i-nexus is committed to preserving the confidentiality and integrity of all information it holds and processes and to operating its business in compliance with the requirements of relevant Data Protection Laws and Regulations.
We recognize the importance of Personal Data and of respecting the privacy rights of individuals. This Data Protection & Security Policy (“Policy”) sets out the principles which we apply to our Processing of Personal Data and use of Confidential Information and our commitment to safeguard one of the most valuable assets which belong to our Customers.
This Policy supplements the i-nexus data processing addendum and describes i-nexus’ approach to ensuring the privacy and security of the Customer Data, including the technical and organizational measures adopted by i-nexus which are applicable to the i-nexus products and Services.
Any questions about this Policy should be raised with the Data Officer whose details are at the end of this Policy.
The following key words and phrases are used within this Policy:
| “Confidential Information” | means all confidential information disclosed by the Customer to i-nexus whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information (including Personal Data); |
|---|---|
| “Customer Data” or “Data” | means all electronic data or information submitted by or on behalf of the Customer including data submitted through an API and, where the context so admits, the content and or form/appearance of any document templates created by Customer in the course of using the Services; |
| “Data Controller” | means the entity which determines the purposes and means of the Processing of Personal Data; |
| “Data Processor” | means the entity which Processes Personal Data on behalf of the Controller; |
| “Data Protection Laws and Regulations” | means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states and the United Kingdom, applicable to the Processing of Personal Data as part of the Services; |
| “Data Subject” | means the identified or identifiable person to whom Personal Data relates; |
| “GDPR” | means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); |
| “Personal Data” | means any information relating to an identified or identifiable natural person where such data is Customer Data. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; |
| “Processing” | means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; |
| “Services” | means: (i) access to the relevant i-nexus solutions provided via Customer’s login link at the i-nexus website or another designated web site or IP address; and/or (ii) ancillary online or offline products and services provided or licensed to Customer by i-nexus. |
Under the Data Protection Laws and Regulations, Personal Data must be processed in accordance with certain data protection principles, under which Personal Data must:
i-nexus ensures it employs appropriate technical and organizational measures to adhere to these principles.
The purposes for which we use your information and the legal basis under the Data Protection Laws and Regulations on which we rely to do this are explained below.
We may use and process your Personal Data where you have consented for us to do so for the following purposes:
You may withdraw your consent for us to use your information in any of these ways at any time by using the unsubscribe automated link included at the bottom of i-nexus marketing emails. Alternately please send an email to info@i-nexus.com, putting OPTOUT in the title.
We may use and process your Personal Data where it is necessary for us to pursue our legitimate interests as a business, or that of a third party, for the following purposes:
We will use your Personal Data to comply with our legal obligations: (i) to assist a public authority or criminal investigation body; (ii) to identify you when you contact us; (iii) to send you any required information if you are a shareholder, and/or (iv) to verify the accuracy of data we hold about you.
i-nexus will Process Personal Data as necessary to perform the i-nexus services and as further instructed by the Customer in its use of the Services, as a Data Controller. This shall include automated processing of Personal Data to evaluate and analyze certain personal aspects relating to the Data Subject, in particular to analyze or predict aspects concerning that Data Subject’s personal preference, interests, behaviour and location.
Customer may submit Personal Data to the i-nexus services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
Customer may submit, or allow collection of, Personal Data in the use of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
The Services are operated in a multitenant architecture that is designed to segregate and restrict Customer Data storage and access based on business needs. The architecture provides an effective logical data separation for different Customers via Customer-specific unique IDs and allows the use of customer and user role based access privileges. Additional data segregation is ensured by providing separate environments for different functions, especially for testing and production.
i-nexus has implemented procedures designed to ensure that Customer Data is processed only as instructed by the Customer, throughout the entire chain of processing activities by i-nexus and its sub-processors. Additionally, the Services undergo security assessments by internal personnel and third parties, which include infrastructure vulnerability assessments and application security assessments.
i-nexus adopts a number of security controls, which include:
i-nexus, or an authorized independent third party, will monitor the Services for unauthorized intrusions using network-based intrusion detection mechanisms.
All i-nexus systems used in the provision of the Services, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems) in order to facilitate security reviews and analysis.
i-nexus maintains security incident management policies and procedures. i-nexus notifies impacted Customers without undue delay of any unauthorized disclosure of their respective Customer Data by i-nexus or its agents of which i-nexus becomes aware to the extent required by Data Protection Laws and Regulations.
Access to the Services requires a valid user ID and password combination (or via integrated Single Sign-On mechanism), which are encrypted via TLS while in transmission, as well as machine specific information for identity validation as described under “Security Controls,” above. Following a successful authentication, a random session ID is generated and stored in the user’s browser to preserve and track session state.
Production data centers used to provide the Services have access control systems. These systems permit only authorized personnel to have access to secure areas. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around the-clock guards, two-factor access screening, including biometrics, and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure.
All infrastructure components are configured in a high availability mode or in a redundant fashion. All Customer Data submitted to the Services is stored on infrastructure that supports high availability and is backed up on a regular basis. This backup data is retained for at least 24 weeks. Backups are transmitted and stored in encrypted form and held in a secondary data center region at least 100 miles from the primary region.
The Services’ production systems are protected by disaster recovery plans which provide for backup of critical data and services. A comprehensive system of recovery processes exists to bring business-critical systems back online within the briefest possible period of time. Recovery processes for database security, systems administration, and network configuration and data provide a roadmap for personnel to make processes available after an outage. The Services’ disaster recovery plans currently have at least the following standard target recovery objectives: (a) restoration of the Services (RTO) within 132 hours after i-nexus’ declaration of a disaster; and (b) maximum Customer Data loss (RPO) of 72 hours; excluding, however, a disaster or multiple disasters causing the compromise of multiple data centers at the same time, and excluding development and test bed environments, such as the sandbox service.
The Services have controls in place that are designed to prevent and detect the introduction of viruses to the Services’ respective platforms.
The Services use, or enable Customers to use, industry-accepted encryption products to protect Customer Data and communications during transmissions between a Customer’s network and the Services, including 128-bit TLS Certificates and 2048-bit RSA public keys at a minimum.
During the contract term, Customers may export a copy of Customer Data processed by the Services. Within 30 days of termination of the applicable Service, Customers may: 1) request return of Customer Data submitted to the Services; or 2) access their account to export or download Customer Data submitted to Services.
After termination of the Service, following the 30-day period for return of Customer Data, Customer Data submitted to the Services is retained in inactive status for up to 90 days, after which it is securely overwritten or deleted except for any Customer Data that is required to be retained for example as part of invoicing records for HMRC purposes or as part of a contractual requirement.
i-nexus may track and analyze the usage of the Services for purposes of security and helping i-nexus improve both the Services and the user experience in using the Services. For example, we may use this information to understand and analyze trends or track which of our features are used most often to improve product functionality.
i-nexus may share anonymous usage data with i-nexus’ service providers for the purpose of helping i-nexus in such tracking, analysis and improvements. Additionally, i-nexus may share such anonymous usage data on an aggregate basis in the normal course of operating our business; for example, we may share information publicly to show trends about the general use of our Services.
Additionally, i-nexus uses Customer Data consisting of data and metrics derived from Customer’s websites and social accounts with third party social platforms, such as geographic location, time of day of use, greatest period of use by industry, and other metrics including spend rates or click rates by geographic location and by industry to create an aggregated and anonymized data set (“Anonymized Data”). No Customer Data consisting of personally identifiable information is contained in the Anonymized Data, nor any data that would identify Customers, their users, Customers’ clients, or any individual, company or organization. I-nexus combines the Anonymized Data with that of other customers to create marketing reports and to provide product features.
i-nexus and its affiliates have entered into written agreements with their sub-processors containing privacy, data protection, and data security obligations that provide a level of protection appropriate to their processing activities.
i-nexus utilizes the services of the following sub-processors to provide part of the i-nexus infrastructure to host Customer Data and provide the Services:
The GDPR requires that Personal Data must not be transferred to a country or territory outside the European Economic Area (i.e. the member states of the EU plus Iceland, Liechtenstein and Norway), unless that country or territory or organization ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
Subject to paragraph 3.20, where the Customer entity and the i-nexus entity are based inside the EEA, i-nexus shall not transfer Personal Data to any country outside of the EEA without prior written consent from the Customer, except for transfers to and from: (i) any country which has a valid adequacy decision from the European Commission; or (ii) any organization which ensures an adequate level of protection in accordance with the applicable Data Protection Laws and Regulations.
You have a number of rights in relation to your Personal Data under Data Protection Laws and Regulations. In relation to certain rights to access your Personal Data, we may ask you for information to confirm your identity and, where applicable, to help us to search for your Personal Data. Except in rare cases, we will respond to you within one month from either (i) the date that we have confirmed your identity or (ii) where we do not need to do this because we already have this information, from the date we received your request.
Accessing your Personal Data
You have the right to ask for a copy of the information that we hold about you by emailing or writing to us at the address at the end of this policy. We may not provide you with a copy of your Personal Data if this concerns other individuals or we have another lawful reason to withhold that information.
Correcting and updating your Personal Data
The accuracy of your information is important to us and we are working on ways to make it easier for you to review and correct the information that we hold about you.
In the meantime, if you change your name or address/email address, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us using the details described at the end of this policy.
Withdrawing your consent
Where we rely on your consent as the legal basis for processing your Personal Data, as set out under, you may withdraw your consent at any time by contacting us using the details at the end of this policy. If you would like to withdraw your consent to receiving any direct marketing to which you previously opted-in, you can do so using the unsubscribe automated link included at the bottom of i-nexus marketing emails. Alternately please send an email to info@i-nexus.com, putting OPTOUT in the title.
If you withdraw your consent, our use of your Personal Data before you withdraw is still lawful.
Objecting to our use of your Personal Data and automated decisions made about you
Where we rely on your legitimate business interests as the legal basis for processing your Personal Data for any purpose(s), you may object to us using your Personal Data for these purposes by emailing or writing to us at the address at the end of this policy. Except for the purposes for which we are sure we can continue to process your Personal Data, we will temporarily stop processing your Personal Data in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your data.
Erasing your Personal Data or restricting its processing
In certain circumstances, you may ask for your Personal Data to be removed from our systems by emailing or writing to us at the address at the end of this policy. Unless there is a reason that the law allows us to use your Personal Data for longer, we will make reasonable efforts to comply with your request.
You may also ask us to restrict processing your Personal Data where you believe it is unlawful for us to do so, you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings. In these situations we may only process your Personal Data whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.
Transferring your Personal Data in a structured data file
Where we rely on your consent as the legal basis for processing your Personal Data or need to process it in connection with the Services, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine readable form, such as a CSV file.
You can ask us to send your Personal Data directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your Personal Data if this concerns other individuals or we have another lawful reason to withhold that information.
Complaining to the UK data protection regulator
You have the right to complain to the Information Commissioners Office (ICO) if you are concerned about the way we have processed your Personal Data. Please visit the ICO’s website for further details.
i-nexus will keep Confidential Information (which of course extends beyond Personal Data) it receives confidential in accordance with the relevant agreement between the Customer and i-nexus and, except with the prior written consent of the Customer or as permitted in the relevant agreement, will:
In each of i-nexus’ offices and internal departments, we have appointed “Data Owners” who are locally responsible for ensuring that employees within their department or area receive appropriate training and are working in compliance with this Policy. The Data Owners undertake regular assessments of Data types and ensure that the right levels of protection are in place.
i-nexus has appointed an overall Data Officer who is responsible for:
If you have any queries regarding this Policy, please contact our Data Officer by email at dataofficer@i-nexus.com
This Policy will be updated from time to time by the Data Officer to reflect any changes in legislation or in our methods or practices. The current issue of the Policy will be available from our website at i-nexus.com or from our Data Officer.
We recommend you regularly check for changes and review this policy whenever you visit our website. If you do not agree with any aspect of the updated policy you must immediately notify us and cease using our Services.
