Privacy and Data Protection
More information on security resource
- CNDP MA
- Data Processing Agreement
- Binding Corporate Rules
- Privacy Shield
- Transparency Report
Qalqul Engine prioritizes customer trust. We know that the security and integrity of customer data is important to our customers’ values and operations. That is why we keep it private and safe.
Qalqul Engine supports customers in over 160 countries and territories. Our customers entrust us with large amounts of sensitive information, stemming from a wide range of industries including healthcare, financial services, government, and technology.
Qalqul Engine helps customers maintain control of their privacy and data security in a myriad of ways:
- Data Security: We provide our customers compliance with high security standards,
such as encryption of data in motion over public networks, auditing standards (SOC
2, ISO 27001, ISO 27018), Distributed Denial of Service (“DDoS”) mitigations, and a
Support team that is on-call 24/7.
- Disclosure of Customer Service Data: Qalqul Engine only discloses Service Data to third parties where disclosure is necessary to provide the services or as required to respond to lawful requests from public authorities.
- Trust: Qalqul Engine has developed security protections and control processes to help our customers ensure a secure environment for their information. Independent third-party experts have confirmed Qalqul Engine’s adherence to high industry standards.
- Data Hosting Locality: Customers who purchase the Data Center Location Deployed Associated Service (“Data Center Location Add-on”) have the ability to select the region (from the available Qalqul Engine regional options) where the data center which hosts their Service Data is located.
- Access Management: Qalqul Engine provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining and improving the Qalqul Engine services and as otherwise required by law.
What is Service Data?
Service Data is any information, including personal data, which is stored in or transmitted via the Qalqul Engine services by, or on behalf of, our customers and their end-users.
Who owns and controls Service Data?
From a privacy perspective, the customer is the controller of Service Data, and Qalqul Engine is a processor. This means that throughout the time that a customer subscribes to services with Qalqul Engine, the customer retains ownership of and control over Service Data in its account.
What are Qalqul Engine’s sub-processors?
Qalqul Engine may use sub-processors, including affiliates of Qalqul Engine as well as third party companies, to provide, secure or improve the Services, and such subprocessors may have access to Service Data. Qalqul Engine maintains an up-to-date list of the names and locations of all sub-processors. The list includes the ability for our customers to sign up for notifications of any changes. Qalqul Engine shall be responsible for the acts and omissions of sub-processors to the same extent that Qalqul Engine would be responsible if Qalqul Engine was performing the services of each subprocessor directly.
How does Qalqul Engine use Service Data?
We use Service Data to operate and improve our services, help customers access and use the services, respond to customer inquiries, and send communications related to the services.
What steps does Qalqul Engine take to secure Service Data?
Qalqul Engine prioritizes data security and combines enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer and business data is always protected. For example, Qalqul Engine servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities. Additionally, we engage third-party security experts to perform detailed penetration tests on a periodic basis, and our Support team is on call 24/7 to respond to security alerts and events.
Where will Service Data be stored?
Qalqul Engine uses data centers in the European Union.
What happens to Service Data upon termination or expiration of a customers’ agreement with Qalqul Engine?
Qalqul Engine maintains a publicly available data deletion policy that describes Qalqul Engine’s data deletion processes upon termination or expiration of a customer’s agreement with Qalqul Engine.
How does Qalqul Engine respond to legal request for Service Data?
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or Privacy and Data Protection 4 legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information with relevant law enforcement agencies or public authorities if we believe the same to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Master Subscription Agreement, or as otherwise required by law.
Qalqul Engine has been dedicated to privacy, security, compliance, and transparency, including adherence to the regulations set forth by the Commission Nationale de contrôle de la protection des Données à Caractère Personnel (CNDP MA) in Morocco. Our commitment extends to assisting our customers in their compliance with data protection requirements, as defined by the CNDP MA.
If a company collects, transmits, hosts, or analyzes personal data subject to the jurisdiction of the CNDP MA, it is necessary to engage third-party data processors who can guarantee their ability to implement the technical and organizational requirements specified by the CNDP MA. Qalqul Engine is dedicated to earning the trust of our customers, and as such, our Data Processing Agreement (DPA) has been updated to provide contractual commitments ensuring our compliance with applicable data protection laws in Morocco, including the provisions required by the CNDP MA.
What is cndp ma?
CNDP stands for the “Conseil National des Droits de l’Homme” (National Human Rights Council). The CNDP is an independent institution established in 2011 under Moroccan law to protect and promote human rights in the country.
The main objectives of CNDP Morocco include:
Monitoring and reporting on the human rights situation in Morocco: The CNDP conducts investigations, research, and analysis of human rights issues, and produces reports to inform the government, public institutions, and civil society organizations about the human rights situation in the country.
Advising on human rights policies and legislation: The CNDP provides recommendations to the Moroccan government regarding the development of policies, laws, and measures to strengthen human rights protections and ensure compliance with international human rights standards.
Promoting human rights education and awareness: The CNDP organizes campaigns, seminars, and workshops to raise awareness about human rights among the general public, public officials, and civil society organizations. It also works to integrate human rights education into school curricula.
Addressing individual complaints and supporting victims: The CNDP receives and investigates complaints related to human rights violations, provides legal advice and assistance to victims, and advocates for their rights to be upheld and protected.
Since our inception, Qalqul Engine’s approach has been anchored with a strong commitment to privacy, security, compliance and transparency. This approach includes supporting our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”), which replaced the EU Data Protection Directive (also known as “Directive 95/46/EC“) and became enforceable on May 25, 2018. If a company collects, transmits, hosts or analyzes personal data of EU citizens, GDPR requires the company to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR. To further earn our customers’ trust, our DPA has been updated to provide our customers with contractual commitments regarding our compliance with applicable EU data protection law and to implement additional contractual provisions required by the GDPR. Our contractual commitments guarantee that customers can:
- Respond to requests from data subjects to export, correct, amend or delete personal data.
- Be made aware of and report personal data breaches to relevant supervisory authorities and data subjects in accordance with GDPR timeframes.
- Demonstrate their compliance with the GDPR as pertaining to Qalqul Engine’s services.
What is GDPR?
The General Data Protection Regulation (“GDPR”) is the European privacy regulation which replaced the EU Data Protection Directive (“Directive 95/46/EC”). The GDPR addresses the processing of personal data and the free movement of such data. It aims to strengthen the security and protection of personal data in the EU and harmonize EU Privacy and Data Protection 5 data protection law. Broadly, it sets out a number of data protection principles and requirements which must be adhered to when personal data is processed. The GDPR also established the European Data Protection Board (“EPDB”), which ensures that the data protection law is applied consistently across the EU and works to ensure effective cooperation amongst data protection authorities.
How does the GDPR apply to customers?
Qalqul Engine customers that collect and store personal data are considered data controllers under the GDPR. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant EU data protection law, including the GDPR and uniquely determine what personal data is submitted to, and processed by, Qalqul Engine in accordance with the Services.
What implications does GDPR have for organizations processing the personal data of EU citizens?
One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.
In its capacity as a data processor, how does Qalqul Engine handle requests made by End-Users?
If Qalqul Engine receives a data subject request from a customer’s End-User (i.e., a user of the Services to whom a customer has provided our Services), Qalqul Engine is the Processor, and Qalqul Engine will, to the extent that applicable legislation does not prohibit Qalqul Engine from doing so, promptly inform the End-User to contact our customer (i.e. the Controller) directly about any request relating to his/her Personal Data such as access or deletion. Qalqul Engine will not further respond to a data subject request without customer’s prior consent.
What are some suggestions for Qalqul Engine customers with regard to GDPR?
Qalqul Engine encourages customers to continually review their privacy and data security processes and policies to ensure compliance with the GDPR. Data controllers Privacy and Data Protection 6 bear the primary responsibility for ensuring that their processing of personal data is compliant with EU data protection law. Below are some key points to consider for GDPR compliance:
- Geographical Application:The GDPR may apply to organizations that are established in the EU as well as certain organizations established outside the EU but which are processing the personal data of EU citizens, depending on their activities.
- Rights of End-Users:Organizations should be cognizant of End-Users whose personal data they may be processing. The GDPR establishes enhanced rights for End-Users, and organizations should be able to accommodate those rights.
- Data Breach Notifications:Organizations that are controllers of personal data should have clear processes in place in order to comply with the GDPR requirement to report data breaches in accordance with the time frames set out within the GDPR. Qalqul Engine will notify affected customers without undue delay if we become aware of a data breach of our services.
- Appointment of Data Protection Officer (“DPO”):Customers may need to appoint DPOs to manage issues relating to the processing of personal data.
- Data Processing Agreement (“DPA”):Where personal data is transferred outside the EEA, a customer may need DPAs in place with its sub-processors to ensure an adequate level of protection for the transferred data.
- Data Protection Impact Assessment (“DPIA”):DPIAs usually describe an organization’s data processes and protective measures, particularly those that may be risky. For data processing activities, customers need to conduct and file with authorities a DPIA.
Data Processing Agreement
Qalqul Engine offers active customers of its paid and trial services the ability to enter into a Data Processing Agreement (“DPA”) to reflect the parties’ agreement with regard to the processing of personal data. If you would like to access the Qalqul Engine DPA for review or signature, please click here. Customers who signed earlier versions of our DPA can sign our current DPA at any time.
What is a Data Processing Agreement (DPA)?
Qalqul Engine offers customers a robust Data Processing Agreement governing the relationship between the customer (acting as a data controller) and Qalqul Engine (acting as a data processor). The DPA facilitates Qalqul Engine’s customers’ compliance with their obligations under EU data protection law and contains strong privacy commitments, and has been updated to confirm our compliance with the GDPR. The DPA also contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to Qalqul Engine outside of the European Union by relying on one of three mechanisms: our Binding Corporate Rules, our Privacy Shield certification, or Standard Contractual Clauses.
The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (CCPA) is a U.S. law enacted in the State of California with an effective date of January 1, 2020. Generally, it expands upon the privacy rights available to certain California consumers, and requires certain companies to comply with various data protection requirements.
What is CCPA?
The CCPA grants California consumers new rights with respect to the collection of their
personal information and requires companies to comply with certain obligations related
to those rights, including:
- An obligation on businesses to notify a consumer of its data collection practices, including the categories of personal information it has collected, the source of the information, the business’s use of the information, and to whom the business disclosed the information it has collected about the consumer.
- The consumer’s right to receive a copy, in a readily usable format, of the specific personal information collected about them during the twelve (12) months prior to their request.
- The consumer’s right to have such personal information deleted (with exceptions).
- The consumer’s right to know the business data sale practices and to request that their personal information not be sold to third parties.
- A prohibition on businesses on discrimination for exercising a consumer right; and
- An obligation on businesses to notify a consumer of their rights.
How does CCPA apply to Qalqul Engine customers?
Qalqul Engine customers that collect and store personal information in Qalqul Engine Services may be considered “Businesses” under the CCPA. Businesses bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law, including the CCPA. Qalqul Engine acts as a “Service Provider,” as such term is defined in the current version of the CCPA, with respect to the processing of personal information through our Services. Therefore, Qalqul Engine collects, accesses, maintains, uses, processes and transfers the personal information of our customers and our customer’s end-users processed through the Services solely for the purpose of performing our obligations under our existing contract(s) with our customers; and, for no commercial purpose other than the performance of such obligations and improvement of the Services we provide.
The Brazilian General Data Protection Law, or Lei Geral de Proteção de Dados Pessoais, (LGPD) went into effect on August 16, 2020. It is the primary law in Brazil addressing the protection of personal data.
What is LGPD?
The LGPD is the primary law in Brazil addressing the protection of personal data, aiming to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.” As such, controllers and processors (as defined under the LGPD) are required to adhere to certain principles when processing personal data, including but not limited to purpose, necessity, transparency, and security.
How does LGPD apply to Qalqul Engine customers?
Qalqul Engine customers that collect and store personal data in Qalqul Engine Services may be considered “controllers” under the LGPD. Controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant data protection law, including the LGPD. Qalqul Engine acts as a “processor,” as such term is defined in the current version of the LGPD, with respect to the Privacy and Data Protection 9 processing of personal data through our Services. Therefore, Qalqul Engine processes the personal data of our customers and our customer’s end-users at the instruction of our customers.
Qalqul Engine Privacy and Data Protection Product Readiness
Privacy frameworks from different regions may differ in the terminology they use to
describe the roles and obligations of the respective parties. For consistency, Qalqul
Engine uses the following terms throughout these guides to apply globally. For the
avoidance of doubt, these definitions do not replace any definitions in agreements that
customers or individuals may have with Qalqul Engine.
- Data controller is the party that determines the purposes and means of processing the personal data.
- Data processor is the party that processes personal data on behalf of the data controller.
- Data subject is the identified or identifiable natural person whose personal data is at issue; and.
- Personal data is any information relating to the data subject.