Privacy at Wingify
Wingify believes privacy is a fundamental human right. We are committed to providing you with products, information, and controls that allow you to choose how information is processed, collected and used.
1. Protecting your information is our highest priority
When you use Wingify’s VWO Services, then you trust its privacy will be protected and that it will only be used in a way that’s consistent with your expectations.
Our time-tested approach to privacy is grounded in our commitment to give you control over the collection, use, and distribution of your customer data. We are transparent about the specific policies, operational practices, and technologies that help ensure the privacy of your data in Wingify’s VWO Services.
2. Our commitment to GDPR
As part of our commitment to privacy, we made a number of investments and improvements to our data handling practices to support GDPR and the privacy rights of individuals. Learn more
3. Our commitment to CCPA
As part of our commitment to privacy, we made a number of investments and improvements to our data handling practices to support CCPA and the privacy rights of individuals. Learn more
4. Built-in privacy
The Security Development Lifecycle (SDL) and Privacy Policy provide additional details on our development process and transparent approach to keeping your data private.
Wingify Security Development Lifecycle (SDL): Privacy requirements are defined and integrated into the SDL, the software development process that helps developers build more secure products and services. The SDL consists of a set of practices that support security assurance and compliance requirements which help address data protection and privacy requirements including effective privacy reviews of each release of a Wingify product or service. The Wingify SDL introduces security and privacy considerations throughout all phases of the development process.
VWO Privacy Policy puts our commitment in writing and details out Wingify’s data protection policies and practices in a clear & straightforward language.
5. Wingify’s contractual commitments back our privacy best practices
Wingify makes broad contractual commitments to business in our Terms and Conditions. Wingify will use customer data only to provide the services agreed upon, and for purposes compatible with providing those services. We do not use customer data or derive information from it for advertising.
Furthermore, we will not disclose the customer data process in Wingify services to a government agency, unless required by law. If law enforcement demands customer data, we will attempt to redirect the agency to request that data directly from the customer. If we are compelled to disclose customer data to law enforcement, we promptly notify the customer and provide a copy of the demand, unless legally prohibited from doing so.
6. Our Privacy Management Principles & Controls
As mentioned above in Our beliefs, we are committed to privacy and data protection of individuals and customers. This is especially important as technology progresses and privacy laws evolve.
In support of the Security & Privacy by Design initiative, a volunteer effort created the Wingify Security & Privacy Management Principles. These Principles have a robust framework for building and maintaining secure systems, applications, and services that address cybersecurity and privacy consideration by default and by design.
Comparison between global privacy control frameworks was complicated to understand, what We did was identify a dozen of the leading privacy frameworks and created a set of comprehensive privacy management principles, Privacy Control Framework Principles which is a subset of Wingify Security & Privacy Management framework that is tailored for privacy and is intended to help us with designing, building and maintaining processes, systems, and applications that include both cybersecurity and privacy principles by default. The below-mentioned table clearly provides an understanding of how our Privacy Management Principles meet the control requirements for SOC 2, APEC, CCPA, EU GDPR, FIPPs, PIPEDA, GAPP, ISO 29100, NIST 800-53 Rev 4, etc.
We adopted these principles to guide our products, our processes, and our people in keeping our Customer’s and Visitor’s information private, safe and secure.
This will help us address multiple requirements since it brings a common integrated approach to privacy requirements like accountability, transparency & clarity.
The sixty-four (64) principles of the Privacy Management Principle are organized into ten (10) domains. The table below depicts each privacy principle that We adhere to along with Wingify’s implementation status for each of them making sure you get meaningful choices about how and why the information is collected/processed and used, ensuring that you have all the information you need to make the choices that are right for you across our products and services.
6.1 Privacy by Design
Establish and maintain a comprehensive privacy program that ensures privacy considerations are addressed by design in the development of policies, standards, processes, systems, applications, projects and third-party contracts.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.1.1 |
Assigned Responsibilities |
Assign accountability through documented roles and responsibilities to qualified individuals for maintaining compliance with all applicable privacy requirements that involve appropriately monitoring and documenting the privacy program. |
Wingify has appointed a Data Protection Officer and assigned responsibilities to liaise on matters of information security, data protection, compliance and overseeing the security and compliance of PII, Company IP, etc. for the Wingify which aligns with data protection by law and local law(s). |
6.1.2 |
Policies, Standards & Procedures |
Ensure appropriate policies, standards and procedures exist to operationalize the privacy program. |
Wingify follows ISO 27001:2013 standard control framework as a baseline, cross-mapping control with ISO 27701, PCI DSS, CSA, SOC 2, GDPR, CCPA, HIPAA and certified with ISO 27001 and ISO 27701 standard. Wingify has an integrated Information Security & Privacy management policy in place. Refer to this link https://wingify.com/information-security-policy for more details. |
6.1.3 |
Periodic Review |
At planned intervals or after significant changes, policies, standards, and procedures are reviewed to ensure continuing suitability, adequacy, and effectiveness to meet the organization’s applicable statutory, regulatory and contractual needs. |
Wingify has established the Corporate Security & Compliance Committee (CSCC) comprising of the workforce who are knowledgeable in legal cross-regulation, policy, product and IT to ensure confidentiality, privacy, and security related as required by applicable law. The CSCC meets on a quarterly basis to discuss and review concerns that arise during the quarter. Wingify runs Vulnerability Assessment Penetration Testing (VAPT) on an annual basis through a third-party service provider and performs quarterly security audits for all production environment systems. |
6.1.4 |
Oversight |
Provide oversight of privacy controls throughout the lifecycle of systems, applications, and services to ensure that in a timely manner, senior leaders with the organization are made aware of privacy-related risks that are not appropriately remediated. |
As mentioned above #1.3, CSCC ensures that overall controls are in place. CSCC is headed by the CEO and members from various departments. |
6.1.5 |
Management Visibility |
Provide performance metrics and trend analysis to enable management visibility and coordinate privacy efforts across the organization. |
Yes, as mentioned in #1.1, DPO provides overall visibility to the CEO, Top, and Senior Management on a regular basis. |
6.1.6 |
Compliance |
Oversee the execution of privacy controls with appropriate evidence of due care and due diligence, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions. |
Yes, Wingify adheres to all applicable law(s) and regulatory and contractual controls are in place. Also, we don’t knowingly collect any personal information from children under the age of 13. Refer to our Privacy Policy for more details. |
6.1.7 |
Data Classification |
Classify data according to the sensitivity and type of personal data as defined by appropriate statutory, regulatory and contractual contexts. |
Wingify has a robust data & assets classification mechanism in place that ensures categorization in accordance with applicable law(s), regulatory & contractual requirements only. |
6.1.8 |
Registering Databases |
Register applicable databases containing personal data with the appropriate Data Authority, when required. |
Wingify has created Personal Data Inventory and Data Flow in accordance with all applicable law(s), regulatory requirements. We also maintain ROPA (Record of Processing Activities) as defined in Article 30 of GDPR. |
6.1.9 |
Resource Planning |
Identify and plan for resources needed to operate a privacy program and include privacy requirements in solicitations for technology solutions and services. |
Yes, Wingify implemented a robust Privacy Program which comprises DPO, Core privacy team, departmental level DPRs (data protection representatives) and facilitates regular training for them. |
6.1.10 |
Inventory of PI |
Maintain an inventory of both the type of personal data and specific data elements, as well as the systems, applications, and processes that collect, create, use, disseminate, maintain, and/or disclose that personal data. |
Yes, as mentioned above Wingify established and maintains the Personal Information Inventory & flow which covers the whole information lifecycle from entry to exit of information like collection, processing, storing, and deletion, and reviewed and updated on an annual basis. |
6.1.11 |
Privacy Training |
Provide recurring privacy awareness and training for all employees and contractors. |
Yes, Wingify has established a robust privacy program which includes awareness and training program to all the workforce members. Mandatory Privacy & Security Awareness training is provided to all workforce members on an annual basis. workforce members who access any system for processing, storing or transmitting personal information or sensitive information are formally trained in data handling requirements prior to being authorized to access the system. |
6.2 Data Subject Participation
Individuals are directly involved in the decision-making process regarding the fair and lawful processing of the individual’s personal data and, to the extent practicable, directly-engaged to receive explicit permission to use their personal data.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.2.1 |
Clear Choices |
Provide clear and conspicuous choices that enable an individual, or a person authorized by the individual, to permit or prohibit the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of the individual’s personal data. This is also referred to as the right to “opt-out.” |
Refer to Privacy Policy which clearly mentions all privacy attributes and management practices in detail such as how we collect, process information, how to exercise data protection rights, retention, etc. Note: Wingify provides Services primarily intended for use by organizations. Where the VWO Services are made available to Users through an organization (such as your employer), that organization is responsible for administering the accounts over which it has control. If this is the case, please direct your information privacy and security questions and requests to your administrator. We are not responsible for the privacy and security practices of your administrator’s organization, which may be different than VWO policy. When our Customers use VWO Services as part of their own websites, apps, and services, they are responsible for their own privacy and security practices. |
6.2.2 |
Initial Consent |
Prior to the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of the individual’s personal data, the knowledge and consent of the individual are required. |
Yes, Wingify is committed to providing Services with information. controls and transparency that allows users to choose from opt-in or opt-out. We may ask for consent as a legal basis for information processing to collect, use and share personal information Refer to the section “Legal basis for processing” and ”Notice to Users of Our Customers and End Users of the Services” of VWO Privacy Policy for more details. |
6.2.3 |
Updated Consent |
Based on changes to privacy practices that affect the parameters of an individual’s initial consent, the updated consent of the individual is required to continue the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of the individual’s personal data. This is also referred to as the right to “opt-out” at any time after the initial consent was provided. |
Processing is based on your consent. Where we rely on Your consent You have the right to withdraw it anytime by sending a request to [email protected] with the word “Opt-out” or “UNSUBSCRIBE” in the subject field of the email. Note: Even after You opt-out from receiving promotional messages from us, if You have any account for VWO Services, we will still send You non-promotional communications, like service-related emails. |
6.2.4 |
Equal Service & Price |
Implement business processes to protect the right of data subjects to equal service and price, even if they exercise their privacy rights. |
Yes, as mentioned above in #1.6, Wingify is committed and adheres to all applicable law(s) relevant to Services and regulatory and contractual controls in place. Refer to the Privacy Policy for more details. |
6.2.5 |
Prohibit The Sale of Personal Data |
Provide a clear and conspicuous link on the organization’s Internet-based homepage, titled “Do Not Sell My Personal Information” that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal data. |
We do not “sell” our customers’ personal information to anyone, meaning that we also do not rent, disclose, release, transfer, make available or otherwise communicate that personal information to a third party for monetary or other valuable consideration. Refer to section “Privacy Commitment” of VWO Privacy Policy for reference. |
6.3 Limited Collection & Use
Ensure that the design of information collection is consistent with the intended use of the information, and the need for new information is balanced against any privacy risks.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.3.1 |
Authority to Collect |
Identify the authority given to collect, create, use, disseminate, maintain, and/or disclose an individual’s personal data. Document the authority in the organization’s privacy notice. |
Yes, Refer to VWO Privacy Policy. |
6.3.2 |
Data Minimization |
Take steps to minimize the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of the individual’s personal data to what is directly relevant and necessary to accomplish a legally authorized purpose. |
Yes, Wingify has established a Privacy Impact Assessment and Privacy Risk Treatment (PIA & PRT) exercise which is conducted on an annual basis and validated by an external third party auditor. |
6.3.3 |
Internal Use |
Restrict the internal use of personal data to the only authorized purpose(s) that are consistent with the stated privacy notice. |
Wingify has adopted the least access privileges principles and role-based access provision across all the information systems, this is our by-design and by-default approach. Wingify has Information Retention, Archive, and Retention /Disposal Policy and Procedure in place which is consistent with applicable laws and clearly defines ownership and accountability, access, use, storage location, etc. of information and the same is validated by an external third-party auditor on an annual basis. |
6.4 Transparency
Provide a transparent notice to the public about privacy practices through a clear and conspicuous notice on all organizational websites, mobile applications, and other digital services regarding the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of personal data.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.4.1 |
Notice & Purpose Specification |
Provide notice of the specific purpose(s) for which personal data is collected, created, used, disseminated, maintained, retained and/or disclosed. |
As a controller, Wingify clearly mentions about information collection and its usage under its Privacy Policy. This policy is updated on an annual basis and the same is notified to all the individuals over the email. |
6.5 Data Lifecycle Management
Limit the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of personal data to that which is legally authorized, relevant, and deemed “reasonably necessary” for the proper performance of business functions.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.5.1 |
Data Flow Mapping |
Maintain a record of processing activities that document the flow of personal data that includes: – Geographic locations and third-parties involved in the storage, transmission and/or processing of personal data; – Contact details of the controller(s) involved in the storage, transmission and/or processing of personal data; – The purposes of the storage, transmission, and processing; – A description of the categories of data subjects and personal data; – Where possible, the time limits for erasure of the different categories of data; and – Where possible, a description of the cybersecurity and privacy measures of the data controller. |
As mentioned above in section #1.8, Wingify has a robust Data Inventory and DataFlow document in place as per Article 30 requirements under EU GDPR and applicable laws. We also maintain the Network Architecture Diagram that contains details to assess the security of the networks, reflect the current state of network or information transmission. |
6.5.2 |
Retention of Personal Information |
Ensure that all records containing personal data are maintained in accordance with the organization’s records retention schedule and comply with applicable statutory, regulatory and contractual obligations. |
As mentioned above, Wingify has maintained ROPA (Record of Processing Activities) and Information Retention, Archive, and Retention /Disposal Policy and Procedure are in place, which clearly define ownership & accountability, access, use, storage location etc of information and the same is validated by external third-party auditor on an annual basis. This helps us adhere with all applicable laws. |
6.5.3 |
Secure Destruction of Personal Information |
Utilize secure methods to dispose of or destroy, both physical and digital media, that contains personal data. |
Wingify Customer data is hosted in a secure cloud data center service provider and also logically segregated by the VWO application and already has a mechanism in place to De-identifying personal information. And, Wingify follows NIST SP 800-88 Rev 1- Guidelines for Media Sanitization for PII Deletion / Disposal of Media. Refer to this link for more details. |
6.5.4 |
Geolocation Restrictions |
Restrict the location of processing, storage and service locations to comply with the privacy notice, as well as applicable statutory, regulatory and contractual obligations. |
As mentioned above, Wingify has established and maintains Data Flow Diagram for personal information processing and that clearly mentions the information storage and location. We store or process personal information about Website visitors and Attendees within the United States and in other countries and territories to facilitate our global operations. Refer to this Sub-Processor utilized by Wingify for Third-party processing, storage and service locations details. Personal Information may be processed outside of the EEA and in countries that are not subject to an adequacy decision by the European Commission. In this event, Wingify will ensure that the recipient of personal information offers an adequate level of protection, for instance by entering into standard contractual clauses for the transfer of data as approved by the European Commission Article 46 of the GDPR. |
6.5.5 |
Data Portability |
Provide the functionality to export personal data in a structured, commonly-used and machine-readable format that can be transferred to another controller without hindrance. |
Wingify has taken all the necessary and appropriate steps to protect and respect data subject rights and personal information. Wingify has a robust Data Subject Access Request (DSAR) Procedure and Process in place. We will provide information in a structured, commonly-used electronic format after submission of such requests by email to Note:We may request specific information from you to help us confirm your identity and process your request. |
6.5.6 |
Record of Disclosures |
Develop and maintain an account of personal data disclosures, that upon request, can be made available to the individual whose personal data was disclosed. |
Wingify keeps accurate information held in each system of records under its control including date, nature and purpose of information of record, name and address of the person or agency to which the disclosure was made. Retaining the accounting of disclosures for the life of the record or as per applicable data protection laws. And makes the accounting of disclosures available to the person named in the record upon request by data protection authority or applicable. |
6.5.7 |
Integrity Protections |
Maintain the accuracy and relevance of personal data across the information lifecycle as personal data is collected, created, used, disseminated, maintained, retained and/or disclosed. |
Yes,Wingify confirms to the greatest extent practicable upon collection or creation of personal information lifecycle , the accuracy, relevance ,timeliness and completeness of that information. Collects personal information directly from the individual to the greatest extent practicable. And additionally Wingify revalidated collected information via sending email for VWO Services account creation. |
6.5.8 |
De-Identification |
Process personal data in such a manner that it is not attributable to a data subject through technical or organizational measures (e.g., anonymization, pseudonymization or data minimization). |
Wingify Customer data is hosted in a secure cloud data center service provider and also logically segregated by the VWO application and already a mechanism in place to De-identifying personal information. And following measures in place: i. VWO Services does not collect nor does it require any sensitive information by default, for its functioning. ii. VWO Services has also adopted a method where the UUID stored on the client-side is pseudonymized by using a one-way hash before storing on its servers. iii. Any IP address intended to be stored is stored with anonymization of at least the last octet (configurable by a user up to complete anonymization). Refer to VWO Privacy Center for more details. |
6.5.9 |
Quality Management |
Maintain quality assurances throughout the information lifecycle with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual. |
As mentioned above section #5.7, Wingify have proper internal guidelines which ensures and maximizing the quality, utility, objectivity and integrity of disseminated information. |
6.5.10 |
Flaw Remediation with Personal Information |
Identify and correct flaws related to personal data as it is collected, created, used, disseminated, maintained, retained and/or disclosed. |
Wingify have following measures and process in place: i. Technical Vulnerabilities program in place. ii. Software Development LifeCycle process in place which includes not limited to system change control procedure, technical and security review of application after any release or platform, robust information security & privacy weakness program in place (Responsible Disclosure Policy) etc. |
6.6 Data Subject Rights
Provide individuals with appropriate access to personal data.
# |
Principal Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.6.1 |
Inquiry Management |
Maintain a capability to receive and respond to privacy-related requests, complaints, concerns or questions from individuals. |
Wingify have taken all necessary and appropriate steps to protect and respects data subject rights and personal information. Wingify have robust Data Subject Access Request (DSAR) Procedure and Process in place. We will provide information about our processing of Customer personal information and give them access to personal information. Customer can submit these requests by email to Note:We may request specific information from you to help us confirm your identity and process your request. |
6.6.2 |
Updating Personal Information |
Provide individuals with appropriate opportunity to correct or amend their personal data. |
As a controller, Wingify provides Right To Rectification under which data-subject has the right to rectification of inaccurate personal information concerning you, including completion of incomplete personal information. Contact Wingify at [email protected] for any questions or to update your information. As a processor, upon instruction by the Controller, Wingify shall correct, rectify, or block Personal Information. Any request from a data subject directly to the Processor shall be directed to the Controller. |
6.6.3 |
Redress |
Provide individuals with appropriate opportunity to challenge the organization’s compliance with its privacy principles. |
As a controller, Wingify provides Rights To Object that provides the data-subjects right to object at any time to our processing of personal information concerning you. For example, if you have requested to receive information from us, e.g., newsletters, but do not wish to receive further information, you can easily opt out of receiving further information from us. Contact Wingify at [email protected] for any questions or to update your information. As a processor, upon instruction by the Controller, Wingify shall correct, rectify, or block Personal Information. Any request from a data subject directly to the Processor shall be directed to the Controller. |
6.6.4 |
Notice of Correction or Amendment |
Notify affected individuals when their personal data is corrected or amended |
We will provide information about our processing of your personal information and give you access to your personal information. You can submit these requests by email to We may request specific information from you to help us confirm your identity and process your request. |
6.6.5 |
Appeal |
Provide individuals with appropriate opportunity to appeal an adverse decision to have incorrect personal data amended. |
Yes, You can submit these requests by email to [email protected]. |
6.6.6 |
Right to Erasure |
Provide individuals with appropriate opportunity to request the deletion of personal data where it is used, disseminated, maintained, retained and/or disclosed, including where the personal data is stored or processed by third-parties. |
As a controller, VWO provides Right To Erasure. Under certain circumstances, you have the right to the erasure of personal information concerning you. Contact Wingify at [email protected] for any questions or to update your information. As a processor, upon instruction by the Controller, VWO shall correct, rectify, or block Personal Information. Any request from a data subject directly to the Processor shall be directed to the Controller. |
6.7 Security by Design
Establish administrative, technical, and physical safeguards to protect personal data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.7.1 |
Cybersecurity Considerations |
Incorporate privacy requirements into enterprise architecture to ensure that risk is addressed so that the systems, applications and services achieve the necessary levels of trustworthiness, protection, and resilience. |
We back ourselves up with robust information security and privacy practices that form an integral part of our product engineering and services principles and follow security by design principles. We have a top-down governance and security in our DNA that lets us constantly wade through our threat vectors and calibrate to strengthen our security posture. That way, we align to the changing business and technology landscape. Following necessary measures are in place: i. Secure Engineering Principles guidelines. ii. Robust Software Development Life Cycle procedure and process is in place which includes security and privacy by design practices in the specification, design, development, implementation, and modification phases of systems and services. |
6.7.2 |
Cryptographic Protections |
Ensure personal data is encrypted both at rest and in transit. |
Wingify has implemented best practices cryptographic protection controls using trusted cryptographic technologies. i. All data flow (in transit) in data pipelines is encrypted using a secure channel like TLS1.2. ii.Data at rest is encrypted using AES 256 standards (one of the strongest block ciphers available). |
6.7.3 |
Physical Protections |
Ensure physical security and environmental controls to provide appropriate protection for environments where personal data is stored, transmitted and/or processed. |
Wingify data centers are hosted in some of the most secure facilities available today in locations that are protected from physical and logical attacks as well as from natural disasters, such as earthquakes, fires, and floods. Physical security measures for these data centers include intrusion protection measures and security guards. We rely on third-party attestations of their physical security. Within our office premises, we employ a number of best industry-standard physical security controls. |
6.7.4 |
Embedded Technology |
Facilitate the secure implementation of embedded technologies so that the sensors minimize the collection of personal data and alert individuals to the personal data collected by those sensors. |
This is not applicable as of now. |
6.7.5 |
Retire Outdated Systems |
Upgrade, replace, or retire any system, application or service for which appropriate protections, commensurate with risk, cannot be effectively implemented. |
Wingify has a mechanism in place for all EUC (End User Computing) and all EUC replacement is done before the prescribed end of life, that is within 3 years. We also have an intelligence defence mechanism in place (Carbon Black Defence) which help us with any vulnerbailities wrt. any unsupported component in real time. |
6.7.6 |
Personnel Security |
Implement personnel management practices, covering employees, contractors and other entities, that ensure appropriate vetting and clearance to systems, applications and/or services that contain, store or transmit personal data. |
As mentioned above section #1.11, Wingify has established a security program which includes awareness and training program for all workforce members. Mandatory Security & Privacy Awareness training of all workforce members on an annual basis. Workforce members who access a system for processing, storing or transmitting personal information or sensitive information are formally trained in data handling requirements prior to authorizing access to the system. |
6.7.7 |
Rules of Behavior |
Require employees and contractors to read and agree to abide by the organization’s rules of behavior, prior to being granted access to systems, applications and/or services that store, transmit or process personal data. |
Wingify has a Acceptable Use Policy (AUP) and every workforce member acknowledges it on an annual basis. AUPs define acceptable and unacceptable use of technologies, including consequences for unacceptable behavior. |
6.7.8 |
Employee Sanctions |
Utilize employee sanctions to hold personnel accountable for complying with the organization’s privacy policies and processes. |
Wingify has a robust Disciplinary Policy for sanctioning personnel who fail to comply with established security & privacy policies, standards and procedures of the organization. |
6.7.9 |
Workforce Management |
Respond to changing mission requirements and maintain workforce skills in a rapidly-developing technology environment through recruiting and retaining the talent needed to support the organization’s mission. |
Wingify has Human Resource personnel security mechanisms in place as per A.7 of ISO 27001 standard control requirement and validated on an annual basis by external third-party auditor. |
6.7.10 |
Professional Competency |
Develop and enforce privacy competency requirements for staff members involved in the acquisition, management, maintenance and use of information resources, to ensure they have the appropriate knowledge and skill. |
As mentioned above in section #7.9, Wingify has mechanisms (eg. BGV) in place to manage personnel security risk by screening individuals prior to authorizing any information system access. And as well clearly defined cybersecurity and privacy responsibilities for all personnel and RACI matrix is in place for the same. |
6.8 Incident Response
Maintain adequate incident response capabilities and provide training for employees and contractors on how to report and respond to incidents.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.8.1 |
Breach Notification |
Report data breaches involving personal data to relevant regulators, law enforcement and affected parties in accordance with applicable statutory, regulatory and contractual obligations for breach notification. |
Wingify has a robust Security Incident Policy & Procedure and Breach Notification Plan where any security incident or data breaches are reported with any undue delay. Please refer to the section 9 “Incident Response and Breach Notification” of our DPA |
6.9 Risk Management
Implement a risk management framework to ensure that risks are identified, evaluated and addressed to achieve the necessary levels of trustworthiness, protection, and resilience.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.9.1 |
Evaluate Risks |
Utilize appropriate risk analysis methods to evaluate the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of personal data where it is stored, transmitted and/or processed. |
Wingify has a robust Risk Management Program in place, which includes but not limited to Risk assessment, Risk treatment, Business Impact Analysis, Privacy Impact Assessment etc. We conduct an annual assessment of risk that includes the likelihood and magnitude of harm , from unauthorized access, use, disclosure, disruption, modification or destruction of the information systems and information. And, our critical systems and application runs Vulnerability Assessment Penetration Testing (VAPT) on an annual basis through a third-party service provider and performs quarterly security audits for all production environment systems. |
6.9.2 |
Risk Awareness |
Maintain a current and accurate register of risk. |
As part of Risk Management, we maintain a risk register that facilitates monitoring and reporting of risks, if any. |
6.9.3 |
Assess Supply Chain Risk |
Assess supply chain risks associated with systems, system components and services for privacy implications. |
As mentioned above in section #9.1, we have a robust Risk Management Program in place, supply chain risk as well as part of RMP, associated with information systems, system components and services. Before contracting with third-party supplier or sub-processor, Wingify to exercise due diligence in reaching as much understanding as possible of the information security & data protection approach controls the company has in place.and initiate due diligence process for existing third party supplier on an annual basis. Business Impact Assessment process is in place as well. |
6.9.4 |
Data Protection Impact Assessment (DPIA) |
Utilize Data Protection Impact Assessments (DPIAs) to effectively identify and reduce privacy risks to an acceptable level. |
Wingify conducts a Privacy Impact Assessment (PIA) on all information systems, applications and services to evaluate any privacy implications and associated risk on an annual basis and same is validated by an external third party auditor. |
6.10 Third-Party Management
Provide privacy oversight of third-parties with access to personal data, so that only trusted third-parties are contracted with.
# |
Principle Name |
Privacy Management Principle Description |
Wingify Adherence Details |
6.10.1 |
Supply Chain Protections |
Govern the disclosure of personal data to ensure it is only provided to trusted third-parties that can store, process and/or transmit it in a secure manner. |
As mentioned above in section #9.3, we evaluate security and privacy risks associated with the services and product supply chain. Section 5.9. Third-Party Supplier of our information security policy: |
6.10.2 |
Secure Disclosure To Third-Parties |
Govern third-party use of personal data to ensure privacy requirements are enforced when a third-party stores, processes or transmits personal data on behalf of the organization. |
Wingify has proper mechanisms and measures in place to disclose Personal Information to any third parties or sub processors for only the purposes identified in the privacy policy and with the proper consent of the individual. |
6.10.3 |
Contractual Obligations for Third-Parties |
Require terms and conditions in contracts and other agreements to cover the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of personal data. |
Wingify enters into a contractual agreement with all of its vendors/service providers and confidentiality clause is an essential part of such agreements. Further, wherever any personal information is involved, we sign a data protection agreement with our vendors/service providers to ensure that roles and responsibilities with respect to personal information are clearly defined. |
6.10.4 |
Third-Party Compliance |
Validate that privacy controls for systems, applications and services used or operated by third-parties are effectively-implemented and align with industry-recognized secure practices, as well as comply with applicable statutory, regulatory and contractual obligations. |
Wingify has a process and plan in place for conducting security and privacy training, assessment, monitoring activities associated with the organizational systems and comply with all applicable statutory, regulatory and contractual obligations. We don’t provide any information access to any third-parties or vendors. |
Respect our Users and Customers, Respect their privacy.
We believe these ideas are inseparable. Together, they represent a single, core belief that has influenced everything we’ve made since day one, and everything we’ll make moving forward. When people use our products they trust us with their information, and it’s our job to do right by them. This means always being thoughtful about what information we use, how we use it, and how we protect it.