Privacy at Wingify
Wingify believes privacy is a fundamental human right. We are committed to providing you with products, information, and controls that allow you to choose how information is processed, collected and used.
1. Protecting your information is our highest priority
When you use Wingify’s VWO Services, you trust that the privacy of your information will be protected and that it will only be used in a way that’s consistent with your expectations.
Our time-tested approach to privacy is grounded in our commitment to give you control over the collection, use, and distribution of your customer data. We are transparent about the specific policies, operational practices, and technologies that help ensure the privacy of your data in Wingify’s VWO Services.
2. Our commitment to GDPR
As part of our commitment to privacy, we made a number of investments and improvements to our data handling practices to support GDPR and the privacy rights of individuals. Learn more
3. Our commitment to CCPA
As part of our commitment to privacy, we made a number of investments and improvements to our data handling practices to support CCPA and the privacy rights of individuals. Learn more
4. Built-in privacy
The Security Development Lifecycle (SDL) and Privacy Policy provide additional details on our development process and transparent approach to keeping your data private.
Wingify Security Development Lifecycle (SDL): Privacy requirements are defined and integrated into the SDL, the software development process that helps developers build more secure products and services. The SDL consists of a set of practices that support security assurance and compliance requirements which help address data protection and privacy requirements including effective privacy reviews of each release of a Wingify product or service. The Wingify SDL introduces security and privacy considerations throughout all phases of the development process.
The VWO Privacy Policy puts our commitment in writing and details Wingify’s data protection policies and practices in clear and straightforward language.
5. Wingify’s contractual commitments back our privacy best practices
Wingify makes broad contractual commitments to businesses in our Terms and Conditions. Wingify will use customer data only to provide the services agreed upon, and for purposes compatible with providing those services. We do not use customer data or derive information from it for advertising.
Furthermore, we will not disclose the customer data processed in Wingify services to a government agency, unless required by law. If law enforcement demands customer data, we will attempt to redirect the agency to request that data directly from the customer. If we are compelled to disclose customer data to law enforcement, we will promptly notify the customer and provide a copy of the demand, unless legally prohibited from doing so.
6. Our Privacy Management Principles & Controls
As mentioned above in Our beliefs, we are committed to privacy and data protection of individuals and customers. This is especially important as technology progresses and privacy laws evolve.
In support of the Security & Privacy by Design initiative, a volunteer effort created the Wingify Security & Privacy Management Principles. These Principles provide a robust framework for building and maintaining secure systems, applications, and services that address cybersecurity and privacy considerations by default and by design.
Comparing global privacy control frameworks was complicated. We identified a dozen of the leading privacy frameworks and created a set of comprehensive privacy management principles, the Privacy Control Framework Principles. This is a subset of the Wingify Security & Privacy Management framework that is tailored for privacy and is intended to help us design, build and maintain processes, systems, and applications that include both cybersecurity and privacy principles by default. The table below shows how our Privacy Management Principles meet the control requirements for SOC 2, APEC, CCPA, EU GDPR, FIPPs, PIPEDA, GAPP, ISO 29100, NIST 800-53 Rev 4, etc.
We adopted these principles to guide our products, our processes, and our people in keeping our Customers’ and Visitors’ information private, safe and secure.
This will help us address multiple requirements since it brings a common integrated approach to privacy requirements like accountability, transparency & clarity.
The sixty-four (64) principles of the Privacy Management Principles are organized into ten (10) domains. The table below lists each privacy principle that we adhere to, along with Wingify’s implementation status for each of them. This makes sure you get meaningful choices about how and why information is collected, processed and used, and that you have all the information you need to make the choices that are right for you across our products and services.
6.1 Privacy by Design
Establish and maintain a comprehensive privacy program that ensures privacy considerations are addressed by design in the development of policies, standards, processes, systems, applications, projects and third-party contracts.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.1.1 |
Assigned Responsibilities |
Assign accountability through documented roles and responsibilities to qualified individuals for maintaining compliance with all applicable privacy requirements that involve appropriately monitoring and documenting the privacy program. |
Wingify has appointed a Data Protection Officer and assigned responsibilities to liaise on matters of information security, data protection and compliance, and to oversee the security and compliance of PII, company IP, etc. for Wingify, in line with data protection law and local law(s). |
6.1.2 |
Policies, Standards & Procedures |
Ensure appropriate policies, standards and procedures exist to operationalize the privacy program. |
Wingify follows the ISO 27001:2013 standard control framework as a baseline, cross-mapping controls with ISO 27701, PCI DSS, CSA, SOC 2, GDPR, CCPA and HIPAA, and is certified against the ISO 27001 and ISO 27701 standards. Wingify has an integrated Information Security & Privacy management policy in place. Refer to https://wingify.com/information-security-policy for more details. |
6.1.3 |
Periodic Review |
At planned intervals or after significant changes, policies, standards, and procedures are reviewed to ensure continuing suitability, adequacy, and effectiveness to meet the organization’s applicable statutory, regulatory and contractual needs. |
Wingify has established the Corporate Security & Compliance Committee (CSCC), comprising workforce members who are knowledgeable in legal cross-regulation, policy, product and IT, to ensure confidentiality, privacy, and security as required by applicable law. The CSCC meets on a quarterly basis to discuss and review concerns that arise during the quarter. Wingify runs Vulnerability Assessment Penetration Testing (VAPT) on an annual basis through a third-party service provider and performs quarterly security audits for all production environment systems. |
6.1.4 |
Oversight |
Provide oversight of privacy controls throughout the lifecycle of systems, applications, and services to ensure that in a timely manner, senior leaders within the organization are made aware of privacy-related risks that are not appropriately remediated. |
As mentioned above in #1.3, the CSCC ensures that overall controls are in place. The CSCC is headed by the CEO and includes members from various departments. |
6.1.5 |
Management Visibility |
Provide performance metrics and trend analysis to enable management visibility and coordinate privacy efforts across the organization. |
Yes, as mentioned in #1.1, the DPO provides overall visibility to the CEO and to top and senior management on a regular basis. |
6.1.6 |
Compliance |
Oversee the execution of privacy controls with appropriate evidence of due care and due diligence, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions. |
Yes, Wingify adheres to all applicable law(s) and regulatory and contractual controls are in place. Also, we don’t knowingly collect any personal information from children under the age of 13. Refer to our Privacy Policy for more details. |
6.1.7 |
Data Classification |
Classify data according to the sensitivity and type of personal data as defined by appropriate statutory, regulatory and contractual contexts. |
Wingify has a robust data & assets classification mechanism in place that ensures categorization in accordance with applicable law(s), regulatory & contractual requirements only. |
6.1.8 |
Registering Databases |
Register applicable databases containing personal data with the appropriate Data Authority, when required. |
Wingify has created a Personal Data Inventory and Data Flow in accordance with all applicable law(s) and regulatory requirements. We also maintain a ROPA (Record of Processing Activities) as defined in Article 30 of GDPR. |
6.1.9 |
Resource Planning |
Identify and plan for resources needed to operate a privacy program and include privacy requirements in solicitations for technology solutions and services. |
Yes, Wingify has implemented a robust Privacy Program which comprises a DPO, a core privacy team and departmental-level DPRs (data protection representatives), and facilitates regular training for them. |
6.1.10 |
Inventory of PI |
Maintain an inventory of both the type of personal data and specific data elements, as well as the systems, applications, and processes that collect, create, use, disseminate, maintain, and/or disclose that personal data. |
Yes, as mentioned above, Wingify has established and maintains the Personal Information Inventory & Flow, which covers the whole information lifecycle from entry to exit of information (collection, processing, storing, and deletion) and is reviewed and updated on an annual basis. |
6.1.11 |
Privacy Training |
Provide recurring privacy awareness and training for all employees and contractors. |
Yes, Wingify has established a robust privacy program which includes an awareness and training program for all workforce members. Mandatory Privacy & Security Awareness training is provided to all workforce members on an annual basis. Workforce members who access any system for processing, storing or transmitting personal information or sensitive information are formally trained in data handling requirements prior to being authorized to access the system. |
6.2 Data Subject Participation
Individuals are directly involved in the decision-making process regarding the fair and lawful processing of the individual’s personal data and, to the extent practicable, directly-engaged to receive explicit permission to use their personal data.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.2.1 |
Clear Choices |
Provide clear and conspicuous choices that enable an individual, or a person authorized by the individual, to permit or prohibit the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of the individual’s personal data. This is also referred to as the right to “opt-out.” |
Refer to Privacy Policy which clearly mentions all privacy attributes and management practices in detail such as how we collect, process information, how to exercise data protection rights, retention, etc. Note: Wingify provides Services primarily intended for use by organizations. Where the VWO Services are made available to Users through an organization (such as your employer), that organization is responsible for administering the accounts over which it has control. If this is the case, please direct your information privacy and security questions and requests to your administrator. We are not responsible for the privacy and security practices of your administrator’s organization, which may be different than VWO policy. When our Customers use VWO Services as part of their own websites, apps, and services, they are responsible for their own privacy and security practices. |
6.2.2 |
Initial Consent |
Prior to the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of the individual’s personal data, the knowledge and consent of the individual are required. |
Yes, Wingify is committed to providing Services with information, controls and transparency that allow users to choose to opt in or opt out. We may ask for consent as a legal basis for information processing to collect, use and share personal information. Refer to the sections “Legal basis for processing” and “Notice to Users of Our Customers and End Users of the Services” of the VWO Privacy Policy for more details. |
6.2.3 |
Updated Consent |
Based on changes to privacy practices that affect the parameters of an individual’s initial consent, the updated consent of the individual is required to continue the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of the individual’s personal data. This is also referred to as the right to “opt-out” at any time after the initial consent was provided. |
Processing is based on your consent. Where we rely on Your consent, You have the right to withdraw it at any time by sending a request to support@vwo.com with the word “Opt-out” or “UNSUBSCRIBE” in the subject field of the email. Note: Even after You opt out from receiving promotional messages from us, if You have any account for VWO Services, we will still send You non-promotional communications, like service-related emails. |
6.2.4 |
Equal Service & Price |
Implement business processes to protect the right of data subjects to equal service and price, even if they exercise their privacy rights. |
Yes, as mentioned above in #1.6, Wingify is committed to and adheres to all applicable law(s) relevant to the Services, and regulatory and contractual controls are in place. Refer to the Privacy Policy for more details. |
6.2.5 |
Prohibit The Sale of Personal Data |
Provide a clear and conspicuous link on the organization’s Internet-based homepage, titled “Do Not Sell My Personal Information” that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal data. |
We do not “sell” our customers’ personal information to anyone, meaning that we also do not rent, disclose, release, transfer, make available or otherwise communicate that personal information to a third party for monetary or other valuable consideration. Refer to section “Privacy Commitment” of VWO Privacy Policy for reference. |
6.3 Limited Collection & Use
Ensure that the design of information collection is consistent with the intended use of the information, and the need for new information is balanced against any privacy risks.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.3.1 |
Authority to Collect |
Identify the authority given to collect, create, use, disseminate, maintain, and/or disclose an individual’s personal data. Document the authority in the organization’s privacy notice. |
Yes, refer to the VWO Privacy Policy. |
6.3.2 |
Data Minimization |
Take steps to minimize the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of the individual’s personal data to what is directly relevant and necessary to accomplish a legally authorized purpose. |
Yes, Wingify has established a Privacy Impact Assessment and Privacy Risk Treatment (PIA & PRT) exercise which is conducted on an annual basis and validated by an external third party auditor. |
6.3.3 |
Internal Use |
Restrict the internal use of personal data to only the authorized purpose(s) that are consistent with the stated privacy notice. |
Wingify has adopted the principle of least privilege and role-based access provisioning across all information systems; this is our by-design and by-default approach. Wingify has an Information Retention, Archive, and Retention/Disposal Policy and Procedure in place which is consistent with applicable laws and clearly defines ownership and accountability, access, use, storage location, etc. of information, and the same is validated by an external third-party auditor on an annual basis. |
6.4 Transparency
Provide a transparent notice to the public about privacy practices through a clear and conspicuous notice on all organizational websites, mobile applications, and other digital services regarding the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of personal data.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.4.1 |
Notice & Purpose Specification |
Provide notice of the specific purpose(s) for which personal data is collected, created, used, disseminated, maintained, retained and/or disclosed. |
As a controller, Wingify clearly describes information collection and its usage in its Privacy Policy. This policy is updated on an annual basis, and individuals are notified of the update by email. |
6.5 Data Lifecycle Management
Limit the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of personal data to that which is legally authorized, relevant, and deemed “reasonably necessary” for the proper performance of business functions.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.5.1 |
Data Flow Mapping |
Maintain a record of processing activities that document the flow of personal data that includes: – Geographic locations and third-parties involved in the storage, transmission and/or processing of personal data; – Contact details of the controller(s) involved in the storage, transmission and/or processing of personal data; – The purposes of the storage, transmission, and processing; – A description of the categories of data subjects and personal data; – Where possible, the time limits for erasure of the different categories of data; and – Where possible, a description of the cybersecurity and privacy measures of the data controller. |
As mentioned above in section #1.8, Wingify has a robust Data Inventory and Data Flow document in place as per Article 30 requirements under the EU GDPR and applicable laws. We also maintain a Network Architecture Diagram that contains the details needed to assess the security of the networks and reflects the current state of network or information transmission. |
6.5.2 |
Retention of Personal Information |
Ensure that all records containing personal data are maintained in accordance with the organization’s records retention schedule and comply with applicable statutory, regulatory and contractual obligations. |
As mentioned above, Wingify maintains a ROPA (Record of Processing Activities), and an Information Retention, Archive, and Retention/Disposal Policy and Procedure is in place which clearly defines ownership and accountability, access, use, storage location, etc. of information; the same is validated by an external third-party auditor on an annual basis. This helps us adhere to all applicable laws. |
6.5.3 |
Secure Destruction of Personal Information |
Utilize secure methods to dispose of or destroy, both physical and digital media, that contains personal data. |
Wingify Customer data is hosted with a secure cloud data center service provider and is logically segregated by the VWO application, and a mechanism is already in place for de-identifying personal information. Wingify also follows NIST SP 800-88 Rev 1, Guidelines for Media Sanitization, for PII deletion and disposal of media. Refer to this link for more details. |
6.5.4 |
Geolocation Restrictions |
Restrict the location of processing, storage and service locations to comply with the privacy notice, as well as applicable statutory, regulatory and contractual obligations. |
As mentioned above, Wingify has established and maintains a Data Flow Diagram for personal information processing that clearly identifies where information is stored and located. We store or process personal information about Website visitors and Attendees within the United States and in other countries and territories to facilitate our global operations. Refer to the Sub-Processors utilized by Wingify for third-party processing, storage and service location details. Personal Information may be processed outside of the EEA and in countries that are not subject to an adequacy decision by the European Commission. In this event, Wingify will ensure that the recipient of personal information offers an adequate level of protection, for instance by entering into standard contractual clauses for the transfer of data as approved by the European Commission (Article 46 of the GDPR). |
6.5.5 |
Data Portability |
Provide the functionality to export personal data in a structured, commonly-used and machine-readable format that can be transferred to another controller without hindrance. |
Wingify has taken all the necessary and appropriate steps to protect and respect data subject rights and personal information. Wingify has a robust Data Subject Access Request (DSAR) Procedure and Process in place. We will provide information in a structured, commonly-used electronic format after submission of such requests by email to Note: We may request specific information from you to help us confirm your identity and process your request. |
6.5.6 |
Record of Disclosures |
Develop and maintain an account of personal data disclosures, that upon request, can be made available to the individual whose personal data was disclosed. |
Wingify keeps accurate information held in each system of records under its control, including the date, nature and purpose of the information of record, and the name and address of the person or agency to which the disclosure was made. Wingify retains the accounting of disclosures for the life of the record or as per applicable data protection laws, and makes the accounting of disclosures available to the person named in the record upon request by a data protection authority or as applicable. |
6.5.7 |
Integrity Protections |
Maintain the accuracy and relevance of personal data across the information lifecycle as personal data is collected, created, used, disseminated, maintained, retained and/or disclosed. |
Yes, Wingify confirms, to the greatest extent practicable upon collection or creation of personal information, the accuracy, relevance, timeliness and completeness of that information. Wingify collects personal information directly from the individual to the greatest extent practicable. Additionally, Wingify revalidates collected information by sending an email for VWO Services account creation. |
6.5.8 |
De-Identification |
Process personal data in such a manner that it is not attributable to a data subject through technical or organizational measures (e.g., anonymization, pseudonymization or data minimization). |
Wingify Customer data is hosted with a secure cloud data center service provider and is logically segregated by the VWO application, and a mechanism is already in place for de-identifying personal information. The following measures are in place: i. VWO Services does not collect, nor does it require, any sensitive information by default for its functioning. ii. VWO Services has also adopted a method where the UUID stored on the client side is pseudonymized using a one-way hash before being stored on its servers. iii. Any IP address intended to be stored is stored with anonymization of at least the last octet (configurable by a user up to complete anonymization). Refer to the VWO Privacy Center for more details. |
6.5.9 |
Quality Management |
Maintain quality assurances throughout the information lifecycle with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual. |
As mentioned above in section #5.7, Wingify has proper internal guidelines which ensure and maximize the quality, utility, objectivity and integrity of disseminated information. |
6.5.10 |
Flaw Remediation with Personal Information |
Identify and correct flaws related to personal data as it is collected, created, used, disseminated, maintained, retained and/or disclosed. |
Wingify has the following measures and processes in place: i. A Technical Vulnerabilities program. ii. A Software Development Life Cycle process which includes, but is not limited to, a system change control procedure, technical and security review of the application after any release or platform change, a robust information security & privacy weakness program (Responsible Disclosure Policy), etc. |
6.6 Data Subject Rights
Provide individuals with appropriate access to personal data.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.6.1 |
Inquiry Management |
Maintain a capability to receive and respond to privacy-related requests, complaints, concerns or questions from individuals. |
Wingify has taken all necessary and appropriate steps to protect and respect data subject rights and personal information. Wingify has a robust Data Subject Access Request (DSAR) Procedure and Process in place. We will provide information about our processing of Customer personal information and give Customers access to their personal information. Customers can submit these requests by email to Note: We may request specific information from you to help us confirm your identity and process your request. |
6.6.2 |
Updating Personal Information |
Provide individuals with appropriate opportunity to correct or amend their personal data. |
As a controller, Wingify provides the Right To Rectification, under which you, as the data subject, have the right to rectification of inaccurate personal information concerning you, including completion of incomplete personal information. Contact Wingify at support@vwo.com for any questions or to update your information. As a processor, upon instruction by the Controller, Wingify shall correct, rectify, or block Personal Information. Any request from a data subject directly to the Processor shall be directed to the Controller. |
6.6.3 |
Redress |
Provide individuals with appropriate opportunity to challenge the organization’s compliance with its privacy principles. |
As a controller, Wingify provides the Right To Object, which gives you, as the data subject, the right to object at any time to our processing of personal information concerning you. For example, if you have requested to receive information from us, e.g., newsletters, but do not wish to receive further information, you can easily opt out of receiving further information from us. Contact Wingify at support@vwo.com for any questions or to update your information. As a processor, upon instruction by the Controller, Wingify shall correct, rectify, or block Personal Information. Any request from a data subject directly to the Processor shall be directed to the Controller. |
6.6.4 |
Notice of Correction or Amendment |
Notify affected individuals when their personal data is corrected or amended. |
We will provide information about our processing of your personal information and give you access to your personal information. You can submit these requests by email to We may request specific information from you to help us confirm your identity and process your request. |
6.6.5 |
Appeal |
Provide individuals with appropriate opportunity to appeal an adverse decision to have incorrect personal data amended. |
Yes, you can submit these requests by email to support@vwo.com. |
6.6.6 |
Right to Erasure |
Provide individuals with appropriate opportunity to request the deletion of personal data where it is used, disseminated, maintained, retained and/or disclosed, including where the personal data is stored or processed by third-parties. |
As a controller, VWO provides Right To Erasure. Under certain circumstances, you have the right to the erasure of personal information concerning you. Contact Wingify at support@vwo.com for any questions or to update your information. As a processor, upon instruction by the Controller, VWO shall correct, rectify, or block Personal Information. Any request from a data subject directly to the Processor shall be directed to the Controller. |
6.7 Security by Design
Establish administrative, technical, and physical safeguards to protect personal data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.7.1 |
Cybersecurity Considerations |
Incorporate privacy requirements into enterprise architecture to ensure that risk is addressed so that the systems, applications and services achieve the necessary levels of trustworthiness, protection, and resilience. |
We back ourselves up with robust information security and privacy practices that form an integral part of our product engineering and services principles and follow security by design principles. We have top-down governance and security in our DNA, which lets us constantly wade through our threat vectors and calibrate to strengthen our security posture. That way, we align to the changing business and technology landscape. The following necessary measures are in place: i. Secure Engineering Principles guidelines. ii. A robust Software Development Life Cycle procedure and process which includes security and privacy by design practices in the specification, design, development, implementation, and modification phases of systems and services. |
6.7.2 |
Cryptographic Protections |
Ensure personal data is encrypted both at rest and in transit. |
Wingify has implemented best-practice cryptographic protection controls using trusted cryptographic technologies. i. All data flow (in transit) in data pipelines is encrypted using a secure channel like TLS 1.2. ii. Data at rest is encrypted using AES 256 standards (one of the strongest block ciphers available). |
6.7.3 |
Physical Protections |
Ensure physical security and environmental controls to provide appropriate protection for environments where personal data is stored, transmitted and/or processed. |
Wingify data centers are hosted in some of the most secure facilities available today in locations that are protected from physical and logical attacks as well as from natural disasters, such as earthquakes, fires, and floods. Physical security measures for these data centers include intrusion protection measures and security guards. We rely on third-party attestations of their physical security. Within our office premises, we employ a number of best industry-standard physical security controls. |
6.7.4 |
Embedded Technology |
Facilitate the secure implementation of embedded technologies so that the sensors minimize the collection of personal data and alert individuals to the personal data collected by those sensors. |
This is not applicable as of now. |
6.7.5 |
Retire Outdated Systems |
Upgrade, replace, or retire any system, application or service for which appropriate protections, commensurate with risk, cannot be effectively implemented. |
Wingify has a mechanism in place for all EUC (End User Computing), and all EUC replacement is done before the prescribed end of life, that is, within 3 years. We also have an intelligent defence mechanism in place (Carbon Black Defence) which helps us with any vulnerabilities with respect to any unsupported component in real time. |
6.7.6 |
Personnel Security |
Implement personnel management practices, covering employees, contractors and other entities, that ensure appropriate vetting and clearance to systems, applications and/or services that contain, store or transmit personal data. |
As mentioned above in section #1.11, Wingify has established a security program which includes an awareness and training program for all workforce members. Mandatory Security & Privacy Awareness training is provided to all workforce members on an annual basis. Workforce members who access a system for processing, storing or transmitting personal information or sensitive information are formally trained in data handling requirements prior to being authorized to access the system. |
6.7.7 |
Rules of Behavior |
Require employees and contractors to read and agree to abide by the organization’s rules of behavior, prior to being granted access to systems, applications and/or services that store, transmit or process personal data. |
Wingify has an Acceptable Use Policy (AUP) and every workforce member acknowledges it on an annual basis. AUPs define acceptable and unacceptable use of technologies, including consequences for unacceptable behavior. |
6.7.8 |
Employee Sanctions |
Utilize employee sanctions to hold personnel accountable for complying with the organization’s privacy policies and processes. |
Wingify has a robust Disciplinary Policy for sanctioning personnel who fail to comply with established security & privacy policies, standards and procedures of the organization. |
6.7.9 |
Workforce Management |
Respond to changing mission requirements and maintain workforce skills in a rapidly-developing technology environment through recruiting and retaining the talent needed to support the organization’s mission. |
Wingify has Human Resource personnel security mechanisms in place as per the A.7 control requirements of the ISO 27001 standard, and these are validated on an annual basis by an external third-party auditor. |
6.7.10 |
Professional Competency |
Develop and enforce privacy competency requirements for staff members involved in the acquisition, management, maintenance and use of information resources, to ensure they have the appropriate knowledge and skill. |
As mentioned above in section #7.9, Wingify has mechanisms (e.g. BGV) in place to manage personnel security risk by screening individuals prior to authorizing any information system access. Cybersecurity and privacy responsibilities are also clearly defined for all personnel, and a RACI matrix is in place for the same. |
6.8 Incident Response
Maintain adequate incident response capabilities and provide training for employees and contractors on how to report and respond to incidents.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.8.1 |
Breach Notification |
Report data breaches involving personal data to relevant regulators, law enforcement and affected parties in accordance with applicable statutory, regulatory and contractual obligations for breach notification. |
Wingify has a robust Security Incident Policy & Procedure and Breach Notification Plan under which any security incidents or data breaches are reported without undue delay. Please refer to section 9, “Incident Response and Breach Notification”, of our DPA. |
6.9 Risk Management
Implement a risk management framework to ensure that risks are identified, evaluated and addressed to achieve the necessary levels of trustworthiness, protection, and resilience.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.9.1 |
Evaluate Risks |
Utilize appropriate risk analysis methods to evaluate the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of personal data where it is stored, transmitted and/or processed. |
Wingify has a robust Risk Management Program in place, which includes, but is not limited to, Risk Assessment, Risk Treatment, Business Impact Analysis, Privacy Impact Assessment, etc. We conduct an annual assessment of risk that includes the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of the information systems and information. In addition, our critical systems and applications undergo Vulnerability Assessment and Penetration Testing (VAPT) on an annual basis through a third-party service provider, and quarterly security audits are performed for all production environment systems. |
6.9.2 |
Risk Awareness |
Maintain a current and accurate register of risk. |
As part of Risk Management, we maintain a risk register that facilitates monitoring and reporting of risks, if any. |
6.9.3 |
Assess Supply Chain Risk |
Assess supply chain risks associated with systems, system components and services for privacy implications. |
As mentioned above in section #9.1, we have a robust Risk Management Program (RMP) in place, and supply chain risk associated with information systems, system components and services is covered as part of the RMP. Before contracting with a third-party supplier or sub-processor, Wingify exercises due diligence to reach as much understanding as possible of the information security & data protection approach and controls the company has in place, and initiates a due diligence process for existing third-party suppliers on an annual basis. A Business Impact Assessment process is in place as well. |
6.9.4 |
Data Protection Impact Assessment (DPIA) |
Utilize Data Protection Impact Assessments (DPIAs) to effectively identify and reduce privacy risks to an acceptable level. |
Wingify conducts a Privacy Impact Assessment (PIA) on all information systems, applications and services on an annual basis to evaluate any privacy implications and associated risk, and the same is validated by an external third-party auditor. |
6.10 Third-Party Management
Provide privacy oversight of third-parties with access to personal data, so that only trusted third-parties are contracted with.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.10.1 |
Supply Chain Protections |
Govern the disclosure of personal data to ensure it is only provided to trusted third-parties that can store, process and/or transmit it in a secure manner. |
As mentioned above in section #9.3, we evaluate security and privacy risks associated with the services and product supply chain. Section 5.9. Third-Party Supplier of our information security policy: |
6.10.2 |
Secure Disclosure To Third-Parties |
Govern third-party use of personal data to ensure privacy requirements are enforced when a third-party stores, processes or transmits personal data on behalf of the organization. |
Wingify has proper mechanisms and measures in place to disclose Personal Information to any third parties or sub-processors only for the purposes identified in the privacy policy and with the proper consent of the individual. |
6.10.3 |
Contractual Obligations for Third-Parties |
Require terms and conditions in contracts and other agreements to cover the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of personal data. |
Wingify enters into a contractual agreement with all of its vendors/service providers, and a confidentiality clause is an essential part of such agreements. Further, wherever any personal information is involved, we sign a data protection agreement with our vendors/service providers to ensure that roles and responsibilities with respect to personal information are clearly defined. |
6.10.4 |
Third-Party Compliance |
Validate that privacy controls for systems, applications and services used or operated by third-parties are effectively-implemented and align with industry-recognized secure practices, as well as comply with applicable statutory, regulatory and contractual obligations. |
Wingify has a process and plan in place for conducting security and privacy training, assessment and monitoring activities associated with the organizational systems, and complies with all applicable statutory, regulatory and contractual obligations. We don’t provide any information access to any third-parties or vendors. |
Respect our Users and Customers, Respect their privacy.
We believe these ideas are inseparable. Together, they represent a single, core belief that has influenced everything we’ve made since day one, and everything we’ll make moving forward. When people use our products they trust us with their information, and it’s our job to do right by them. This means always being thoughtful about what information we use, how we use it, and how we protect it.