Data Protection Policy
Sum & Substance (hereinafter – the Company) as a software as a service business takes its responsibilities with regard to the management of the requirements of the EU GDPR very seriously.
This document provides the policy framework through which effective management of Data Protection matters can be achieved.
This Policy is addressed to the Company’s clients as well as to those individuals who will provide their personal data for processing (hereinafter – Data Subjects).
The Company is a Processor of personal data under Article 28 of the EU GDPR and is engaged by the Company’s client (hereinafter – the Controller) to process personal data on the Controller’s behalf for the agreed purpose, established in a separate data protection agreement. In certain cases the Company may serve as the Data Controller under Article 24 of the EU GDPR.
The Company confirms that the personal data are submitted by the Data Subjects directly to the Company’s servers located in the EU, so that our corporate clients outside the EU and EEA would not need to have access to the personal data of the Data Subjects unless it is necessary under applicable laws.
Scope of the Policy
The purpose of this policy is to ensure that Sum & Substance’s staff comply with the provisions of English law and the EU GDPR when processing personal data. Any infringement will be treated seriously and may be considered under disciplinary procedures.
The company adheres to the principles of data protection as laid down by the EU GDPR. In accordance with those principles personal data shall be:
- Processed fairly and lawfully and in a transparent manner in relation to the data subject;
- Processed for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Not kept longer than necessary;
- Processed in a manner that ensures appropriate security of the personal data;
- Not transferred outside the countries of the European Economic Area or the EU without adequate protection.
[a] Sum & Substance’s responsibilities
Sum & Substance is responsible for establishing policies and procedures in order to comply with the EU GDPR. The key person in this area is our Data Protection Officer, whose contact info is available at: https://sumsub.com/about-us/.
[b] Data Protection Officer’s responsibilities
The Data Protection Officer is responsible for:
- drawing up guidance and promoting compliance with this policy in such a way as to ensure the easy, appropriate and timely retrieval of information;
- the appropriate compliance with subject access rights and ensuring that data is processed in accordance with the Data Protection Act 2018 and the EU GDPR;
- ensuring that any data protection breaches are swiftly resolved, catalogued and reported appropriately;
- investigating and responding to complaints regarding data protection including requests to cease processing personal data.
[c] Staff responsibilities
Staff members who process personal data must comply with the requirements of this policy. Staff members must ensure that:
- all personal data is kept securely;
- no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
- any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Protection Officer;
- any data protection breaches are swiftly brought to the attention of the Governance Team, and that they support the Data Protection Officer in resolving breaches;
- where there is uncertainty around a data protection matter, advice is sought from the Data Protection Officer.
[d] Third-Party Processors
Where external companies are used to process personal data on behalf of Sum & Substance, responsibility for the security and appropriate use of that data remains with Sum & Substance. Where a third-party processor is used:
- a third-party processor may be chosen only when it provides sufficient guarantees about its security measures to protect the processing of personal data;
- reasonable steps must be taken to ensure that such security measures are in place;
- a written contract establishing what personal data will be processed and for what purpose must be set out;
- a data processing agreement must be signed by both parties.
Specific measures to ensure data protection
The company shall carry out the following specific measures to ensure data protection:
- Any personal data storage or processing shall be made on the basis of respective Service Agreements, Non Disclosure Agreements and Data Processing Agreements compliant with the EU GDPR;
- The Company uses a specially designed API interface (so-called IFrame) that makes it possible to submit the data directly to the Company’s secure servers;
- The personal data accepted by the Company is always securely stored on servers located in secure European data centres with a security level of no lower than Tier 3;
- All information gathered undergoes anonymization/pseudonymization and hashing;
- The Company undertakes to preserve the personal data as long as it is necessary for the clients under applicable laws;
- All persons dealing with personal data shall be officially authorized and must undergo background checks and special periodical training;
- The Company shall undergo data protection and security audits conducted by a leading international expert institution;
- The Company shall not disclose any biometric information that is provided to it;
- The Company shall not accept for processing or storage the personal data of children;
- As a rule, the Company does not transfer the personal data to, or provide access to it from, countries outside the EU and the EEA;
- Where applicable, the Company complies with certain Asian data protection laws that require abstaining from collecting and processing resident registration numbers, passport numbers and some other data; in particular, the Company’s technological solution automatically hides the relevant zones on identity documents of the nationals of certain Asian countries.
The Company works to prevent any unauthorised physical access, damage and interference to the Company’s information and information processing areas. In particular, the Company has established:
- removable media blocked company-wide;
- CCTV monitoring;
- enforced entry controls into our premises;
- defined secure areas for authorised personnel;
- physical protection of hardware against natural disasters, malicious attack or accidents.
Software and network security
The Company conducts regular vulnerability scans of its full infrastructure. We also have external, independent penetration tests conducted on a periodic basis.
- Our dashboard supports several confidentiality modes, so that our clients can monitor the status of processing without learning any personal data of their customers.
- Code changes are always peer reviewed and static source code reviews are performed systematically and at a high frequency.
- All engineering and development operations staff are regularly trained on system, application and network security.
- Our IT and container infrastructure is continuously monitored and audited for change.
- Critical systems and information are protected with strong authentication mechanisms.
- All network connections are protected by firewalls and are monitored by cyber security solutions to detect intrusions and suspicious activity.
- Machine learning is used to discover malicious behaviour of network endpoints and applications.
- All our computers, laptops and servers utilise full disk/volume encryption and are installed with antivirus/malware protection which is automatically updated to the latest version and signatures available.
- All user information is encrypted using AES-256 at rest as well as in transit.
Data protection breaches
Where a Data Protection breach occurs, or is suspected, it should be reported immediately to the Data Protection Officer or the CEO. The report should include full and accurate details of the incident including who is reporting the incident and what classification of data is involved.
Data subjects’ rights
Each Data Subject providing his/her personal data to the Company has the following rights that the Company fully respects:
- Right to obtain confirmation as to whether or not his or her personal data are being processed (Article 15 EU GDPR);
- Right to obtain rectification of inaccurate personal data without undue delay (Article 16 EU GDPR);
- Right to erasure of personal data, or the “right to be forgotten” (Article 17 EU GDPR);
- Right to restrict data processing, in particular when the accuracy of the data is contested (Article 18 EU GDPR);
- Right to receive communications as to rectification or erasure of personal data or restriction on processing (Article 19 EU GDPR);
- Right to receive personal data in the form that is machine-readable and ready for transmission to another controller (Article 20 EU GDPR);
- Right to object to data processing (Article 21 EU GDPR);
- Right not to be subject to a decision based solely on automated processing (Article 22 EU GDPR).
The data that we collect
The Company usually collects the following personal data:
- name and surname,
- passport or any identity card data,
- registered address,
- banking details,
- facial image.
The purposes for which we collect the data
The Company collects and processes the personal data for the purpose of identification and client diligence compliance in accordance with the laws governing the intended business relationship (KYC and AML compliance).
The Company subjects the personal data to automated reading, verification of authenticity and other automated processing of photos and scanned copies of documents, followed by checks against the data in multiple databases, including inter alia international politically exposed persons (PEPs) and sanctions lists, country-specific sanctions lists, criminal lists and financial lists.
Once the personal data is no longer necessary for the purposes of the applicable compliance rules, the Company shall erase the data completely from its servers without leaving any backup copies or, under the same condition, transfer the data to the relevant Controller.
Consent to personal data processing
The Company always collects and processes the personal data based upon the Data Subjects’ free and informed consent, given in an explicit manner. The current text of the consent is available here:
This Policy is constantly reviewed and revised in order to provide the best compliance with the EU GDPR and applicable national laws.
If you have any request or complaint regarding the above, or you want to exercise any of the rights granted to you by applicable laws, please contact us at [email protected]. Our technical and legal support works 24/7 and will respond promptly.