GDPR, CCPA & Privacy

Protecting customer information is our highest priority. Haptik's platform, data privacy policies and processes comply with the provisions of the GDPR, CCPA, PDPA and other widely recognised privacy regulations.


Privacy in Every Process


Commitment to GDPR & CCPA

To earn our customers' trust, Haptik demonstrates a strong commitment to privacy, security, compliance and transparency. This includes compliance with the General Data Protection Regulation (GDPR), the EU's data protection law.


What is the GDPR?

The General Data Protection Regulation (GDPR) is an EU privacy law that came into effect on May 25, 2018. It sets out the rules and principles that organizations must follow when collecting, storing and transferring the personal data of individuals in the EU.


What is the CCPA?

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The CCPA gives consumers more control over the personal information that businesses collect about them and over how that information is used.


Privacy by design

Every feature and process at Haptik is designed with the user's privacy in mind. Whether for our customers or their end users, Haptik maintains end-to-end data protection and security across the data lifecycle.

Our Secure Development Lifecycle covers privacy requirements and ensures that every product manager and engineering manager considers the data collection, storage and retrieval needs of each feature being built or improved.


Stringent Go-Live Process

The Go-Live process is the process of deploying an integration or Intelligent Virtual Assistant (IVA) to the production environment.

Our information-security-driven Go-Live process verifies that user data is purged and masked as configured on the Haptik platform. Haptik applies extra diligence where an IVA involves Privacy & Data Protection features, consent requirements in chat, the collection of medical information, or a privacy notice.


Privacy for Data


Usage and protection of personal Data

Haptik customers that collect and store personal data are data controllers under the GDPR. Data controllers bear the primary responsibility for ensuring that their processing of personal data complies with the GDPR. Haptik is the data processor: the party that processes personal data on behalf of the data controller.

Haptik may use personal information in a variety of ways across our products and organization. We use this information to support our customers in their customer engagement and customer acquisition efforts, and to optimize end-user experiences on client websites. All the data we store and process is used only for the purpose of improving our customers' virtual assistants.


Data Masking

  • Some of our bots collect sensitive information from end users, such as PAN card numbers, policy numbers and passport numbers. Once used for processing, these entities are stored in the database in an anonymized form.
  • Entities are encrypted with AES-256 by default in our Analytics. The list of entities covered grows with the product roadmap.
  • During bot building, any other entity can be marked as personal; it is then detected and masked automatically. This gives the customer more control.
  • Some customers may choose not to enable masking, at their own risk. We recommend enabling it wherever possible.
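The list above describes three behaviours: built-in sensitive entities are detected and masked before storage, a customer can mark further entities as personal during bot building, and masking can be switched off per bot. The following is an added illustration of that masking step, written for this page; it is not Haptik's code and does not use the Haptik platform's APIs. The entity names, the regular expressions (a PAN-style pattern, a passport-style pattern, a policy-number pattern), the `BotPrivacyConfig` object and the keyed pseudonym are all assumptions made for the example. The keyed pseudonym is a stand-in for the AES-256 handling the page mentions: it lets Analytics correlate repeat occurrences of an entity without storing the raw value.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Hypothetical default entity patterns (not Haptik's). Real formats vary by
# issuer; these are deliberately simple so the example is easy to follow.
DEFAULT_PATTERNS = {
    "pan": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),     # e.g. ABCDE1234F
    "passport": re.compile(r"\b[A-Z][0-9]{7}\b"),        # e.g. Z1234567
    "policy_no": re.compile(r"\bPOL[0-9]{8}\b"),         # e.g. POL12345678
}

# Constructed demo key. In a real deployment this would come from a KMS and be
# rotated; it must never be checked into source control.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"


@dataclass
class BotPrivacyConfig:
    """Per-bot privacy settings: masking on/off and which entities count as personal."""
    masking_enabled: bool = True
    personal_entities: dict = field(default_factory=lambda: dict(DEFAULT_PATTERNS))

    def mark_as_personal(self, name: str, pattern: str) -> None:
        """Bot builders can add their own entity so it is detected and masked too."""
        self.personal_entities[name] = re.compile(pattern)


def mask(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` characters with '*' (a display-safe form)."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def pseudonym(entity_type: str, value: str) -> str:
    """Keyed hash of the raw value: stable for correlation, useless without the key."""
    msg = f"{entity_type}:{value}".encode()
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:16]


def redact_message(text: str, config: BotPrivacyConfig):
    """Return (text_to_store, entity_records) for one end-user message.

    If the customer has disabled masking, the message is stored as-is and no
    records are produced, which is the "at their own risk" case on the page.
    """
    if not config.masking_enabled:
        return text, []

    records = []
    stored = text
    # Detect against the original text so one entity is not re-matched by a
    # later pattern after it has already been masked.
    for name, pattern in config.personal_entities.items():
        for match in pattern.finditer(text):
            raw = match.group(0)
            records.append({"type": name, "token": pseudonym(name, raw), "masked": mask(raw)})
        stored = pattern.sub(lambda m: mask(m.group(0)), stored)
    return stored, records


if __name__ == "__main__":
    cfg = BotPrivacyConfig()
    # Constructed sample chat line, not real user data.
    sample = "My PAN is ABCDE1234F and passport Z1234567"
    print(redact_message(sample, cfg))
    cfg.mark_as_personal("order_id", r"\bORD-[0-9]{6}\b")
    print(redact_message("order ORD-123456 please", cfg))
```

The detection pass runs over the original message while substitution runs over the progressively masked copy, so a masked value cannot be picked up a second time by a later pattern. Adding an entity via `mark_as_personal` is the code-level equivalent of marking an entity as personal during bot building.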


International data transfers

Our deployments today span the US, India and Singapore. Our first preference is to onboard customers in the region where they and their customers are located. Where that is not possible, we ensure international data transfers are covered by the following controls:

  • End-to-end encryption in transit and encryption at rest at the storage layer
  • A Data Processing Addendum signed with the customer so that the transfer is lawful
  • Privacy consent within the flow of the IVA
  • Compliance with the basic requirements of the region of the customer and end users, verified during onboarding


Haptik Internal Programs


Individual’s privacy rights and consent

Whether it is our own end users, our customers or our customers' end users, every individual has privacy rights with Haptik. Consent is critical, and it is built into our systems and capabilities so that we and our customers can apply it in the way needed to comply.

  • Subject Access Requests (SARs) for users of our own websites, and support for our customers in handling requests they receive, are available out of the box.
  • Privacy consent can be built into the flow of the IVA, informing our customers' end users how the data they enter will be processed and where.


DPO

We have appointed a Data Protection Officer (DPO) to handle day-to-day data privacy processes and complaints and to make sure user data is stored and handled securely. Internal and external audits are all managed by our DPO.


Stringent Access Control

Access control is taken very seriously at Haptik: access is granted only on a need-to-know basis. From our platform to our internal tools, everything has RBAC enabled and privileged access is restricted.

  • For the Haptik platform, permissions are managed as described at https://docs.haptik.ai/admin-tools/permission-management
  • For infrastructure, cloud and systems, obtaining access involves multiple layers. We have a full access-control ticket flow built on JIRA to track and approve requests and to give full visibility into everyone's access to tools.
  • We perform monthly access reconciliation to ensure that no one holds the wrong level of permissions. This is carried out by the individual teams together with the central Infosec team at Haptik.


Detailed analysis & DPIA: We commit to carrying out Data Protection Impact Assessments to ensure proper treatment of data, in consultation with regulators where appropriate

Staff training: Monthly, quarterly and yearly training for our employees on how to handle data and maintain its confidentiality, integrity and availability. For new employees, this is part of their first sessions with the Infosec and Human Resources teams.

Quarterly GDPR, CCPA, PDPA & Privacy Internal Audit: The Infosec team and other business teams conduct internal privacy audits to find as many gaps as possible so that we can improve our security posture.