Data Privacy Policy for xcPEP
1. Introduction
This Data Privacy Policy outlines Advanced Structures India Private Limited's commitment to protecting the privacy and security of data processed through our xcPEP SaaS platform. As a global SaaS provider, we adhere to stringent data protection principles and comply with applicable laws, including GDPR and other relevant data protection regulations.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Customer Data: All electronic data, text, messages, or other materials submitted to the service by Customers in connection with their use of the service.
- Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means.
- Data Controller: The entity that determines the purposes and means of the processing of Personal Data (typically the customer).
- Data Processor: The entity that processes Personal Data on behalf of the Data Controller (e.g., Advanced Structures India Private Limited when providing the service).
- Data Subject: An identified or identifiable natural person to whom Personal Data relates.
3. Principles of Data Processing
We process data in accordance with the following principles:
- Lawfulness, fairness, and transparency: Processing is conducted lawfully, fairly, and in a transparent manner.
- Purpose limitation: Data is collected for specified, explicit, and legitimate purposes (e.g., Cost Engineering) and not further processed in a manner incompatible with those purposes.
- Data minimization: We only collect and process Personal Data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. We implement Data Minimization by Design.
- Accuracy: Personal Data is accurate and, where necessary, kept up to date.
- Storage limitation: Data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data is processed.
- Integrity and confidentiality: Personal Data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- Accountability: We are responsible for, and are able to demonstrate compliance with, these principles.
4. Types of Data Collected and Processed
We process various categories of data to provide the xcPEP service, including:
- Customer Account Data: Information related to customer accounts (e.g., company name, contact details, billing information) used for service management, support, and invoicing.
- Customer Content Data: All data, text, messages, and other materials submitted by customers through the xcPEP platform for Cost Engineering purposes. This may include project costs, financial figures, employee data (if relevant to cost analysis), and other business-critical information.
- Usage Data: Information about how users interact with the service (e.g., login times, features used, performance metrics). This data is anonymized or aggregated where possible.
5. How We Use Data
Data is used solely for the following purposes:
- To provide, maintain, and secure the xcPEP service.
- To improve and develop service functionalities and user experience.
- For internal security monitoring, incident response, and performance analysis.
- For billing, account management, and contractual obligations.
- To comply with legal and regulatory requirements.
6. Data Minimization by Design
Our processes and features are meticulously designed to collect and utilize the minimum necessary data required for the robust functionality of xcPEP. We integrate privacy considerations from the initial design phase of new features and systems.
7. Data Ownership
Customers retain full ownership of all Customer Data submitted to the xcPEP service. Advanced Structures India Private Limited acts solely as a data processor on behalf of the customer, the data controller, regarding Customer Content Data.
8. Data Sharing and Disclosure
- With Third Parties: We may share data with trusted third-party service providers (sub-processors) who assist us in delivering the xcPEP service (e.g., cloud hosting, email services, support tools). All sub-processors are subject to rigorous due diligence and contractual agreements, and adhere to data protection standards at least as stringent as our own. A comprehensive list of our current sub-processors is available in our Sub-Processor List and Policy.
- Legal Requirements: We may disclose data if legally required to do so by a court order, subpoena, or other valid legal process, or if we believe in good faith that such disclosure is necessary to comply with legal obligations, protect our rights or property, or ensure the safety of our users or the public.
- Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, customer data may be transferred as part of the transaction, subject to appropriate data protection safeguards.
9. International Data Transfers
Our primary hosting infrastructure is on Amazon Web Services (AWS), with the capability to provide services in multiple AWS regions globally. While we are a global SaaS provider, we facilitate data residency in specific AWS regions based on customer requirements. Any transfer of Personal Data across international borders is conducted in compliance with applicable data protection laws, utilizing appropriate safeguards such as Standard Contractual Clauses for GDPR, or other legally recognized transfer mechanisms.
10. Data Subject Rights
Data subjects whose Personal Data is processed by xcPEP (where Advanced Structures India Private Limited is the processor) have the following rights, which our customers (the controllers) can facilitate through our platform:
- Right to Access: Request access to their Personal Data.
- Right to Rectification: Request correction of inaccurate or incomplete Personal Data.
- Right to Erasure (Right to be Forgotten): Request deletion of their Personal Data under certain conditions.
- Right to Restriction of Processing: Request limitation on the processing of their Personal Data.
- Right to Data Portability: Request their Personal Data in a structured, commonly used, and machine-readable format.
- Right to Object: Object to the processing of their Personal Data.
Customers are responsible for responding to data subject requests related to Customer Content Data. We will assist customers in fulfilling these requests where necessary, as per our Data Processing Addendum.
11. Security Measures
We implement robust technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. This includes encryption, access controls, regular security assessments, and a comprehensive Information Security Policy.
12. Data Retention
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, or as required by legal and regulatory obligations. Our Data Retention and Deletion Policy provides detailed information on retention periods and deletion procedures.
13. Children's Privacy
Our service is not intended for individuals under the age of 18. We do not knowingly collect Personal Data from children. If we become aware that we have collected Personal Data from a child without parental consent, we will take steps to delete that information promptly.
14. Changes to This Policy
We may update this Data Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify customers of any material changes by posting the updated policy on our website or through direct communication.
15. Contact Information
For any questions or concerns regarding this Data Privacy Policy or our data processing practices, please contact [email protected]