Being a service provider, Zifo will act as a data processor to all our customers, who are data controllers. Such processing activity will be restricted to the instructions of the data controller through mutually established contractual agreements.

Zifo will primarily process any address book information given freely as part of sales and business agreements for communication and system support purposes.

All clinical data we process is pseudonymised and hence protected by default. Clinical data in generality, both blinded and unblinded, is treated as sensitive personal data and proportionate data protection measures, in accordance to GDPR and other applicable regulations, will be in place.

Where Zifo is a sub-processor, the processor organization who subcontracts the processing activities to Zifo shall define Zifo’s roles and responsibilities for the same and Zifo shall comply with all GDPR requirements applicable to data processors in such cases.

Zifo shall not engage sub-processors without prior consent from the data controller. When such an engagement is agreed upon, Zifo will ensure the sub-processor complies with necessary GDPR requirements by signing GDPR compliant agreements.

GDPR also brings about changes in marketing, sales and HR functions to organisations such as Zifo, which operates globally. We will act as a data controller in this case.

To account for these requirements, Zifo will ensure that marketing is done for legitimate interests, restricting to address book information. All prospects and customers shall be given the explicit option to opt out.

Every EU employee will be made aware of the rights and any restriction to rights as a data subject at the time of on-boarding through an agreement, and is expected to adhere to applicable GDPR requirements while handling personal data within the organisation.

All technological solutions developed by Zifo will address the privacy of personal data as an integral component of the product development process right from its conception, throughout the Software development lifecycle, ensuring that personal data is protected by design.

We are ISO/IEC 270001/2013 certified, the International Standard for Information Security Management system.

Standardised physical / logical controls and security measures are in place to maintain data integrity, confidentiality and availability

We believe in achieving compliance to GDPR by integrating data protection best practices into our organisational structure. Following are the best practices:

• Data Protection Impact Assessment (DPIA) – Define, Assess, Review controls, Implement data governance strategies, Monitor

• We are ISO/IEC 270001/2013 certified, the International Standard for Information Security Management system

• Standardised physical / logical controls and security measures are in place to maintain data integrity, confidentiality and availability

• Transparent Data Privacy and Confidentiality policy

• Continuous employee training on privacy policies and personal data handling procedures

• Data breach and non-compliance redressal system

• Mechanisms to ensure appropriate agreements are signed with data controllers and data processors we engage.

• Access to personal data only through authorized user accounts

• All technological solutions provided by Zifo as well as configurations made over these solutions:

  • comply with regulatory requirements for computerized systems

  • are validated for their fitness for use and applicable regulations

• Data subject’s “opt-out” status is tracked and monitored for processing activities such as marketing

• Process in place to assess and monitor compliance to GDPR on a periodic basis

Any breach to privacy of personal data will be considered and logged as an incident, within Zifo. The data controller/ data subject, as applicable shall be notified within 1 business day of detection of the breach. Resolution actions, as needed, shall be initiated and communicated appropriately.

Please reach out to us at dataprotection@zifornd.com