In other words, the data controller determines the purposes for which and the means by which personal data is processed, and the data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company.
In general, the controller assumes responsibility for all personal data collected and must ensure that the rights of the data subject and the controller’s own legal obligations are also covered by the processor.
The Data Processing Agreement is important so that both parties understand their responsibilities and liabilities. When it comes to Zycus, our customers are data controllers when they use Zycus applications (the Source to Pay suite of procurement performance solutions). Zycus is a data processor on behalf of the customer by means of a Data Processing Addendum.
ULTRIA’S DATA PROCESSING AGREEMENT (DPA)
Zycus’ Data Processing Agreement terms are designed to ensure that processing carried out by a processor meets all the requirements of the GDPR (not just those related to keeping personal data secure). By having such a DPA in place with the required terms, we ensure that we are complying with the GDPR.
Key pointers surrounding GDPR pertaining to Zycus
GDPR roles and definitions relating to Zycus:
At Zycus we have state-of-the-art security to ensure that data from our prospects and customers is never compromised. We know that security is crucial to you; therefore, security is our top priority and it is fundamental to the successful operation of Zycus. We devote significant resources to continually improving our world-class security infrastructure. The result: unsurpassed security and privacy for our customers’ information.
Standards and Specifications:
Zycus relies on SOC 2 Type I and Type II audits and reports to build trust and confidence. The SOC 2 Type I report provides reasonable assurance over the effectiveness of the controls at Zycus which are directly or indirectly relevant to our customers’ financial reporting, and the SOC 2 Type II report provides reasonable assurance over the controls that are relevant to the Trust Services Principles of Service Organization Control (security, availability and confidentiality). The SOC 2 Type II report also describes the operating effectiveness of these controls and is the most comprehensive type of report. With our SOC 2 audit report, we can assure our customers that we meet the most demanding requirements for the security, availability and confidentiality of their information.
Zycus also follows the ISO 27001:2013 ISMS standard and has developed its policies and procedures based on this framework. Zycus is in the process of incorporating a GDPR compliance management structure into our current ISMS, which is cross-functional and represents all key areas within the business. The current ISMS risk management process is also under review to incorporate privacy risk management.