Data Privacy Policy Information from CHEQ AI Technologies

--------------------------------

Our Approach to Privacy and Data Protection

 

CHEQ takes data privacy seriously and is dedicated to complying with all relevant data protection laws, including the EU’s GDPR and applicable US privacy laws. In this whitepaper, we have outlined the key aspects of our privacy policies and procedures, and answered frequently asked questions about compliance with the GDPR and applicable US privacy laws, for our customers’ information and compliance assessment purposes.

For any further questions, do not hesitate to contact your CHEQ representative, or use the contact details provided below.

Since CHEQ operates globally, it has aligned itself with the requirements of various applicable privacy laws and requirements. These laws include but are not limited to the EU General Data Protection Regulation (‘GDPR’) and the California Consumer Privacy Act (‘CCPA’). Our teams are constantly tracking new privacy legislation, and our internal procedures are frequently being updated to satisfy new requirements.

In providing its services, CHEQ assumes the role of a processor (or, where applicable, ‘service provider’) of its customers’ end-users’ (“Users”) personal data. To learn more about CHEQ’s privacy practices as part of its role as a controller, please visit CHEQ’s website privacy policy, available here.

As outlined below, CHEQ has established and implemented policies and procedures that ensure lawful, fair, and transparent processing of Users’ personal data, including conducting data protection impact assessments and incident response plans. In addition, we have representation in the EU and UK to ensure compliance with regional regulations.

Maintaining a robust security and privacy posture is of utmost importance to CHEQ. We have implemented technical and organizational measures to safeguard Users’ personal data and data subject rights. Additionally, we regularly review and update our security and privacy controls and practices to align with the appropriate compliance standards and regulations, ensuring the confidentiality, integrity, and availability of Users’ personal data. CHEQ (Vendor ID 572) participates in the IAB Europe Transparency & Consent Framework and complies with the Policies and Specifications of the Transparency & Consent Framework (TCF 2.2), which includes changes designed to improve the transparency and control that users have over their data.

Processing of Personal Data

CHEQ uses the IP address to determine whether a session is fraudulent and to block access to the customer’s website. If you choose to use the ‘Sign-up and Lead Protection’ service, CHEQ will also use the email address, phone number and user-agent of Users. This information is considered personal data under the GDPR.

Purpose Limitation and Data Minimization. CHEQ processes personal data only as necessary to provide its services to CHEQ customers who authorize the processing of such data. If a customer opts to use CHEQ’s product to track fraudulent services, the data processed will be used only for this purpose, and in compliance with the GDPR and CCPA.

Storage Limitation. All data we retain is for the purposes of providing our services, or to comply with legal obligations, resolve disputes or as otherwise described in detail in our publicly available privacy policies. We delete Personal Information periodically, or sooner upon a customer’s request, unless we have a valid legal need to retain such data.

Data Processing Agreement. CHEQ enters into a Data Processing Agreement (“DPA”) with all our customers. The DPA can be found here: https://cheq.ai/data-processing-agreement/. The DPA defines the role of CHEQ as “processor” and our customers as “controller” and describes their respective rights and obligations.

Technical and Organizational Measures

CHEQ takes appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. We use industry-standard security measures, such as encryption and access controls, to safeguard personal data. We also conduct regular security assessments and audits to identify and mitigate potential security risks.

We have implemented a comprehensive Information Security Management System (ISMS) that covers all aspects of our data processing activities, including data collection, processing, storage, and transmission. Our ISMS is based on the ISO/IEC 27001 standard, which is a globally recognized standard for information security management.

We have established an extensive Privacy Information Management System (PIMS) that encompasses all dimensions of our data processing operations, including data aggregation, handling, retention, and transfer. Our PIMS aligns with the ISO/IEC 27701 standard, a universally acknowledged framework for privacy information management.

For more information, please visit CHEQ SECURITY POSTURE.

To prevent fraudulent activity on our customers’ websites and services, CHEQ uses cookies and similar technologies (together “Cookies”). CHEQ considers these Cookies ‘essential’ because:

  • They are used only to identify and block fraudulent access to our customers’ websites
  • They are stored for a strictly limited period of time, as necessary to fulfill their purpose

Therefore, our customers are not required to obtain their Users’ consent in order to integrate CHEQ’s Cookies on their Users’ devices.

Moreover, we acknowledge that our customers have a legitimate business interest in ensuring the prevention of malicious access as an inherent part of making their website available. Therefore, we believe that CHEQ Cookies are strictly necessary for Users to access the services provided by our customers. This assumption was also recognized and acknowledged by EU judicial bodies.

Third-Party Service Providers and Sub-Processors

CHEQ may share data processed through its product with a limited number of third-party service providers as necessary for the operation of the services, specifically our hosting provider. Certain optional features of the CHEQ service offering, which are not part of CHEQ’s core offering, may involve additional transfers of data, as described in the relevant feature documentation.

Before sharing any data with third-party providers, CHEQ performs an assessment of the service providers to ensure that they provide appropriate safeguards to protect the privacy and security of the data in compliance with GDPR requirements.

Please view this link to see our Sub-Processors list.

Any transfers of personal information will be subject to a data processing agreement (DPA), detailing the parties’ obligations under the applicable privacy laws and implementing all safeguards necessary by law to ensure that personal data will always be treated in accordance with the requirements of privacy laws and industry best standards, wherever it may be transferred. These DPAs apply to any transfer outside CHEQ.

Whenever required by law, CHEQ also implements the GDPR’s Standard Contractual Clauses (SCCs), or their UK counterpart, providing further protection in privacy and security matters whenever Personal Information is transferred to certain jurisdictions.

CHEQ DPAs also oblige the receiving party to assist CHEQ and maintain various security mechanisms, all to ensure the security of personal information transferred. For example, data recipients must:

  • Implement and maintain appropriate technical and organizational methods to protect personal information against accidental or unlawful destruction.
  • Comply with a detailed list of measures ensuring the security of the information, including having a written security management system; maintaining a security policy that is regularly reviewed; applying encryption; maintaining a firewall configuration and limiting personal information storage to that which is necessary.
  • Conduct periodic reviews of network security and adequacy, measured against industry security standards.
  • Notify CHEQ without undue delay after becoming aware of a security incident and assist in investigations and resolution thereof.

Personal Data Transfer and Hosting Services

Depending on the desired configuration, our customers may choose which CHEQ servers should be used for data processing and storage. Personal data will be stored and processed in either the US or the EU, specifically on AWS eu-west-1 or us-east-1, upon customer request. Additionally, aggregated data and redacted (pseudonymized) data may be transferred and processed in the US.

We do not transfer any information to countries outside the EU or UK without making sure it is being transferred lawfully and that it will be in “good hands”, through our performance of transfer impact assessments (“TIAs”). These TIAs ensure that any recipient of personal data has the proper legal, organizational, and security mechanisms in place to avoid any mishandling or abuse of personal information.

TIAs performed by CHEQ include, among other things, a wide variety of topics regarding the level of security the recipient can provide to personal data transferred. This includes questions such as the organizational, technical, and contractual mechanisms being implemented, the possibility of disclosure of personal data to a governmental authority and the feasibility of transferring personal information exclusively to data centers allowing the maximum protection possible.

TIAs also require conducting comprehensive and extensive research into matters such as the recipient’s jurisdiction and whether its laws ensure the integrity of Users’ privacy rights.

TIAs allow CHEQ to make informed decisions and to maintain control over where personal information is being kept and how it is processed on CHEQ’s behalf.

Data Breach Response

CHEQ has implemented a data breach response plan to detect, respond to, and recover from data breaches. In the event of a data breach, we will promptly notify the relevant customer, affected individuals and authorities, as required by law. We have established a dedicated incident response team that is responsible for managing data breaches, and we conduct regular training and simulations to ensure that our team is prepared to respond to data breaches. We have also implemented appropriate technical and organizational measures to prevent, detect, and respond to data breaches, such as intrusion detection systems and firewalls. We conduct regular vulnerability assessments and penetration testing to identify and mitigate potential security risks.

Privacy by Design and Default

CHEQ incorporates the Privacy by Default principle in our processes and Privacy by Design in our products and services. We implement appropriate technical and organizational measures to ensure that personal data is protected from the outset and that data protection is embedded into all aspects of our data processing activities.

Therefore, CHEQ has designated several senior positions across the organization in order to ensure that all aspects of data safekeeping are properly attended to:

Data Protection Officer (DPO) – First and foremost, our DPO has a major role in assuring CHEQ complies with all necessary security legislation and plays an important part in the drafting and application of our procedures and internal policies. The DPO developed a comprehensive privacy compliance practice at CHEQ, based on in-depth knowledge and understanding of CHEQ technology, and collaborated with multiple stakeholders in all departments across the company, ensuring CHEQ’s various products and processes are compliant with the rapidly evolving legal privacy landscapes across the globe. In addition, the DPO ensures that our employees are trained on privacy and security matters during their onboarding process, as well as on an annual basis, and that they are bound to disciplinary measures in case of a breach of our policies.

Chief Information Security Officer (CISO) – Our teams follow strict security policies and procedures, designed by our CISO and his highly qualified team of experts. Their purpose is to protect personal information from disclosure, unauthorized access, and leakage by setting up the proper classifications, controls, and measurements. CHEQ employees must receive proper clearance for accessing personal information.

In addition, our employees may access personal data on a ‘need-to-know’ basis, and as necessary to provide the services.

Privacy Policy

CHEQ maintains a privacy policy that provides individuals with information on our data processing activities, their rights, and how to exercise them if they access our corporate website. Our privacy policy is regularly reviewed and updated to ensure compliance with data protection laws and regulations and to provide transparency and clarity on our data processing activities. Link to Privacy Policy

Training and Awareness

CHEQ provides regular training and awareness programs to all employees and contractors on data protection laws and regulations, our privacy policies and procedures, and best practices for protecting personal data. We also conduct regular audits and assessments to ensure that our employees and contractors are complying with our data protection policies and procedures.

EU and UK Representatives

Pursuant to the GDPR, Cheq AI Technologies (2018) Ltd has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:

  • by using EDPO’s online request form: click here
  • by writing to EDPO at Leuchtenfabrik, House A, 1st floor, Edisonstrasse 63, Berlin, 12459 Berlin, Germany

Pursuant to Article 27 of the UK GDPR, Cheq AI Technologies (2018) Ltd has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:

  • by using EDPO’s online request form: click here
  • by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom

We are committed

CHEQ is committed to protecting the privacy and personal data of our customers, partners, and users. We believe that privacy is a fundamental human right and that it is our responsibility to ensure that personal data is collected, processed, and used in a transparent, lawful, and responsible manner. We will continue to monitor and update our privacy policies and procedures to ensure that we are compliant with applicable data protection laws and regulations and that we are providing the highest level of privacy protection to our stakeholders.