Customer Data Protection

We take terms and policies seriously and we value transparency.
Updated as of September 21, 2023

This Customer Data Protection Policy (“Policy”) is incorporated into and is subject to the terms and conditions of the agreement for the supply of goods and/or services (the “Agreement”) between Wenco International Mining Systems Ltd. (together with its Affiliates, “Wenco”) and the customer entity that is a party to the Agreement (“Customer”).

1. Definitions

Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity. The term “control” and correlative terms means ownership, directly or indirectly, of more than fifty (50%) of the voting stock or partnership interests of the controlled entity;

Applicable Law” means all present and future laws, statutes, ordinances, regulations, judgement, orders, rules, directions of any court or governmental authority that are enforceable in Canada, and includes Applicable Privacy Law;

Applicable Privacy Law” means all data protection laws and regulations applicable to a party’s processing of Customer Data under the Agreement.

Confidentiality” means that Customer Data is protected against unauthorized disclosure;

Customer” means any individual, firm, partnership, company or organization or any other undertaking, which orders or receives from the Wenco any services pursuant to the Agreement.

Customer Account Data” means data that relates to Customer’s relationship with, including the names or Contact Information of individuals authorized by Customer to access Customer’s account, and billing information of individuals that Customer has associated with its account. Customer Account Data includes any Personal Information Wenco may need to collect for the purpose of identity verification, or as part of its legal obligation.

Customer Data” means any data, in whatever form, which is held on, entered into, processed by, or retrievable from computer, communication or other systems or equipment of the Customer and data processed by the Customer in providing services to its customers. This data encompasses various types of information voluntarily provided by Customers or collected through their engagement with Wenco's products, services, or digital platforms. It includes, but is not limited to:

  • (a) data used to identify the source and destination of a communication, such as (i individual data subjects’ Contact Information, data on the location of the device generated in the context of providing the Services, and the date, time, duration and the type of communication and (ii) activity logs used to identify the source of Service requests, optimize and maintain performance of the Services, and investigate and prevent system abuse;
  • (b) demographic information
  • (c) transactional data,
  • (d) usage data,
  • (e) feedback and support data,

Customer Data also includes Customer Account Data, Personal Information, Personal Health Information and Proprietary Information, as defined in this Policy

“Confidentiality Agreement” means a standard agreement between the Wenco and its Personnel, signed as part of the Wenco’s operating procedures, requiring that the Personnel comply with the confidentiality obligations, in a manner which is intended to ensure compliance by the Wenco and its Personnel under this Policy;

Conflicting Foreign Order” means any order, subpoena, directive, ruling, judgment, injunction, award or decree, decision, request or other requirement issued from a foreign court, agency of a foreign state or other authority outside Canada or any foreign legislation the compliance with which would or could potentially breach Applicable Privacy Law;

“Contact Information” means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address and business email of the individual;

Excluded Information” or “Excluded Records” means information, documents or recorded information that (a) relate solely to the Wenco’s internal administration, finances, management, or employment matters, unless they contain Personal Information about an individual other than Personnel or other third parties with whom the Wenco has dealings unrelated to the subject matter of the Agreement; or (b) Customer confirms in writing are excluded from the application of this Policy;

Integrity” means ensuring the correctness (intactness) of data and the correct functioning of systems. When the term integrity is used in connection with the term "data", it expresses that the data is complete and unchanged;

“Material Breach” means non-compliance by the Wenco to take reasonable steps to cure any material contravention of this Policy to the satisfaction of Customer within 30 days after written notice is given to the Wenco describing the breach in reasonable detail or otherwise within 30 days of the Wenco becoming aware of the breach;

Permitted Purpose” means access to Records or Customer Data that is necessary for provision of the Services;

Personal Health Information” means personal health information about an individual as defined by Applicable Privacy Law;

Personal Information” means recorded information about an identifiable individual, excluding Contact Information and Excluded Information, that is collected or created by the Wenco or otherwise obtained or held by or accessible to the Wenco as a result of the Agreement or any previous agreement between Customer and the Wenco dealing with the same subject matter as the Agreement, and specifically includes Personal Health Information. Please see Wenco’s Privacy Policy for more information;

Personnel” means any employees, officers, directors, contractors, subcontractors, associates, representatives or other persons engaged by the Wenco for the purposes of fulfilling the Wenco’s obligations under the Agreement;

Privacy Policy" means Wenco's then-current privacy policy available at: https://www.wencomine.com/privacy-policy

Processing” (and “process”) means any operation or set of operations performed on Customer Data or on sets of Customer Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Proprietary Information” means all information and know how, whether or not in writing or other tangible or electronic form, concerning the business or financial affairs, including but not limited to all (i) inventions, discoveries, improvements and trade secrets, (ii) products and services and all plans, service levels, specifications and concepts for products and services, (iii) business plans, business and systems processes, methods, techniques, specifications and formulas, (iv) research and development projects and data, (v) financial and marketing data and information, (vi) information about customers and prospective customers, including contractual terms, customer specifications and the identity of and relationships with customer employees, (vii) names and other data relating to Customer employees, consultants, suppliers and prospective employees, consultants and suppliers, (viii) computer data, reports, computer programs, source codes, object codes, manuals, tapes, listings, specifications, test results, programming sequences, application programming interfaces, screen designs and formats and user interfaces, algorithms, flow charts, program formats, user documentation and operating processes, and (ix) trade names, copyrights and other intellectual property rights, whether developed or invented by Customer or others, and whether patentable, copyrightable or not.

Record” includes books, documents, maps, drawings, photographs, letters, vouchers, papers and any other thing on which Customer Data is recorded or stored by graphic, electronic, mechanical or other means which are collected or produced by the Wenco in the course of delivering Services or otherwise performing its obligations under the Agreement but does not include Excluded Records.

Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by Wenco.

“Services” means the products and services provided by Wenco or its Affiliates, as applicable, that are (a) used by Customer, including, without limitation, products and services that are on a trial basis or otherwise free of charge; or (b) ordered by Customer under the Agreement or a purchase order form.

“Third-party service provider” means any processor engaged by Wenco or its Affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this Policy. Third-party service providers may include third parties or Affiliates of Wenco but shall exclude Wenco employees, contractors, or consultants.

Wenco Network” means Wenco’s data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are within Wenco’s control and are used to provide the Services.

2. Purpose and Scope

  • 2.1 Wenco acknowledges that the Customer Data is valuable and requires adequate protection. The purpose of this Policy is to establish measures to ensure the Confidentiality, Integrity, and availability of Customer Data throughout its lifecycle.

3. Data Usage and Restrictions

  • 3.1 The subject matter of processing Customer Data by Wenco is the performance of the Services pursuant to the Agreement. Wenco shall only process Customer Data for the following purposes:
  • (i) processing in accordance with the Agreement;
  • (ii) processing initiated by end users in their use of the Services;
  • (iii) processing to comply with other documented, reasonable instructions provided by Customers (ex. via email) where such instructions are consistent with the Agreement.
  • 3.2 Wenco shall not:
  • (i) process, retain, use, sell, or disclose Customer Data except as necessary to provide Services pursuant to the Agreement, as required to comply with regulatory requirements, or as required by law;
  • (ii) sell such Customer Data to any third party;
  • (iii) retain, use, or disclose such Customer Data outside of the business relationship between Wenco and Customer. Wenco shall only use the Customer Data for the purposes specified in the Agreement or as otherwise agreed upon in writing by the Customer.
  • 3.3 Wenco shall not disclose the Customer Data to any third party without the prior written consent of the Customer, except where required by law or as otherwise specified in the Agreement or any other document between Wenco and Customer. In addition, Wenco shall not use Customer Data to develop or market any product or service that could directly identify or re-identify individuals.
  • 3.4 For the avoidance of doubt, processing, using, or disclosing of Customer Data shall comply with all requirements under NDAs, agreements and applicable laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data.

4. Security Safeguards

  • 4.1 Wenco has implemented and will maintain the appropriate technical, organizational, and administrative measures to protect the Confidentiality, Integrity, and availability of Customer Data for the Wenco Network as described herein this Section 4 and as further described in Appendix 2 to this Policy, Security Standards. In particular, Wenco has implemented and will maintain the following technical and organizational measures that address the (i) security of the Wenco Network; (ii) physical security of the facilities; (iii) controls around Personnel access to (i) and/or (ii); and (iv) processes for testing, assessing and evaluating the effectiveness of technical and organizational measures implemented by Wenco.
  • 4.2 Wenco shall implement these measures shall be commensurate with the sensitivity of the Customer Data and the risks associated with its processing. Wenco shall ensure that its Personnel involved in processing the Customer Data are bound by Confidentiality obligations. Wenco shall promptly notify the Customer of any known or suspected unauthorized access, disclosure, or loss of the Customer Data.

5. Control of and Rights in the Record(s) and Consent

  • 5.1 The Parties acknowledge and agree that as between Customer and the Wenco:
  • a. All right, title, interest and control in and to all Records shall remain with Customer. No proprietary right or other interest respecting the Records, other than as expressly set out herein, is granted to Wenco under this Policy or the Agreement, by implication or otherwise. Wenco is granted temporary access to the Customer Data and Records on the terms and conditions of this Policy, for the sole and express purpose of performing the Services and for no other use or purpose. Where the Wenco provides Services under contract with one or more other parties in which such other parties also assert control over the same or overlapping Records, Customer will work with such other parties to resolve each other’s rights and obligations with respect to such Records and Wenco will not be considered to be in breach of this Policy by reason of its inability to provide unfettered control over the Records to Customer.
  • b. It is the responsibility of Customer to identify and have directly or indirectly obtained any consent from, or given any notice to, individuals or entities as required under other agreements or applicable laws, for Wenco’s collection, use, processing, sharing, disclosure, storage, security, destruction, management or administration of Customer Data.

6. Collection, Use & Disclosure of Customer Data

  • 6.1 Wenco will only collect, use and disclose Customer Data as necessary for the performance of the Services or as otherwise authorized by Customer in writing or required or authorized by Applicable Law.
  • 6.2 Wenco will ensure that neither it nor its Personnel collects, creates, copies, reproduces, uses, stores, discloses or provides access to any Customer Data except in compliance with this Policy and NDAs or any agreement between parties and for purposes directly related to or necessary for the performance of the Services or as otherwise required by Applicable Law.
  • 6.3 Wenco will not disclose Customer Data to any government or any other third party, except as necessary to comply with the Applicable Law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). In the event Wenco is legally required to disclose Customer Data, to the extent permitted, Wenco will endeavor to provide Customer with reasonable notice of the demand via email or postal mail to allow Customer to seek a protective order or other appropriate remedy.

7. Aggregate and De-Identified Data

Notwithstanding the provisions of this Policy, Wenco retains the right to use and disclose aggregated and De-Identified Data in any manner. “De-Identified Data” means information (or any portion thereof) that has been the subject of reasonable efforts to de-identify, aggregate and/or anonymize such data with the result that no individual, entity or particular Record can be identified.

8. Access by Personnel

8.1 Wenco will ensure that its Personnel are granted access to the Customer Data only where such access is necessary for the performance of the Services, and subject to the following terms:

  • a. Prior to access, Wenco has entered into its standard Confidentiality Agreement with its Personnel, or the Personnel have expressly agreed to comply with the Wenco’s internal documents acknowledging the obligations of protecting Customer Data pursuant to its standard form Policy, any other related policies, related agreements and Applicable Law;
  • b. Wenco will revoke the access rights of any person who engages in the unauthorized collection, use or disclosure of Customer Data or otherwise breaches their obligations of confidentiality or Applicable Law; and
  • c. Wenco will ensure Personnel with access to Customer Data are familiar and comply with the obligations of Wenco under the Policy, related policies, agreements and Applicable Law.

9. Access and Storage Outside of Canada

Customer hereby acknowledges and consents that Customer Data and Records may be collected, used, processed, shared, disclosed, stored, secured, destroyed, managed or administered from outside of Canada by the Wenco using cloud computing of other information technology infrastructure selected by the Wenco and managed using third parties, and that Customer has provided all required notices and information and/or obtained all required consents and approvals for such collection, use, processing, sharing, disclosure, storage, security, destruction, management and administration outside of Canada.

10. Transfer to Third Party Service Providers

10.1 Authorized Third Party Service Providers. Customer agrees that Wenco may use third-party service providers to fulfil its contractual obligations under the Agreement and this Policy or to provide certain services on its behalf, such as providing support services. Customer hereby consents to Wenco’s use of Third-party service provider as described in this Section 10 and as further described in Appendix 2 to this Policy.

10.2 Third-party service provider Obligations. Where Wenco uses any authorized third-party service provider as described in Section 10.1:

  • a. Wenco will restrict the third-party service provider’s access to Customer Data only to what is necessary to maintain the Services or to provide the Services to Customer and any end users in accordance with the terms of the Service. Wenco will prohibit the third-party service provider from accessing Customer Data for any other purpose;
  • b. Wenco will enter into a written agreement with the third-party service provider and, to the extent that the third-party service provider is performing the same data processing services that are being provided by Wenco under this Policy, Wenco will impose on the third-party service provider substantially similar obligations that Wenco has under this Policy; and
  • c. Wenco will remain responsible for its compliance with the obligations of this Policy and for any acts or omissions of the third-party service provider that cause Wenco to breach any of Wenco’s obligations under this Policy.

11. Security Incident

11.1 Security Incident. If Wenco becomes aware of a Security Incident, Wenco will without undue delay: (a) notify Customer of the Security Incident; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

11.2 Wenco Assistance. To assist Customer in relation to any data breach notifications Customer is required to make under Applicable Laws, policies, or agreement, Wenco will include in the notification such information about the Security Incident as Wenco is reasonably able to disclose to Customer, taking into account the nature of the Services, the information available to Wenco, and any restrictions on disclosing the information, such as confidentiality.

11.3 Failed Security Incidents. Customer agrees that a failed Security Incident will not be subject to the terms of this Policy. A failed Security Incident is one that results in no unauthorized access to Customer Data or to any of Wenco’s Network, equipment, or facilities storing Customer Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful login attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

11.4 Notification. Notification of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Wenco selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate Contact Information on the Wenco management console and secure transmission at all times.

11.5 Corrective Action. Wenco will cooperate with Customer in preventing the occurrence or recurrence of any breach of this Policy, Agreement, or Applicable Law, including, if requested to do so: by preparing a written proposal to address or prevent further occurrences within the Wenco’s systems.

12. Notice of Demands for Disclosure

If  Wenco or anyone to whom  Wenco transmits Customer Data pursuant to a Permitted Purpose becomes legally compelled or otherwise receives a demand to disclose Customer Data other than permitted by Applicable Laws, including without limitation pursuant to any Conflicting Foreign Order, unless prohibited by law,  Wenco will not do so unless and until: (i) Customer has been notified of such requirement; (ii) the party compelling disclosure has appeared before a Canadian Court; and (iii) the Canadian Court has ordered the disclosure.  Wenco is responsible for ensuring that it obtains the obligations with its Personnel or such other third parties to whom it may grant access to Customer Data as may be necessary to enable it to comply with the provisions of this Section. Nothing in this Policy will be interpreted or construed to prohibit Wenco from complying with any valid court order made under the Applicable Laws.

13. No Acknowledgement of Fault by Wenco

Wenco’s obligation to report or respond to a Security Incident under this Policy is not and will not be construed as an acknowledgement by Wenco of any fault or liability of Wenco with respect to the Security Incident.

14. Customer Rights

14.1 Independent Determination
Customer is responsible for reviewing the information made available by Wenco relating to data security and its security standards and making an independent determination as to whether the Services meets Customer’s requirements and legal obligations as well as Customer’s obligations under this Policy. The information made available is intended to assist Customer in complying with Customer’s obligations under Applicable Laws. Customer agrees that the Services and the Security Standards implemented and maintained by Wenco provide a level of security appropriate to the risk to Customer Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Data as well as the risks to individuals).

14.2 Audit and Compliance.
a. The Customer reserves the rright to audit Wenco's compliance with the provisions of this Policy. Such audits shall be conducted in a manner that minimizes disruption to the Wenco's operations and preserves the confidentiality of other customers' data.
b. Wenco shall reasonably cooperate with the Customer's audit requests and provide all necessary information and assistance to demonstrate compliance with this Policy.

15. Termination of the Policy

This Policy will continue in force until the termination of our processing in accordance with the Agreement (the “Termination Date”).

16. Return or Deletion of Customer Data

16.1 Except as otherwise specified in the Agreement, Wenco will retain the Customer Data and Records for as long as required to engage in the uses described in this Policy, unless a longer retention period is required by Applicable Law.

16.2 As described in the Services, the Customer may request to return or deletion of Customer Data or Records at Customer’s expense. Customer hereby acknowledges and accepts the functionality of the Services and the data retention and deletion applications as made available by Wenco, which may impact Customer Data. Wenco will enable Customer to delete Customer Data during the term of the Agreement in a manner consistent with the functionality of the Services, terms of the Services and this Policy.

16.3 Upon termination or expiration of the Agreement, or upon the written request of Customer As described in the Services, the Customer may request to return or deletion of Customer Data or Records at Customer’s expense. Customer hereby acknowledges and accepts the functionality of the Services and the data retention and deletion applications as made available by Wenco, which may impact Customer Data. Wenco will enable Customer to delete Customer Data during the term of the Agreement in a manner consistent with the functionality of the Services, terms of the Services and this Policy.

16.4 Wenco will in a reasonable time upon request of the Customer: (i) return or deliver all Customer Data and Records, excluding back-up copies, to Customer; or (ii) destroy, according to Customer`s instructions, Customer Data or other Records, in any form or format whatsoever in Wenco’s possession, excluding back-up copies, if applicable.

16.5 After a request is made under this Section, Wenco will not retain any Records for any purpose without the prior written consent of the Customer, excluding back-up copies. If, for any reason, such as requirements under Applicable Law, Wenco fails to return or destroy any Customer Data or Record in accordance with this Section, Wenco’s obligations pursuant to this Policy will continue in full force and effect.

17. Limitation of Liability

The liability of each party under this Policy will be subject to the exclusions and limitations of liability set out in the Agreement. Customer agrees that any regulatory penalties incurred by Wenco in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this Policy and any Applicable Laws will count towards and reduce Wenco’s liability under the Agreement as if it were liability to the Customer under the Agreement.

18. Entire Agreement; Conflict

This Policy supersedes and replaces all prior or contemporaneous representations, understandings, agreements, or communications between Customer and Wenco, whether written or verbal, regarding the subject matter of this Policy.  Except as amended by this Policy, the Agreement will remain in full force and effect.  Unless otherwise expressly provided in the Agreement, if a provision of this Policy is inconsistent or conflicts with a provision of the Agreement, the terms of this Policy will prevail and the conflicting or inconsistent provision in the Agreement will be inoperative to the extent of the conflict.

19. Amendments

If an amendment is required to this Policy in order to comply with the Applicable Laws or any requirements stipulated by the other agreements or policies, Wenco reserves the right to amend this Policy from time to time, and it is presumed that the Customer will adhere to and comply with the amendments.

20. Privacy Officer

Any questions regarding this Policy may be sent to Wenco’s Privacy Officer at privacy@wencomine.com

21. General

21.1 The parties acknowledge and agree that either party may disclose the Agreement or portions thereof as may be required pursuant to Applicable Law.

21.2 If a provision of this Policy or the Agreement conflicts with a requirement of Applicable Law, the conflicting provision of the Agreement (or direction) will be inoperative to the extent of the conflict.

21.3 Wenco’s obligations under this Policy will continue despite the expiry or earlier termination of the Agreement until such time as the Customer Data and Records are returned to Customer or securely destroyed in accordance with this Policy.

Appendix 1

DETAILS OF THE PROCESSING

1. Nature and Purpose of Processing. Wenco will Process Customer Data as necessary to perform the Services pursuant to the Agreement and as further instructed by Customer throughout its use of the Services.

2. Duration of Processing. Subject to this Policy, Wenco will process Customer Data during the effective date of the Agreement. Notwithstanding the foregoing, Wenco may retain Customer Data, or any portion of it, if required by Applicable Laws or regulation, provided that such Customer Data remains protected in accordance with the terms of this Policy and Applicable Laws.

3. Categories of Data Subjects. Customer may upload Customer Data in the course of its use of the Services, the extent to which is determined and controlled by Customer in its sole discretion, relating to the following categories of Data Subjects:

  • Customers: Individuals or entities who are customers of the Customer.
  • Employees: Employees or representatives of the Customer.
  • Suppliers: Individuals or entities who are suppliers or service providers to the Customer.
  • Partners: Individuals or entities who are partners or affiliates of the Customer
  • Other Business Contacts: Other individuals or entities with whom the Customer has a business relationship, such as Customer’s end users.

4. Categories of Customer Data. Customer may upload Customer Data in the course of its use of the Services, the type of and extent to which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Customer Data:

Contact Information: Names, job titles, work addresses, work phone numbers, work email addresses, and other similar business contact details.

Company information: Company names, company addresses, company phone numbers, company email addresses, and other similar company details.

Transactional data: Details of business transactions or interactions between the Customer and its customers, suppliers, partners, or other business contacts. This may include purchase history, order details, invoices, and other relevant transactional information.

Hardware and Operational Data: Device information, system logs, network data, software usage data, performance metrics.

Appendix 2

SECURITY STANDARDS

I.  Technical and Organizational Measures 
We are committed to protect our customers’ Customer Data.  Taking into account the best practices, the costs of implementation and the nature, scope, circumstances and purposes of processing as well as the different likelihood of occurrence and severity of the risk to the rights and freedoms of natural persons we take the following technical and organizational measures.  When selecting the measures, the Confidentiality, Integrity, availability and resilience of the systems are considered.

1. Confidentiality. We use a variety of physical and logical measures to protect the confidentiality of Customer Data. Those measures include: 

Physical Security

  • Physical access control systems in place (Badge access control, Security event monitoring etc.)
  • Surveillance systems including alarms and, as appropriate, CCTV monitoring
  • Clean desk policies and controls in place (locked cabinets, etc.)
  • Visitor Access Management
  • Destruction of data on physical media and documents (shredding, degaussing etc.)
  Access Control & Prevention of Unauthorized Access 
  • User access restrictions applied, and role-based access permissions provided/reviewed based on segregation of duties principle
  • Strong authentication and authorization methods (Multi-factor authentication, certificate based authorization, automatic deactivation/log-off etc. )
  • Centralized password management and strong/complex password policies (minimum length, complexity of characters, company provided password manager  etc.)
  • Controlled access to e-mails and the Internet
  • Anti-virus & malware detection and response management
  • Intrusion Detection and Prevention System management
Encryption   
  • Encryption of external and internal communication via strong cryptographic protocols
  • Encrypting personal data and sensitive data at rest (databases, shared directories etc.)
  • Full disk encryption for company PCs and laptops
  • Remote connections to the company networks are encrypted via VPN
  • Securing the lifecycle of encryption keys
Data Minimization
  • PII/SPI minimization in application and debuggingand security logs, if applicable
  • Pseudonymization of Personal Information to prevent directly identification of an individual, if applicable.
  • Segregation of data stored by function (test, staging, live), if applicable
  • Logical segregation of data by role-based access rights
Security Testing
  • Regular network and vulnerability scans

2. Integrity. Appropriate change and log management controls are in place, in addition to access controls to be able to maintain the Integrity of Customer Data such as:

Change & Release Management

  • Change and release management process including (impact analysis, approvals, testing, security reviews, staging, monitoring etc.)
  • Role & Function based (Segregation of Duties) access provisioning on production environments
Logging & Monitoring
  • Logging of access and changes on data
  • Centralized audit & security logs
  • Monitoring of the completeness and correctness of the transfer of data (end-to-end check)

3. Availability. We implement appropriate continuity and security measures to maintain the availability of its services and the data residing within those services:

  • Regular fail-over tests applied for critical services
  • Extensive performance/availability monitoring and reporting for critical systems
  • Incident response programme
  • Critical data either replicated or backed up (Cloud Backups/Hard Disks/Database replication etc.)
  • Planned software, infrastructure and security maintenance in place (Software updates, security patches etc.)
  • Redundant and resilient systems (server clusters, mirrored DBs, high availability setups etc.) located on off-site and/or geographically separated locations
  • Use of uninterruptible power supplies, fail redundant hardware and network systems
  • Alarm, security systems in place
  • Physical Protection measures in place for critical sites (surge protection, raised floors, cooling systems, fire and/or smoke detectors, fire suppression systems etc.)
  • DDOS protection to maintain availability
  • Load & Stress Testing

4. Data Processing. It refers to ensuring that Customer Data will only be processed in accordance with the Agreement and the related company measures. We have established internal privacy policies, agreements and conduct regular privacy trainings for employees to ensure Customer Data is processed in accordance with the Agreement and legal obligations.

  • Privacy and confidentiality terms in place within employee contracts
  • Data privacy and security trainings for employees
  • Appropriate contractual provisions to the agreements with sub-contractors to maintain instructional control rights
  • Privacy checks for external service providers
  • Providing customers control over their data processing preferences
  • Security audits

5. Retention Period. We follow generally accepted standards to store and protect the Customer Data we collect, both during transmission and once received and stored, including utilization of encryption where appropriate. We retain Customer Data for as long as required to engage in the uses described in this Policy, unless a longer retention period is required by Applicable Law. The criteria used to determine our retention periods include the following:

  • The length of time we have an ongoing relationship with customer and provide Services to customer (for example, for as long as customer have an account with us or keep using our Services);
  • Whether we have a legal obligation to keep the data (for example, certain laws require us to maintain records of your transactions for a certain period of time before we can delete them); or
  • Whether retention is advisable in light of our legal position (such as in regard to the enforcement of our agreements, the resolution of disputes, and applicable statutes of limitations, litigation, or regulatory investigation).

Appendix 3 - Wenco Third-Party Service Providers

Company Name

Country of Incorporation

Service Description

Categories of Data

Atlassian Cloud

United States of America

Atlassian Cloud services including JIRA, Confluence and Jira Service Management

 Employees, Contractors, Vendors, Customers user profiles including (name, email addresses)

Customer support cases.

Microsoft

United States of America

Azure Cloud Services, Office 365

Employees, Contractors, Vendors, Customers user profiles including (name, email addresses)

Wenco International Mining Systems Ltd.

Canada

Customer Data

Infrastructure & network traffic data sent over for troubleshooting and analysis for break/fix.