
GDPR Compliance

Last updated: February 1, 2026

1. Our Commitment to GDPR

IndexMemory is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). We recognize the importance of data protection and privacy as fundamental rights, and we have implemented comprehensive measures to ensure that all personal data we process is handled lawfully, fairly, and transparently. This page outlines how we meet our obligations under the GDPR.

2. Data Controller Information

For the purposes of the GDPR, IndexMemory acts as the data controller for personal data collected through our website and services. As a data controller, we determine the purposes and means of processing personal data and are responsible for ensuring compliance with applicable data protection legislation.

Data Controller: IndexMemory
Email: dpo@indexmemory.com

3. Lawful Basis for Processing

We process personal data only when we have a valid lawful basis under Article 6 of the GDPR. The lawful bases we rely on include:

  • Consent (Article 6(1)(a)): Where you have given clear, informed, and unambiguous consent for us to process your personal data for specific purposes, such as subscribing to our newsletter or opting into marketing communications.
  • Contractual Necessity (Article 6(1)(b)): Where processing is necessary for the performance of a contract with you, or to take steps at your request prior to entering into a contract, such as providing our AI-powered memory indexing services.
  • Legitimate Interests (Article 6(1)(f)): Where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your fundamental rights and freedoms. This includes improving our services, ensuring security, and conducting business analytics.
  • Legal Obligation (Article 6(1)(c)): Where processing is necessary for compliance with a legal obligation to which we are subject, such as tax reporting or responding to lawful government requests.

4. Data Subject Rights

Under the GDPR, you have the following rights with respect to your personal data. We are committed to facilitating the exercise of these rights in a timely manner:

  • Right of Access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data along with supplementary information about how it is processed.
  • Right to Rectification (Article 16): You have the right to request the correction of inaccurate personal data and to have incomplete data completed.
  • Right to Erasure (Article 17): You have the right to request the deletion of your personal data where there is no compelling reason for its continued processing, also known as the "right to be forgotten."
  • Right to Restriction of Processing (Article 18): You have the right to request the restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
  • Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
  • Right to Object (Article 21): You have the right to object to the processing of your personal data on grounds relating to your particular situation, including objecting to processing based on legitimate interests or for direct marketing purposes.
  • Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects concerning you.

To exercise any of these rights, please contact our Data Protection Officer at dpo@indexmemory.com. We will respond to your request within 30 days, as required by the GDPR.

5. Data Protection Officer

IndexMemory has appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with the GDPR. The DPO is responsible for monitoring internal compliance, advising on data protection obligations, and serving as the point of contact for data subjects and supervisory authorities.

Data Protection Officer
Email: dpo@indexmemory.com

6. Data Processing Agreements

Where we engage third-party processors to handle personal data on our behalf, we ensure that appropriate Data Processing Agreements (DPAs) are in place in accordance with Article 28 of the GDPR. These agreements require processors to:

  • Process personal data only on our documented instructions
  • Ensure that persons authorized to process personal data have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist us in responding to data subject requests
  • Delete or return all personal data upon termination of the service
  • Make available all information necessary to demonstrate compliance and allow for audits

7. International Data Transfers

When personal data is transferred outside the European Economic Area (EEA), we ensure that adequate safeguards are in place as required by Chapter V of the GDPR. These safeguards may include:

  • Adequacy Decisions: Transferring data to countries that the European Commission has determined provide an adequate level of data protection.
  • Standard Contractual Clauses (SCCs): Using EU-approved standard contractual clauses to ensure appropriate data protection measures are in place.
  • Binding Corporate Rules: Where applicable, relying on approved binding corporate rules for intra-group transfers.

8. Data Security Measures

In accordance with Article 32 of the GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit (TLS/SSL) and at rest (AES-256)
  • Regular testing and evaluation of the effectiveness of security measures
  • Access controls with role-based permissions and multi-factor authentication
  • Regular security audits and vulnerability assessments
  • Employee training on data protection and security best practices
  • Incident response procedures and disaster recovery plans
  • Pseudonymization and anonymization of data where appropriate

9. Data Breach Notification

In the event of a personal data breach, we have procedures in place to comply with Articles 33 and 34 of the GDPR:

  • Supervisory Authority Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals.
  • Data Subject Notification: Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected data subjects without undue delay.
  • Documentation: We maintain a record of all data breaches, including the facts surrounding the breach, its effects, and the remedial actions taken.

10. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) as required by Article 35 of the GDPR when processing is likely to result in a high risk to the rights and freedoms of individuals. This includes assessments for new technologies, large-scale processing operations, and systematic monitoring activities. DPIAs help us identify and mitigate data protection risks before they materialize.

11. Records of Processing Activities

In accordance with Article 30 of the GDPR, we maintain comprehensive records of all processing activities carried out under our responsibility. These records include the purposes of processing, categories of data subjects and personal data, recipients of data, international transfers, retention periods, and a description of technical and organizational security measures.

12. Privacy by Design and by Default

IndexMemory adheres to the principles of data protection by design and by default as set out in Article 25 of the GDPR. We integrate data protection considerations into the design of our systems, products, and services from the outset. We also ensure that, by default, only personal data that is necessary for each specific purpose is processed.

13. Supervisory Authority

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. You may do so in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. We encourage you to contact us first at dpo@indexmemory.com so that we can address your concerns directly.

14. Changes to This GDPR Notice

We may update this GDPR Compliance page from time to time to reflect changes in our practices or applicable law. We will post the updated version on this page with a revised "Last updated" date. We encourage you to review this page periodically to stay informed about how we protect your data.

15. Contact Us

If you have any questions about our GDPR compliance or wish to exercise your data protection rights, please contact us at:

IndexMemory
Data Protection Officer
Email: dpo@indexmemory.com
