Client Data Safeguards

The following terms describe the technical and organizational measures, internal controls, and information security routines that DataQuel maintains to safeguard data provided by or on behalf of our clients in connection with a client service engagement (“Client Data”). These security measures are intended to protect Client Data when in DataQuel’s environments (e.g., systems, networks, facilities) against accidental, unauthorized, or unlawful access, disclosure, alteration, loss, or destruction. When Client Data includes personal data, our implementation of and compliance with these measures (and any additional security measures set out in the applicable client agreement) is designed to provide an appropriate level of security in respect of the processing of the personal data. DataQuel may change these measures from time to time, without notice, so long as any such revisions do not materially reduce or degrade the protection provided for the Client Data.

Standard Data Safeguards

  • Security Ownership. DataQuel will appoint one or more security officers responsible for coordinating and monitoring the security rules and procedures.
  • Security Roles and Responsibilities. DataQuel’s personnel with access to Client Data will be subject to confidentiality obligations.
  • Risk Management Program. DataQuel will have a risk management program in place to identify, assess and take appropriate actions with respect to risks related to the processing of the Client Data in connection with the applicable agreement between the Parties.
  • Asset Inventory. DataQuel will maintain an asset inventory of its infrastructure, network, applications and cloud environments. DataQuel will also maintain an inventory of its media on which Client Data is stored. Access to the inventories of such media will be restricted to personnel authorized in writing to have such access.
  • Data Handling. DataQuel will
    • Classify Client Data to help identify such data and to allow for access to it to be appropriately restricted.
    • Limit printing of Client Data from its systems to what is minimally necessary to perform services and have procedures for disposing of printed materials that contain Client Data.
    • Require its personnel to obtain appropriate authorization prior to storing Client Data outside of contractually approved locations and systems, remotely accessing Client Data, or processing Client Data outside the Parties’ facilities.
  • Security Training. DataQuel will
    • Inform its personnel about relevant security procedures and their respective roles.
    • Inform its personnel of the possible consequences of breaching the security rules and procedures.
    • Only use anonymous data in its training environments.
  • Physical Access to Facilities. DataQuel will implement and maintain procedures to limit authorized access to its facilities where information systems that process Client Data are located.
  • Physical Access to Components. DataQuel will maintain records of the incoming and outgoing media containing Client Data, including the kind of media, the authorized sender/recipients, date and time, the number of media, and the types of Client Data they contain.
  • Component Disposal. DataQuel will use industry standard (e.g., ISO 27001, CIS Sans 20, and/or NIST Cyber-Security Framework, as applicable) processes to delete Client Data when it is no longer needed.
  • Operational Policy. DataQuel will maintain security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Client Data.
  • Mobile Device Management (MDM)/Mobile Application Management (MAM). DataQuel will maintain a policy for its mobile devices that:
    • Enforces device encryption.
    • Prohibits use of blacklisted apps.
    • Prohibits enrollment of mobile devices that have been “jail broken.”
  • Data Recovery Procedures. DataQuel will
    • Have specific data recovery procedures with respect to its systems in place designed to enable the recovery of Client Data being maintained in its systems.
    • Review its data recovery procedures at least annually.
    • Log data restoration efforts with respect to its systems, including the person responsible, the description of the restored data and where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process.
  • Malicious Software. DataQuel will have anti-malware controls to help avoid malicious software gaining unauthorized access to Client Data, including malicious software originating from public networks.
  • Data Beyond Boundaries. DataQuel will
    • Encrypt Client Data that it transmits over public networks.
    • Protect Client Data in media leaving its facilities (e.g., through encryption).
    • Implement automated tools where practicable to reduce the risks of misdirected email, letters, and / or faxes from its systems.
  • Event Logging.
    • For its systems containing Client Data, DataQuel will log events consistent with its stated policies or standards.
  • Access Policy. DataQuel will maintain a record of the security privileges of individuals having access to Client Data via its systems.
  • Access Authorization. DataQuel will
    • Maintain and update a record of personnel authorized to access Client Data via its systems.
    • When responsible for access provisioning, promptly provision authentication credentials.
    • Deactivate authentication credentials where such credentials have not been used for a period of time (such period of non-use not to exceed 90 days).
    • Deactivate authentication credentials upon notification that access is no longer needed (e.g., employee termination, project reassignment, etc.) within two business days.
    • Identify those personnel who may grant, alter or cancel authorized access to data and resources.
    • Ensure that where more than one individual has access to its systems containing Client Data, the individuals have unique identifiers/log-ins (i.e., no shared ids).
  • Least Privilege. DataQuel will
    • Only permit its technical support personnel to have access to Client Data when needed.
    • Maintain controls that enable emergency access to production systems via firefighter ids, temporary ids or ids managed by a Privileged Access Management (PAM) solution.
    • Restrict access to Client Data in its systems to only those individuals who require such access to perform their job function.
    • Limit access to Client Data in its systems to only that data minimally necessary to perform the services.
    • Support segregation of duties between its environments so that no individual person has access to perform tasks that create a security conflict of interest (e.g., developer/reviewer, developer/tester).
  • Integrity and Confidentiality. DataQuel will instruct its personnel to disable administrative sessions when leaving premises or when computers are otherwise left unattended.
  • Authentication. DataQuel will
    • Use industry standard (e.g., ISO 27001, CIS Sans 20, and/or NIST Cyber-Security Framework, as applicable) practices to identify and authenticate users who attempt to access its information systems.
    • Where authentication mechanisms are based on passwords, require that the passwords are renewed regularly.
    • Where authentication mechanisms are based on passwords, require the password to contain at least eight characters and three of the following four types of characters: numeric (0-9), lowercase (a-z), uppercase (A-Z), special (e.g., !, *, &, etc.).
    • Ensure that de-activated or expired identifiers are not granted to other individuals.
    • Monitor repeated attempts to gain access to its information systems using an invalid password.
    • Maintain industry standard (e.g., ISO 27001, CIS Sans 20, and/or NIST Cyber-Security Framework, as applicable) procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
    • Use industry standard (e.g., ISO 27001, CIS Sans 20, and/or NIST Cyber-Security Framework, as applicable) password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, as well as during storage.
  • Multi-Factor Authentication. DataQuel will implement Multi-Factor Authentication for internal access and remote access over virtual private network (VPN) to its systems.
  • At least annually, DataQuel will perform penetration and vulnerability assessments on DataQuel's IT environments in accordance with DataQuel's internal security policies and standard practices.
  • DataQuel agrees to share with Client summary level information related to such tests as conducted by DataQuel to the extent applicable to the Services.
  • For clarity, as it relates to such penetration and vulnerability testing, Client will not be entitled to (i) data or information of other customers or clients of DataQuel; (ii) test third party IT environments except to the extent DataQuel has the right to allow such testing; (iii) any access to or testing of shared service infrastructure or environments, or (iv) any other Confidential Information of DataQuel that is not directly relevant to such tests and the Services.
  • For any DataQuel IT systems that are physically dedicated to Client, the Parties may agree to separate, written testing plans and such testing will not exceed two tests per year.

DataQuel will

  • Have controls to avoid individuals gaining unauthorized access to Client Data in its systems.
  • Use email-based data loss prevention to monitor or restrict movement of sensitive data.
  • Use network-based web filtering to prevent access to unauthorized sites.
  • Use firefighter IDs or temporary user IDs for production access.
  • Use network intrusion detection and / or prevention in its systems.
  • Use secure coding standards.
  • Scan for and remediate OWASP vulnerabilities in its systems.
  • To the extent technically possible, expect that the Parties will work together to limit the ability of DataQuel personnel to access non-Client and non-DataQuel environments from the Client systems.
  • Maintain up to date server, network, infrastructure, application and cloud security configuration standards.
  • Scan its environments to ensure identified configuration vulnerabilities have been remediated.
  • DataQuel will have a patch management procedure that deploys security patches for its systems used to process Client Data that includes:
    • Defined time allowed to implement patches (not to exceed 90 days for high or medium patches as defined by DataQuel’s standard); and
    • Established process to handle emergency or critical patches as soon as practicable.
  • DataQuel will implement controls for workstations it provides that are used in connection with service delivery/receipt incorporating the following:
    • Software agent that manages overall compliance of workstation and reports at a minimum on a weekly basis to a central server
    • Encrypted hard drive
    • Patching process so that workstations are patched within the documented patching schedule
    • Ability to prevent blacklisted software from being installed
    • Antivirus with a minimum weekly scan
    • Firewalls installed
  • Security Breach Response Process. DataQuel will maintain a record of its own security breaches in its systems with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the process for recovering data.
  • Service Monitoring. DataQuel’s security personnel will review their own logs as part of their security breach response process to propose remediation efforts if necessary.
  • DataQuel will have processes and programs that are aligned to ISO 22301 to enable recovery from events that impact its ability to perform in accordance with the Agreement.

Supplementary Measures

In addition, in accordance with regulatory guidance following the European Court of Justice “Schrems II” decision, DataQuel further commits to maintaining the following additional technical, organizational and legal/contractual measures with respect to Client Data, including personal data.
  • The Client Data in transit between DataQuel entities will be strongly encrypted with encryption that:
    • is state of the art,
    • secures the confidentiality for the required time period,
    • is implemented by properly maintained software,
    • is robust and provides protection against active and passive attacks by public authorities, including cryptanalysis, and
    • does not contain back doors in hardware or software, unless otherwise agreed with the applicable Client.
  • The Client Data at rest and stored by any DataQuel entities will be strongly encrypted with encryption that:
    • is state of the art,
    • secures the confidentiality for the required time period,
    • is implemented by properly maintained software,
    • is robust and provides protection against active and passive attacks by public authorities, including cryptanalysis, and
    • does not contain back doors in hardware or software, unless otherwise agreed with the applicable Client.
  • The Client Data transfer between DataQuel entities and the processing by any DataQuel entities will be in accordance with:
    • DataQuel’s internal policies and procedures to manage requests from public authorities to access personal data,
    • DataQuel’s internal data access and confidentiality policies and procedures,
    • DataQuel’s internal data minimization policies and procedures, and
    • DataQuel’s internal data security and data privacy policies and procedures.
  • DataQuel will maintain a documented log of requests for access to personal data received from public authorities and the response provided, along with the legal reasoning and the involved parties.
  • DataQuel will regularly provide reports of public authority requests for personal data, if any, to DataQuel’s Chief Compliance Officer.
  • DataQuel will maintain regularly updated assessment reports with respect to the surveillance laws and privacy practices for the countries in which DataQuel processes Client Data where such country is not formally recognized as providing a level of protection essentially similar to EU countries and will provide copies of applicable reports to clients upon request.
  • The DataQuel entity/s processing Client Data certify that, unless otherwise agreed with the applicable Client, (a) it has not purposefully created back doors or similar programming that could be used to access the system and/or personal data, (b) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems, and (c) to the best of DataQuel’s knowledge, applicable national law or government policy does not require the DataQuel entity to create or maintain back doors or to facilitate access to personal data or systems or for the DataQuel entity to be in possession or to hand over the encryption key without a legally valid order and following an appropriate legal review.
  • To the extent permitted under applicable law the DataQuel entity/s processing Client Data will inform the client of Government Requests relating to Personal Data that DataQuel is processing on behalf of the client. If, under applicable law, DataQuel is not permitted to inform the client of a Government Request, DataQuel will take reasonable steps to either (i) obtain administrative or judicial leave to inform the client at the earliest possible time or (ii) request that the respective Government Authority directly informs the client. In any event, DataQuel will take reasonable steps before the courts or in administrative proceedings to challenge Government Requests it deems unlawful.
  • DataQuel will advise the applicable client of any change in applicable law that would affect DataQuel’s ability to comply with the data transfer mechanism relied on.
  • The DataQuel entity/s processing Client Data will allow the applicable client to verify if its personal data was disclosed to public authorities via agreed audit procedures as set out in the applicable client agreement.
  • The DataQuel entity/s processing Client Data will not engage in any onward transfer of Client Data, or suspend ongoing transfers, without the client’s approval as required in the applicable client agreement or as otherwise required by law.
  • Nothing herein shall prejudice the rights of the data subject to recover damages from DataQuel to the extent permitted by applicable law in the event DataQuel discloses Client Data transferred in violation of its commitments contained under the chosen transfer tool.
