Zycus and GDPR
GDPR roles and definitions relating to Zycus:
Article 4 EU GDPR defines data controllers and data processors as below:
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
In other words, the data controller determines the purposes for which and the means by which personal data is processed and the data processor processes personal data only on behalf of the controller. The data processor is usually a third-party external to the company.
In general, the controller assumes responsibility for all personal data collected and must ensure that rights of the data subject and the controller’s own legal obligations are also covered by the processor.
The Data Processing Agreement is important so that both parties understand their responsibilities and liabilities. When it comes to Zycus, our customers are the data controllers when they use Zycus applications (the Source to Pay suite of procurement performance solutions). Zycus acts as a data processor on behalf of the customer under the Data Processing Addendum.
ZYCUS’ DATA PROCESSING AGREEMENT (DPA)
Zycus’ Data Processing Agreement terms are designed to ensure that processing carried out by a processor meets all the requirements of the GDPR (not just those related to keeping personal data secure). By having such a DPA in place with the required terms, we ensure that we are complying with the GDPR.
PREPARING FOR EUROPE’S BIGGEST EVER CHANGE TO DATA REGULATIONS – How Zycus is getting ready for GDPR
At Zycus we have state-of-the-art security to ensure that data from our prospects and customers is never compromised. We know that security is crucial to you; therefore, security is our top priority and is fundamental to the successful operation of Zycus. We devote significant resources to continually improving our world-class security infrastructure. The result: unsurpassed security and privacy for our customers’ information.
Standards and Specifications
Zycus relies on SSAE 16 and SOC 1 & SOC 2 Type II audits and reports to build trust and confidence. The SOC 1 Type II report provides reasonable assurance over the effectiveness of the controls at Zycus that are directly or indirectly relevant to our customers’ financial reporting, and the SOC 2 Type II report provides reasonable assurance over the controls that are relevant to the Trust Services Principles of Service Organization Control (security, availability and confidentiality). The SOC 2 Type II report also describes the operating effectiveness of these controls over the audit period and is the most comprehensive type of report. With our SOC 1 & SOC 2 audit reports, we can assure our customers that we meet the most demanding requirements for the security, availability and confidentiality of their information.
Key pointers surrounding GDPR pertaining to Zycus

Consent
Consent to obtain personal data is done through acceptance of Zycus’ privacy policy, which includes the purpose, the categories of personal data, and other relevant considerations.

Access to Data
Personal data can be accessed only by a user who has been authorized through Zycus’ authorization mechanisms.

Right to Rectification
Zycus provides the ability to edit or correct a customer’s personal data in the user profile during the contract period, so that a data subject’s request for rectification can be fulfilled.

Erasure of Data
Zycus deletes all customer data upon termination or expiry of the contract.

Authorization and Disclosure control
Customers can manage authorization, authentication and role-based access in Zycus’ solutions.

Privacy by Design and by Default
For the development of any feature, Zycus considers the GDPR requirements and standard security guidelines.

Data Breach Notification
In the event of a personal data breach, Zycus is obligated to notify the affected customer (the controller) without undue delay, and within 72 hours, so that the customer can meet its own notification obligations.

Subprocessor Compliance
Zycus ensures ongoing subprocessor compliance through its standard corporate purchasing processes, which include subprocessor contract vetting and assessment of security risks. This is in accordance with the DPA.

Transparency
Zycus keeps records of processing activities, as the GDPR requires of data processors, to help customers fulfil their own obligations.

Accountability
Zycus carries out the ongoing accountability activities on a continuing basis: regular risk assessments and security assessments of applications, networks, and IT infrastructure; documented security programs and policies; and regular security training.

Data Subject Rights
Zycus provides support to customers with privacy-related questions and assists them with any query about the security of personal information.

Personal Data Processing
- Zycus, as a cloud solution provider, implements the appropriate accountability and technical measures. This includes maintaining records of all processing activities and carrying out privacy impact assessments.
- Zycus abides by the Data Processing Addendum (DPA) as a significant part of the customer contract. These agreements incorporate data protection assurances to the customer, including standard contractual clauses.
- Zycus employees are required to complete data protection and privacy/security awareness training annually. This training covers privacy principles and security topics.
- Zycus solutions protect the confidentiality, integrity and availability of customer data and provide the accountability described above on an ongoing basis.