptops & mobile devices) need to comply with minimum security standards outlined in this policy.
All Triggerise Employees are encouraged to use highly secure, ideally randomized passwords for accessing any platform that is relevant for their work at Triggerise. To facilitate this, all employees have access to an enterprise-level password tool, which allows the generation of random passwords and the secure storing of passwords.
Any equipment that is retired or designated for re-use needs to receive a hard reset to ensure that any personal data that may be cached on the device is securely removed.
Mobile devices need to allow remote protection managed by Triggerise. Under no circumstances are Triggerise employees allowed to transfer organization, user, personal or sensitive data over unsecured (wireless) networks. Triggerise discourages its employees from using unsecured networks in general and strives to facilitate flexible internet possibilities as much as possible (secure office connections, mobile (data) network benefits, data dongles when applicable, etc.).
Personal and sensitive data is encrypted on transmission.
Triggerise exposes its web applications through a connection that is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_256_GCM).
APIs that are shared with 3rd parties and partners use HTTPS and Basic Authentication.
Before we expose any personal information to our users through any of our user interfaces (Movercado admin panel, analytics reports, website, apps, etc.), a process of verifying the person requesting the information is in place. The nature of this process depends on the product/solution and the user type that requests the information. Verification means may include:
- Secure username / password protection, https (web-utilities)
- Phone number verification (initial app to back-end connection)
- One time password or Pin security (local app security)
Security/privacy incident response protocol (for any sort of breach, including malware)
Any breach reported to and detected by Triggerise will be reported immediately to the Data Security Officer and/or other designated staff, who will take immediate steps to remove access to the information in question until the breach is resolved. In addition, the breach and the solution applied will be logged in a breach register. If any users are affected, they will be notified immediately with information on the breach and how to prevent any further security issues.
Security Review/ Audits
Triggerise holds audits every year to ensure an appropriate level of security in all of its infrastructure. These audits are performed by an external entity, accredited for this purpose, and encompass several layers of inspection ranging from server access, employees’ permissions and network security to data secrecy.
Code, database snapshots and other assets should be backed up routinely to external providers such as S3, and tests should be written to assert that the backup and restore work.
Periodic database snapshots are stored at Amazon Web Services. These are made at a rate that allows us to recover any lost data in case of an unplanned incident. These backups are stored under the same layer of security as the production database.
Changes to this policy
We may revise this Policy from time to time. The most current version of the policy will govern our use of your data and will always be at http://triggerise.org/privacy. By continuing to access or use our services after those changes become effective, you agree to be bound by the revised Policy. Should you have any questions about this policy, you can email us: hello[at]triggerise.org.