Flocklink Data Processor Privacy Policy

Last Updated: 1 January 2025

1. Introduction

1.1 Purpose

This Privacy Policy describes how Flocklink, as a data processor, collects, uses, and protects personal data on behalf of our clients (data controllers). We are committed to complying with the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.

1.2 Scope

This policy applies to all personal data processed by Flocklink under the documented instructions of our data controllers.

2. Data Processing Principles

2.1 Lawfulness, Fairness, and Transparency

Flocklink processes personal data lawfully, fairly, and transparently, acting in accordance with the documented instructions outlined in our Data Processing Agreement (DPA), which includes our standard processing activities and default instruction set. We ensure that all processing activities align with GDPR and the UK Data Protection Act 2018.

2.2 Purpose Limitation

Personal data is processed only for the specific, explicit, and legitimate purposes outlined in the DPA.

2.3 Data Minimization

We process only the personal data necessary for the specified purposes, minimizing data collection and retention as instructed by the data controller.

2.4 Accuracy

We maintain the accuracy of personal data and promptly rectify inaccuracies as instructed by the data controller.

2.5 Storage Limitation

Personal data is retained only for the duration specified by the data controller, adhering to agreed-upon retention policies.

2.6 Integrity and Confidentiality (Security)

We implement appropriate technical and organisational measures to ensure the security, integrity, and confidentiality of personal data, including:

  • AWS WAF and SSL/TLS encryption
  • Regular vulnerability scans and penetration tests
  • Secure data storage and transmission
  • Automated deployment pipelines
  • Robust logging and monitoring
  • Data encryption at rest and in transit

3. Data Subject Rights

3.1 Facilitating Data Subject Rights

We assist data controllers in fulfilling their obligations regarding data subject rights, including:

  • Access, rectification, erasure, restriction of processing, data portability, and objection
  • Direct access and control via our mobile application and other communication channels
  • Robust verification and authentication procedures

3.2 Multi-Channel Request Handling

We provide multiple communication channels (mobile app, email, phone) for data subjects to exercise their rights, with all requests logged and tracked.

4. Data Security and Breach Management

4.1 Security Measures

We implement robust security measures, including those detailed in section 2.6.

4.2 Data Breach Response

We have a dedicated Incident Response Team (IRT) and a clear data breach response plan, including:

  • Rapid initial assessment
  • 72-hour reporting to supervisory authorities
  • Notification to affected individuals (if high risk)
  • Documentation and remediation
  • Forensic readiness plan for digital evidence preservation

4.3 Continuous Monitoring and Detection

We employ SIEM, IDS/IPS, and log monitoring tools, alongside regular vulnerability scans and penetration testing.

5. Sub-Processors and Third-Party Services

5.1 Due Diligence

We conduct thorough due diligence on sub-processors and third-party service providers, ensuring they comply with GDPR and the UK Data Protection Act 2018.

5.2 Contractual Agreements

We establish contractual agreements with sub-processors and third-party service providers, outlining their data protection obligations.

5.3 Reputable Vendors

We utilise reputable third-party services (e.g., Google, Stripe) that adhere to industry-recognised security and privacy standards.

6. Data Transfers

6.1 International Transfers

We implement appropriate safeguards for international data transfers, such as Standard Contractual Clauses (SCCs) or adequacy decisions.

7. Data Retention

7.1 Data Retention Policies

We adhere to data retention policies as instructed by the data controller.

8. Training and Awareness

8.1 Employee Training

We provide regular training to employees on data protection principles, procedures, and best practices.

9. Audits and Compliance

9.1 Regular Reviews

We conduct regular reviews of our data protection policies and procedures to ensure ongoing compliance.

9.2 Cooperation

We cooperate with supervisory authorities and data controllers in audits and investigations.

10. Business Continuity and Disaster Recovery

10.1 BC/DR Measures

We maintain business continuity and disaster recovery plans to ensure data availability and minimise disruptions.

11. Policy Review and Updates

11.1 Policy Review

This policy is reviewed and updated annually or as needed to reflect changes in legislation and best practices.

12. Contact Information

12.1 Contact Details

Company Number: 14472223
Henleaze House Business Centre
13 Harbury Road
Bristol, England, BS9 4PN
Web: www.flocklink.net
Email: [email protected]