Spektra Systems’ Commitment to Data Privacy:
Spektra Systems is committed to protecting the privacy of its users and ensuring no unnecessary data is collected other than the required information for providing the services. Spektra Systems does not collect any sensitive data from its users.
To ensure the utmost assurance of privacy for our valued clients and users, we have meticulously crafted a comprehensive Company Privacy Policy. Developed under the careful guidance of our management, this policy takes into consideration the interests of all stakeholders and interested parties. It offers a transparent overview of our Data Collection, Handling, Retention, Cookie Policy, and Data Subject Rights processes.
Our privacy policy is dynamic and reviewed periodically to adapt to the changing needs of the tech environment, without compromising the core principles of Data Privacy.
Each year, all our products undergo rigorous third-party Vulnerability Assessment and Penetration Testing (VAPT) to bolster their security measures. Root-level identification and elimination of potential threats are prioritized, while we also actively encourage and value suggestions from external parties to further fortify our systems.
Our products are further assured through recognized compliances, audited by independent third-party assessors. Reports are available upon request for interested parties.
Compliance with Regulations:
- Regulation (EU) 2016/679 (General Data Protection Regulation-GDPR): The General Data Protection Regulation (GDPR) serves as a fundamental pillar of EU law, ensuring the protection of data and privacy across the European Union (EU) and the European Economic Area (EEA). Deeply integrated into the framework of EU privacy and human rights laws, particularly articulated in Article 8 of the Charter of Fundamental Rights of the European Union, the GDPR carries profound significance. Given our collaborations with European partners and our predominant role as a Data Processor, Spektra Systems diligently upholds GDPR compliance, fostering a culture of strict adherence among all our employees.
According to the General Data Protection Regulation (GDPR), contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses – so-called standard contractual clauses (SCCs) – that have been “pre-approved” by the European Commission. Spektra is a cloud service provider, and all our data is hosted in Cloud Services across different regions of the world. SCCs are in place with our European partners (Data Controllers) to ensure transparency in our Data processing activity. In most scenarios, Module 2 (Controller to Processor) of the SCCs is engaged, as Spektra plays the role of the processor.
Spektra’s adherence to GDPR standards offers reassurance to our partners and users that their data, entrusted to us, is meticulously protected and secured. Upholding data privacy empowers both our partners and individuals, granting them control over their personal information. This control allows them to dictate how their data is gathered, utilized, and shared. By honoring individual autonomy, we ensure that personal information remains safeguarded against exploitation or misuse.
- SOC2 TYPE 2: A SOC 2 Type 2 report is an internal control report capturing how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third-party technology services. Developed by the American Institute of CPAs (AICPA) and audited by accredited third parties, SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy. The report also includes a mapping of the controls tested to ISO/IEC 27001:2013 Annex A / ISO/IEC 27002:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, HIPAA security requirements, and FFIEC’s examination guidelines for GLBA Information Security.
Spektra Systems and Products are annually audited and attested by Deloitte Shared Services for SOC 2 Type 2 and GDPR Compliance. Additionally, on a monthly basis, the SOC 2 Controls are tested internally to ensure continuous compliance.
Through SOC 2 Type 2 Compliance, we assure the following to our Partners:
- Highest Quality of Services
- Trustworthy Data Security
- Risk Awareness & Mitigation
- Incident Response & Disaster Recovery Protocols
- Continuous Improvements
- California Consumer Privacy Act (CCPA): The California Consumer Privacy Act of 2018 (CCPA) gives consumers in California more control over the personal information that businesses collect about them. This landmark law secures new privacy rights for California consumers, including:
- The right to know about the personal information a business collects about them and how it is used and shared.
- The right to delete personal information collected from them (with some exceptions).
- The right to opt out of the sale of their personal information.
- The right to non-discrimination for exercising their CCPA rights.
Spektra has adopted the CCPA regulation for all its products to meet the business needs of our Californian clients. Our CCPA Privacy Notice is built on the “Shine The Light” Law and provides detailed information on the various rights that Californian consumers can exercise with us. Annually, we are audited and attested by Deloitte Shared Services to ensure compliance with the CCPA.
The CCPA offers the advantage of enhanced customer loyalty. By proactively anticipating their needs and devising a well-planned communication strategy, we effectively engage with customers, keeping their brand top of mind. Well-timed and informative communications are essential to building and nurturing ongoing customer relationships and fostering loyalty and trust.
In addition to the above compliances, our product CloudLabs has been audited and attested to the following:
- Microsoft Supplier Security & Privacy Assurance (SSPA): The Supplier Security and Privacy Assurance (SSPA) Program delivers Microsoft’s data processing instructions, through the Microsoft Supplier Data Protection Requirements (DPR), to suppliers working with Personal Data and/or Microsoft Confidential Data.
CloudLabs is a trusted service provider offering various services to Microsoft. Our relationship with Microsoft is built on trust, and this trust is ensured through our annual compliance with the SSPA Program. A self-attestation is performed annually in alignment with Microsoft’s data protection requirements, following which CloudLabs is audited by Microsoft-nominated assessor A-Lign.
- Provides our customers with the assurance that we have the controls in place to protect their data.
- Assures Microsoft and our clients that we meet the privacy and security safeguard requirements set by Microsoft.
- Family Educational Rights and Privacy Act (FERPA): The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law designed to protect the privacy of student education records from unauthorized disclosure. The law applies to all schools and educational institutions that receive funding under a program administered by the U.S. Department of Education.
Customers in the US sign up for CloudLabs and CloudEvents (Hackathons). The CloudLabs platform facilitates hands-on labs, test drives, and Proof of Concepts (POCs) across various scenarios on a large scale. Tailored for organizations and educational institutes of all sizes, CloudLabs delivers an impactful learning experience with minimal to zero management overhead. CloudLabs’ FERPA compliance and related practices are described in the FERPA Privacy Notice.
FERPA compliance instills confidence among educators and parents who utilize our platform, assuring them that student data is securely handled. We offer straightforward insights into our product data practices via the product profile, ensuring transparency and peace of mind for our users.
- The Children’s Online Privacy Protection Act (COPPA): Spektra Systems is committed to protecting the privacy of children who use our platforms, CloudLabs & CloudEvents, for learning purposes. The Children’s Online Privacy Protection Act (COPPA) is a Federal Trade Commission (FTC) Rule designed to ensure that parents remain in control of personal information collected from their young children online. It applies to operators of websites or online services that collect, use, or disclose personal information from children under the age of 13, and to operators of websites or online services that have actual knowledge that they are collecting personal information from users of another website or online service directed at children.
Spektra upholds its commitment to protecting the data of children under the age of 13, as outlined in our COPPA Privacy Notice. This notice provides detailed insights into our data collection practices for children, our relationships with third parties, and the procedures for obtaining Verifiable Parental Consent (VPC). Please note that children under 13 years old cannot access services from CloudLabs and CloudEvents (Hackathons) without official consent from their parents or guardians.
Data Security Controls:
In addition to the above, the Spektra Systems Data Privacy ecosystem is governed by policies and procedures spanning Information Security, Business Continuity, and Disaster Recovery. The following provides an insight into the various technological and organizational measures taken to ensure Data Privacy and Information Security across our products and services.
Organizational controls
- We maintain a data protection and information security policy.
- All employees and individuals authorized to access personal data receive thorough training on the significance of data protection and information security. This training emphasizes everyone’s responsibilities regarding data protection and information security measures.
- Designated Data Protection Officer.
- Regular Internal Audits, Periodic Risk Assessments & Penetration Tests.
- Third parties offering services to Spektra Systems are evaluated before onboarding. Annual re-evaluations are carried out to ensure data security across our supplier chain.
Virtual Access Control
- Multi-factor authentication is enabled across the organization.
- System passwords must be changed every 90 days and must include special characters and numeric values.
Data Access Control
- Access to customer data is given only to employees and management as and when needed.
- Data is stored in a protected cloud environment (Azure Resources).
- Access Management is regulated through the Ticketing tool (Azure DevOps). The creation and termination of User IDs are done based on relevant approvals.
- Audit logs are monitored every quarter.
- Admin access to users is controlled and reviewed periodically or as required.
- Shared User IDs are not used.
- Passwords are stored in a protected Cloud environment (Key Vault) and access is controlled.
- Password reset is done through Multi-Factor Authentication.
- Encryption of data in transit and at rest: TLS 1.2 and database protection.
- Data Subject Rights enforced: Customers can request access to their data or its deletion. All requests are addressed promptly, with responses provided within a 72-hour timeframe.
Availability Control
- Customer data is backed up on Azure storage.
- We engage Microsoft Defender, which provides vulnerability alerts for network devices.
- IDS/IPS enabled.
- Our public portals have SSL certificates issued by GoDaddy, Azure Managed Certificates, Databricks, etc.
- Antivirus and Antimalware are deployed through Intune, and Windows Defender ATP Antivirus policy is used.
Separation Control
- Databases are maintained separately for each customer; customer data is logically separated.
- Dev, Test, QA, and Production environments are available, and development and testing are done on synonymous data. Only the Production environment uses real-time customer data.
- Data is stored and backed up on Azure Cloud; no local storage is utilized.
- Our applications store data in the Azure SQL Database, which is certified by Microsoft to meet FIPS 140-2 level 1 compliance standards.
Privacy@spektrasystems.com is the point of contact for questions about our Data Privacy and Compliance practices.