Role | Definition |
---|---|
Data Controller | A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Controllers make decisions about processing activities. |
Data Processor | A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller and under the instructions of the controller. |
Data Subject | Any living individual whose personal data is collected, held, or processed by an organization. |

Principles | Initiatives |
---|---|
Lawfulness, fairness, and transparency | Lawful: We gather data and process it with a valid legal basis which is vetted by our legal team. Fair: We process personal data in the best interest of the people, and the scope of our processing can be reasonably expected by the person. Transparent: We clearly communicate what, how, and why we process data and what role we play in the data lifecycle via our Privacy Notice on the website. It is written in clear, plain language that enables everyone to easily understand the scope and methods of our processing. We also enable our merchants to be compliant with the Transparency principle by enabling them to respond to Data Subject Rights Requests in a better, sustainable way via our Data Compliance APIs. |
Purpose limitation | We only process data for clear, defined purposes and have strict processes in place to avoid function creep or utilization of data in any other way than intended. We also verify on a periodic basis that our purposes are valid and essential to deliver services to our merchants and avoid any unnecessary processing. We maintain records of our purposes via RoPA to ensure compliance with Purpose Limitation. |
Data minimization | We ensure and evaluate that we gather only essential personal data that we need to deliver the service. In other words, we only gather and process the exact amount of data that is needed. |
Accuracy | We as a data processor take reasonable measures to ensure that the personal data we are processing is correct and up to date by employing various security and privacy-centric principles: • Access Control (maker and checker system) • Encrypted communication channels • Encryption of data during transmission and storage • Automated Backups |
Storage limitations | We ensure that we get defined retention period requirements from our merchants so we do not end up storing data that is no longer of use for the purpose it was intended. We have implemented a process for destroying data in a secure way that helps us ensure that the data no longer needed is really removed and not still stored on a device or in the cloud, where it could be a potential security risk. |
Integrity and confidentiality | We have developed, implemented, and maintain effective information security and privacy policies and procedures that include administrative, technical, and physical safeguards designed to: • Ensure the security and confidentiality of confidential information and systems provided • Protect against anticipated threats or hazards to the security or integrity of such confidential information and systems • Protect against unauthorized access or use of such confidential information and systems. We employ various security measures to ensure that the integrity and confidentiality of data is maintained throughout the lifecycle of the data: • Restriction of access to data (need-to-know principle) • Encryption of PII • Implementing a data retention policy • Antivirus programs • Firewalls • Intrusion detection systems • Multi-factor authentication • Software updates • Cyber Security and Privacy awareness trainings • Non-Disclosure Agreements with our employees, merchants, and vendors |
Accountability | We abide by this principle by taking responsibility for our data processing. It means that we, the data processor, are accountable for the proper processing of personal data and compliance with the rules of the GDPR, and we ensure that the responsibilities on each side (controller and processor) are captured in our agreements/DPAs with all our merchants. |

Standards | Significance |
---|---|
ISO/IEC 27001:2013 (Upgrading to ISO 27001:2022 during 2024) | ISO/IEC 27001 is the international standard for information security. It sets out the specification for an effective ISMS (information security management system). ISO 27001’s best-practice approach helps us manage our information security by addressing people, processes, and technology. This certification signifies our establishment of a robust Information Security Management System (ISMS) and the mastery of a comprehensive suite of controls to ensure the highest level of data protection. |
SOC 2 Type 1 and 2 | System and Organization Control 2 is a security framework that specifies how we should protect customer data from unauthorized access, security incidents, and other vulnerabilities. Type 2 controls examine how well our system and controls perform over a period of time (typically 3-12 months). |
PCI DSS v3.2.1 (Certification under process for PCI 4.0) | PCI DSS is one of the stringent compliance requirements for entities that process, store, or transmit credit card information to maintain a secure environment. It sets out the necessary framework for developing complete payment card data security systems and processes that encompass prevention, detection, and appropriate reaction to security incidents. This accomplishment marks a significant milestone in our commitment to safeguarding sensitive cardholder data and ensuring the highest level of security for our merchants. |

Sub-processor | Purpose | Hosted Region |
---|---|---|
AWS | Cloud processing of user data and merchant data | Global server (US); EU Data Residency server (EU) |
Slack | Merchant communication | US |
Google Workspace | Merchant communication and documentation | US |