Personal data protection at Skyworker
A general statement for clients
This document outlines current information security and personal data protection practices at Skyworker Inc. (hereinafter, “Skyworker”). The measures and documentation listed in this statement were assessed against per-article GDPR requirements and best industry practices in the field of personal data protection. The privacy and security of our clients’ data are among our priorities. For the purposes of this document, we use the terms “client” and “clients” to refer to companies looking for candidates through the Skyworker website.
We are implementing a comprehensive data governance system, which aims at:
- adhering to information security practices and controls appropriate to risks envisaged as a result of the processing to reduce the risk of a data breach;
- achieving compliance with applicable data protection laws, namely the General Data Protection Regulation (the “GDPR”) and other local data protection laws;
- ensuring that our clients are aware of their compliance obligations as data controllers;
- ongoing monitoring and review of our practices and documentation.
We aim to adhere to industry best practices in the field of information security. Below is the outline of the controls in place at Skyworker that address core requirements with a direct impact on the security of processing:
Confidentiality, integrity and availability
Confidentiality is achieved through access control restrictions. Access to personal data is provided on a “need-to-have” basis and is available only to team members who require it to perform their duties. Actions such as access, rectification, or deletion are logged in the system to provide traceability and accountability.
Integrity is maintained by making sure that our production environment databases and the production servers are located in one place and are only accessible via a private network. This ensures that information in our possession cannot be accessed from anywhere else. Regular backup schemes are also implemented to ensure data availability.
We additionally make sure that all access keys to our databases, as well as third-party integration access keys, are stored as environment variables and passed to the containers.
We have implemented a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures implemented.
Data minimisation and deletion
We permanently delete data at the end of data retention periods and upon termination of the relationships with clients.
Our employees are provided with corporate software, services, and storage licences. Skyworker requires each employee to make sure that the software they are working with is regularly updated.
ISO27001-certified cloud hosting
We rely on an ISO27001-certified company for the storage of personal data, ensuring that our data falls under an externally certified audit of the hosting provider’s information security management system.
Measures to address data subject rights
Data subject rights
To help our website users to be in full control of their personal data, we make sure that they are provided with the ability to contact us for the exercise of their privacy rights.
We have also embedded certain privacy controls into our website functionality so our website users can manage their personal data without necessarily contacting us. Specifically, we remove all personal data from our systems when a website user decides to delete their account. We also allow our website users to update their account information, and we make sure our systems reflect those changes.
At the moment of the data collection, we provide clients and website users with the details on how their personal data is being collected and processed.
Data Sharing Agreement
We acknowledge that we have a controller-to-controller relationship between us and our clients. As a result of this, we are ready to sign a Data Sharing Agreement (a “DSA”) to clarify the roles and responsibilities over the personal data that is shared between us and the clients.
To achieve uniform protection of client data, we offer clients the option to conclude an international transfer mechanism with us, namely the Standard Contractual Clauses (SCCs) as approved by the European Commission on June 4th, 2021.
Limited data retention periods
Personal data stored on our servers have limited retention periods.
Upon termination of the relationship with the client, we ensure that the personal data is destroyed from our systems, as well as from the systems of our subcontractors and vendors.
Data Protection Training
We have engaged an external data protection specialist to provide a data protection training session for our team to help us better understand and tackle our privacy obligations.
We pick only those third-party providers that provide sufficient guarantees of information protection. Our due diligence assesses the following items:
- overall reputation;
- security practices;
- compliance with privacy laws;
- location of data storage;
- commitments to privacy and security certifications or standards;
- readiness for data protection and security audits.
Ongoing monitoring and review
We aim for our privacy and security practices to be consistent and systematic. As our organisation and external environment continue to evolve, we regularly monitor and review our practices to ensure that the data is protected at all times.
If you would like to receive more information on our personal data protection practices, please contact us at firstname.lastname@example.org