GDPR - What Crisco is doing

about it.

Crisco has always honored its users’ rights to data privacy and protection.

Over the years, we’ve demonstrated our commitment to this by consistently

exceeding industry standards. We have no need to collect and process users’

personal information beyond what is required for the functioning of our

products, and this will never change. We have a privacy-conscious culture

here and GDPR is an opportunity for us to strengthen this even further.

What is GDPR?

GDPR is an EU-wide privacy and data protection law that regulates how EU

residents' data is protected by companies and enhances the control the EU

residents have, over their personal data.

The GDPR is relevant to any globally operating company and not just the EU-

based businesses and EU residents. Our customers’ data is important

irrespective of where they are located, which is why we have implemented

GDPR controls as our baseline standard for all our operations worldwide.

GDPR has taken effect from 25th August 2021.

What is personal data?

Any data that relates to an identifiable or identified individual. GDPR covers a

broad spectrum of information that could be used on its own, or in combination

with other pieces of information, to identify a person. Personal data extends

beyond a person’s name or email address. Some examples include financial

information, political opinions, genetic data, biometric data, IP addresses,

physical address, sexual orientation, and ethnicity.

How prepared is Crisco for GDPR?

We have acted on many fronts to adhere to this new regulation.

 We have raised awareness across the organization through frequent

discussions in our internal channels, and trained employees to

handle data appropriately. They now understand the importance of

information security and the high standards set by GDPR.

 We have assessed all Crisco products, individually, against the

requirements of the GDPR and have implemented new features that

will give you more control over your data and ease your burden of

achieving GDPR compliance.

 We have constituted an Information Management Document(IMD),

which includes information on all the roles Crisco assumes, such as a

data controller and processor. It details on various categories of

personal data processed by our organization and which department

is getting access to which data and for what purpose. It has a

comprehensive coverage of all our processes and procedures.

 We have assessed our sub-processors (third party service providers,

partners) and streamlined the contract process with them to ensure

that they have addressed the pressing needs of the current security

and privacy world.

 We have appointed internal privacy champions for all our teams. We

have also appointed a Data Protection Auditor (DPA).

 Our application teams have embraced the concept of privacy by

design and have provided you more control over the data you store

in our systems. These provisions may vary based on a product’s

characteristics and domain. We constantly endeavour to provide you

with more enhancements, which shall be rolled out in phases.

 We have amended our Data Processing Addendum (based on Model

Contractual Clauses) to be compliant with the data processing

requirements of GDPR.

If you are the organization administrator and would like to sign a DPA

with us, please drop an email to legal@criscoconsulting.in to request a

copy of the Data Processing Addendum mentioning in which Data

Center you've signed up for your Crisco account.

 We conducted Data Protection Impact Assessments (DPIA). Based

on the results, we have put in place appropriate controls on data

processing and management.

 We conducted internal audits of our products, processes, operations,

and management. The findings were communicated to our teams,

who have worked out the solutions to the identified problems.

 Based on the DPIAs and internal audits, we have improved our data

security methods and processes. This includes encrypting data at

rest, based on the level of sensitivity and likelihood of risks. We have

developed in-house tools for better governance and discovery of

data.

 We have cleaned up our databases to ensure that we have only the

latest and most accurate information. This cleanup process includes

removing terminated and dormant accounts as per our Terms of

Service.

 When needed, breach notifications will be done according to our

internal Privacy Incident Response policy. Customers will be notified

of a breach within 72 hours after Crisco becomes aware of it. For

general incidents, we will notify users through our blogs, forums, and

social media. For incidents specific to an individual user or an

organization, we will notify the concerned party through email (using

their primary email address).

 We have revised our Privacy Policy to incorporate the requirements

of the applicable privacy laws based on our data inventory, data

flows, and data handling practices.