Skip Navigation
VWO Logo VWO Logo
Dashboard
Request Demo

Privacy at Wingify

Wingify believes privacy is a fundamental human right. We are committed to providing you with products, information, and controls that allow you to choose how information is processed, collected and used.

1. Protecting your information is our highest priority 

When you use Wingify’s VWO Services, then you trust its privacy will be protected and that it will only be used in a way that’s consistent with your expectations.

Our time-tested approach to privacy is grounded in our commitment to give you control over the collection, use, and distribution of your customer data. We are transparent about the specific policies, operational practices, and technologies that help ensure the privacy of your data in Wingify’s VWO Services.

2. Our commitment to GDPR

As part of our commitment to privacy, we made a number of investments and improvements to our data handling practices to support GDPR and the privacy rights of individuals. Learn more

3. Our commitment to CCPA

As part of our commitment to privacy, we made a number of investments and improvements to our data handling practices to support CCPA and the privacy rights of individuals. Learn more 

4. Built-in privacy

The Security Development Lifecycle (SDL) and Privacy Policy provide additional details on our development process and transparent approach to keeping your data private. 

Wingify Security Development Lifecycle (SDL): Privacy requirements are defined and integrated into the SDL, the software development process that helps developers build more secure products and services. The SDL consists of a set of practices that support security assurance and compliance requirements which help address data protection and privacy requirements including effective privacy reviews of each release of a Wingify product or service. The Wingify SDL introduces security and privacy considerations throughout all phases of the development process. 

VWO Privacy Policy puts our commitment in writing and details out Wingify’s data protection policies and practices in a clear & straightforward language.

5. Wingify’s contractual commitments back our privacy best practices

Wingify makes broad contractual commitments to business in our Terms and Conditions. Wingify will use customer data only to provide the services agreed upon, and for purposes compatible with providing those services. We do not use customer data or derive information from it for advertising.

Furthermore, we will not disclose the customer data process in Wingify services to a government agency, unless required by law. If law enforcement demands customer data, we will attempt to redirect the agency to request that data directly from the customer. If we are compelled to disclose customer data to law enforcement, we promptly notify the customer and provide a copy of the demand, unless legally prohibited from doing so.

6. Our Privacy Management Principles & Controls

As mentioned above in Our beliefs, we are committed to privacy and data protection of individuals and customers. This is especially important as technology progresses and privacy laws evolve. 

In support of the Security & Privacy by Design initiative, a volunteer effort created the Wingify Security & Privacy Management Principles. These Principles have a robust framework for building and maintaining secure systems, applications, and services that address cybersecurity and privacy consideration by default and by design.

Comparison between global privacy control frameworks was complicated to understand, what We did was identify a dozen of the leading privacy frameworks and created a set of comprehensive privacy management principles, Privacy Control Framework Principles which is a subset of Wingify Security & Privacy Management framework that is tailored for privacy and is intended to help us with designing, building and maintaining processes, systems, and applications that include both cybersecurity and privacy principles by default. The below-mentioned table clearly provides an understanding of how our Privacy Management Principles meet the control requirements for SOC 2, APEC, CCPA, EU GDPR, FIPPs, PIPEDA, GAPP, ISO 29100, NIST 800-53 Rev 4, etc.

We adopted these principles to guide our products, our processes, and our people in keeping our Customer’s and User’s information private, safe and secure. 

This will help us address multiple requirements since it brings a common integrated approach to privacy requirements like accountability, transparency & clarity. 

The sixty-four (64) principles of the Privacy Management Principle are organized into ten (10) domains. The table below depicts each privacy principle that We adhere to along with Wingify’s implementation status for each of them making sure you get meaningful choices about how and why the information is collected/processed and used, ensuring that you have all the information you need to make the choices that are right for you across our products and services.

6.1 Privacy by Design

Establish and maintain a comprehensive privacy program that ensures privacy considerations are addressed by design in the development of policies, standards, processes, systems, applications, projects and third-party contracts.

#

Principle Name

Privacy Management Principle  Description

Wingify Adherence Details

6.1.1

Assigned Responsibilities

Assign accountability through documented roles and responsibilities to qualified individuals for maintaining compliance with all applicable privacy requirements that involve appropriately monitoring and documenting the privacy program.

Wingify has appointed a Data Protection Officer and assigned responsibilities to liaise on matters of information security, data protection, compliance and overseeing the security and compliance of PII, Company IP, etc. for the Wingify which aligns with data protection by law and local law(s).

6.1.2

Policies, Standards & Procedures

Ensure appropriate policies, standards and procedures exist to operationalize the privacy program.

Wingify follows ISO 27001:2013 standard control framework as a baseline, cross-mapping control with BS 10012, ISO 27701, PCI DSS, CSA, SOC 2, GDPR, CCPA, HIPAA and certified with ISO 27001 and BS10012 standard.

Wingify has an integrated Information Security & Privacy management policy in place. Refer to this link https://wingify.com/information-security-policy for more details.   

6.1.3

Periodic Review

At planned intervals or after significant changes, policies, standards, and procedures are reviewed to ensure continuing suitability, adequacy, and effectiveness to meet the organization’s applicable statutory, regulatory and contractual needs.

Wingify has established the Corporate Security & Compliance Committee (CSCC) comprising of the workforce who are knowledgeable in legal cross-regulation, policy, product and IT  to ensure confidentiality, privacy, and security related as required by applicable law. The CSCC meets on a quarterly basis to discuss and review concerns that arise during the quarter. 

 Wingify runs Vulnerability Assessment Penetration Testing (VAPT) on an annual basis through a third-party service provider and performs quarterly security audits for all production environment systems.

6.1.4

Oversight

Provide oversight of privacy controls throughout the lifecycle of systems, applications, and services to ensure that in a timely manner, senior leaders with the organization are made aware of privacy-related risks that are not appropriately remediated.

As mentioned above #1.3, CSCC ensures that overall controls are in place. CSCC is headed by the  CEO and members from various departments.

6.1.5

Management Visibility

Provide performance metrics and trend analysis to enable management visibility and coordinate privacy efforts across the organization.

Yes, as mentioned in #1.1, DPO provides overall visibility to the CEO, Top, and Senior Management on a regular basis.  

6.1.6

Compliance

Oversee the execution of privacy controls with appropriate evidence of due care and due diligence, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions.

Yes, Wingify adheres to all applicable law(s) and regulatory and contractual controls are in place. Also, we don’t knowingly collect any personal information from children under the age of 13.

Refer to our  Privacy Policy for more details. 

6.1.7

Data Classification

Classify data according to the sensitivity and type of personal data as defined by appropriate statutory, regulatory and contractual contexts.

Wingify has a robust data & assets classification mechanism in place that ensures categorization in accordance with applicable law(s), regulatory & contractual requirements only. 

6.1.8

Registering Databases

Register applicable databases containing personal data with the appropriate Data Authority, when required.

Wingify has created Personal Data Inventory and Data Flow in accordance with all applicable law(s), regulatory requirements. We also maintain ROPA (Record of Processing Activities) as defined in Article 30 of GDPR. 

6.1.9

Resource Planning

Identify and plan for resources needed to operate a privacy program and include privacy requirements in solicitations for technology solutions and services.

Yes, Wingify implemented a robust Privacy Program which comprises DPO, Core privacy team, departmental level DPRs (data protection representatives) and facilitates regular training for them. 

6.1.10

Inventory of PI

Maintain an inventory of both the type of personal data and specific data elements, as well as the systems, applications, and processes that collect, create, use, disseminate, maintain, and/or disclose that personal data.

Yes, as mentioned above Wingify established and maintains the Personal Information Inventory & flow which covers the whole information lifecycle from entry to exit of information like collection, processing, storing, and deletion, and reviewed and updated on an annual basis.

6.1.11

Privacy Training

Provide recurring privacy awareness and training for all employees and contractors.

Yes, Wingify has established a robust privacy program which includes awareness and training program to all the workforce members.

Mandatory Privacy & Security Awareness training is provided to all workforce members on an annual basis. workforce members who access any system for processing, storing or transmitting personal information or sensitive information are formally trained in data handling requirements prior to being authorized to access the system. 

6.2 Data Subject Participation

Individuals are directly involved in the decision-making process regarding the fair and lawful processing of the individual’s personal data and, to the extent practicable, directly-engaged to receive explicit permission to use their personal data.

#

Principle Name

Privacy Management Principle  Description

Wingify Adherence Details

6.2.1

Clear Choices

Provide clear and conspicuous choices that enable an individual, or a person authorized by the individual, to permit or prohibit the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of the individual’s personal data. This is also referred to as the right to “opt-out.”

Refer to Privacy Policy which clearly mentions all privacy attributes and management practices in detail such as how we collect, process information, how to exercise data protection rights, retention, etc. 

Note: Wingify provides Services primarily intended for use by organizations. Where the VWO Services are made available to Users through an organization (such as your employer), that organization is responsible for administering the accounts over which it has control. If this is the case, please direct your information privacy and security questions and requests to your administrator. We are not responsible for the privacy and security practices of your administrator’s organization, which may be different than VWO policy. When our Customers use VWO Services as part of their own websites, apps, and services, they are responsible for their own privacy and security practices. 

6.2.2

Initial Consent

Prior to the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of the individual’s personal data, the knowledge and consent of the individual are required.

Yes, Wingify is committed to providing Services with information. controls and transparency that allows users to choose from opt-in or opt-out. We may ask for consent as a legal basis for information processing to collect, use and share personal information

 Refer to the section Legal basis for processing andNotice to Users of Our Customers and End Users of the Services of VWO  Privacy Policy for more details. 

6.2.3

Updated Consent

Based on changes to privacy practices that affect the parameters of an individual’s initial consent, the updated consent of the individual is required to continue the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of the individual’s personal data. This is also referred to as the right to “opt-out” at any time after the initial consent was provided.

Processing is based on your consent. Where we rely on Your consent You have the right to withdraw it anytime by sending a request to support@vwo.com with the word “Opt-out” or “UNSUBSCRIBE” in the subject field of the email.

Note: Even after You opt-out from receiving promotional messages from us, if You have any account for VWO Services, we will still send You non-promotional communications, like service-related emails.

6.2.4

Equal Service & Price

Implement business processes to protect the right of data subjects to equal service and price, even if they exercise their privacy rights.

Yes, as mentioned above in #1.6, Wingify is committed and adheres to all applicable law(s) relevant to Services and regulatory and contractual controls in place. Refer to the Privacy Policy for more details.

6.2.5

Prohibit The Sale of Personal Data

Provide a clear and conspicuous link on the organization’s Internet-based homepage, titled “Do Not Sell My Personal Information” that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal data.

We do not “sell” our customers’ personal information to anyone, meaning that we also do not rent, disclose, release, transfer, make available or otherwise communicate that personal information to a third party for monetary or other valuable consideration.

Refer to section Privacy Commitmentof VWO Privacy Policy for reference.

6.3 Limited Collection & Use

Ensure that the design of information collection is consistent with the intended use of the information, and the need for new information is balanced against any privacy risks.

#

Principle Name

Privacy Management Principle  Description

Wingify Adherence Details

6.3.1

Authority to Collect

Identify the authority given to collect, create, use, disseminate, maintain, and/or disclose an individual’s personal data. Document the authority in the organization’s privacy notice.

Yes, Refer to VWO Privacy Policy.

6.3.2

Data Minimization

Take steps to minimize the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of the individual’s personal data to what is directly relevant and necessary to accomplish a legally authorized purpose.

Yes, Wingify has established a Privacy Impact Assessment and Privacy Risk Treatment  (PIA & PRT) exercise which is conducted on an annual basis and validated by an external third party auditor. 

6.3.3

Internal Use

Restrict the internal use of personal data to the only authorized purpose(s) that are consistent with the stated privacy notice.

Wingify has adopted the least access privileges principles and role-based access provision across all the information systems, this is our by-design and by-default approach.

Wingify has Information Retention, Archive, and Retention /Disposal Policy and Procedure in place which is consistent with applicable laws and clearly defines ownership and accountability, access, use, storage location, etc.  of information and the same is validated by an external third-party auditor on an annual basis. 

6.4 Transparency

Provide a transparent notice to the public about privacy practices through a clear and conspicuous notice on all organizational websites, mobile applications, and other digital services regarding the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of personal data.

#

Principle

Name

Privacy Management Principle  Description

Wingify Adherence Details

6.4.1

Notice & Purpose Specification

Provide notice of the specific purpose(s) for which personal data is collected, created, used, disseminated, maintained, retained and/or disclosed.

As a controller, Wingify clearly mentions about information collection and its usage under its Privacy Policy. This policy is updated on an annual basis and the same is notified to all the individuals over the email.
As a processor, the controller (Customers)  is responsible for mentioning the information collection and uses purposes to its end-users or customers.

6.5 Data Lifecycle Management

Limit the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of personal data to that which is legally authorized, relevant, and deemed “reasonably necessary” for the proper performance of business functions.

#

Principle Name

Privacy Management Principle  Description

Wingify Adherence Details

6.5.1

Data Flow Mapping

Maintain a record of processing activities that document the flow of personal data that includes:

– Geographic locations and third-parties involved in the storage, transmission and/or processing of personal data;

– Contact details of the controller(s) involved in the storage, transmission and/or processing of personal data;

– The purposes of the storage, transmission, and processing;

– A description of the categories of data subjects and personal data;

– Where possible, the time limits for erasure of the different categories of data; and

– Where possible, a description of the cybersecurity and privacy measures of the data controller.

As mentioned above in section #1.8, Wingify has a robust Data Inventory and DataFlow document in place as per Article 30 requirements under EU GDPR and applicable laws.   

We also maintain the Network Architecture Diagram that contains details to assess the security of the networks, reflect the current state of network or information transmission.

6.5.2

Retention of Personal Information

Ensure that all records containing personal data are maintained in accordance with the organization’s records retention schedule and comply with applicable statutory, regulatory and contractual obligations.

As mentioned above, Wingify has maintained ROPA (Record of Processing Activities) and Information Retention, Archive, and Retention /Disposal Policy and Procedure are in place, which clearly define ownership & accountability, access, use, storage location etc  of information and the same is validated by external third-party auditor on an annual basis. This helps us adhere with all applicable laws.

6.5.3

Secure Destruction of Personal Information

Utilize secure methods to dispose of or destroy, both physical and digital media, that contains personal data.

Wingify Customer data is hosted in a secure cloud data center service provider and also logically segregated by the VWO application and already has a mechanism in place to De-identifying personal information.

And, Wingify follows NIST SP 800-88 Rev 1- Guidelines for Media Sanitization for PII Deletion / Disposal of Media. Refer to this link for more details.    

6.5.4

Geolocation Restrictions

Restrict the location of processing, storage and service locations to comply with the privacy notice, as well as applicable statutory, regulatory and contractual obligations.

As mentioned above, Wingify has established and maintains Data Flow Diagram for personal information processing and that clearly mentions the information storage and location. We store or process personal information about  Website visitors and Attendees within the United States and in other countries and territories to facilitate our global operations. Refer to this  Sub-Processor utilized by Wingify for Third-party processing, storage and service locations details. 

Personal Information may be processed outside of the EEA and in countries that are not subject to an adequacy decision by the European Commission. In this event, Wingify will ensure that the recipient of personal information offers an adequate level of protection, for instance by entering into standard contractual clauses for the transfer of data as approved by the European Commission Article 46 of the GDPR. 

6.5.5

Data Portability

Provide the functionality to export personal data in a structured, commonly-used and machine-readable format that can be transferred to another controller without hindrance.

  Wingify has taken all the necessary 

   and appropriate steps to protect 

   and respect data subject rights and 

   personal information.

   Wingify has a robust Data Subject  

   Access Request (DSAR) Procedure   

   and Process in place. We will 

   provide information in a structured, 

   commonly-used electronic format  

   after submission of such requests by email to  

   support@vwo.com.  

   Note:We may request specific 

  information from you to help us 

  confirm your identity and process 

  your request.

6.5.6

Record of Disclosures

Develop and maintain an account of personal data disclosures, that upon request, can be made available to the individual whose personal data was disclosed.

Wingify keeps  accurate information held in each system of records under its control including date, nature and purpose of information of record, name and address of the person or agency to which the disclosure was made. 

Retaining the accounting of disclosures for the life of the record or as per applicable data protection laws. And makes the accounting of disclosures available to the person named in the record upon request by data protection authority or applicable. 

6.5.7

Integrity Protections

Maintain the accuracy and relevance of personal data across the information lifecycle as personal data is collected, created, used, disseminated, maintained, retained and/or disclosed.

Yes,Wingify confirms to the greatest extent practicable upon collection or creation of personal information lifecycle , the accuracy, relevance ,timeliness and completeness of that information. Collects personal information directly from the individual to the greatest extent practicable. And additionally  Wingify revalidated collected information via sending email for VWO Services account creation. 

6.5.8

De-Identification

Process personal data in such a manner that it is not attributable to a data subject through technical or organizational measures (e.g., anonymization, pseudonymization or data minimization).

Wingify Customer data is hosted in a secure cloud data center service provider and also logically segregated by the VWO application and already a mechanism in place to De-identifying personal information. And following measures in place:

i. VWO Services does not collect nor does it require any sensitive information  by default, for its functioning.

ii. VWO Services has also adopted a method where the UUID stored on the client-side is pseudonymized by using a one-way hash before storing on its servers.

iii. Any IP address intended to be stored is stored with anonymization of at least the last octet (configurable by a user up to complete anonymization).

Refer to VWO Privacy Center for more details.

6.5.9

Quality Management

Maintain quality assurances throughout the information lifecycle with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual.

As mentioned above section #5.7, Wingify have proper internal guidelines which ensures and maximizing the quality, utility, objectivity and integrity of disseminated information. 

6.5.10

Flaw Remediation with Personal Information

Identify and correct flaws related to personal data as it is collected, created, used, disseminated, maintained, retained and/or disclosed.

Wingify have following measures and process in place:

i. Technical Vulnerabilities program in place.

ii. Software Development LifeCycle process in place which includes not limited to system change control procedure, technical and  security review of application after any release or platform, robust information security & privacy weakness program in place (Responsible Disclosure Policy) etc.  

6.6 Data Subject Rights

Provide individuals with appropriate access to personal data.

#

Principal Name

Privacy Management Principle  Description

Wingify Adherence Details

6.6.1

Inquiry Management

Maintain a capability to receive and respond to privacy-related requests, complaints, concerns or questions from individuals.

  Wingify have taken all necessary 

   and appropriate steps to protect 

   and respects data subject rights and 

   personal information.

   Wingify have robust Data Subject  

   Access Request (DSAR) Procedure   

   and Process in place. We will   

   provide information about our 

   processing of Customer personal 

   information and give them access to 

   personal information. Customer can 

   submit these requests by email to 

   support@vwo.com

   Note:We may request specific 

   information from you to help us 

  confirm your identity and process 

  your request. 

6.6.2

Updating Personal Information

Provide individuals with appropriate opportunity to correct or amend their personal data.

As a  controller, Wingify provides Right To Rectification under which data-subject has the right to rectification of inaccurate personal information concerning you, including completion of incomplete personal information. Contact Wingify at support@vwo.com  for any questions or to update your information.

As a processor, upon instruction by the Controller, Wingify  shall correct, rectify, or block Personal Information. Any request from a data subject directly to the Processor shall be directed to the Controller.

6.6.3

Redress

Provide individuals with appropriate opportunity to challenge the organization’s compliance with its privacy principles.

As a controller, Wingify provides Rights To Object that provides the data-subjects  right to object at any time to our processing of personal information concerning you. For example, if you have requested to receive information from us, e.g., newsletters, but do not wish to receive further information, you can easily opt out of receiving further information from us. Contact Wingify at support@vwo.com  for any questions or to update your information.

As a processor, upon instruction by the Controller, Wingify  shall correct, rectify, or block Personal Information. Any request from a data subject directly to the Processor shall be directed to the Controller.

6.6.4

Notice of Correction or Amendment

Notify affected individuals when their personal data is corrected or amended                 

  We will provide information about our

   processing of your personal 

   information and give you access to 

   your personal information. You can 

   submit these requests by email to 

   support@vwo.com

We may request specific information from you to help us confirm your identity and process your request.

6.6.5

Appeal

Provide individuals with appropriate opportunity to appeal an adverse decision to have incorrect personal data amended.

Yes, You can submit these requests by email to support@vwo.com

6.6.6

Right to Erasure

Provide individuals with appropriate opportunity to request the deletion of personal data where it is used, disseminated, maintained, retained and/or disclosed, including where the personal data is stored or processed by third-parties.

As a  controller, VWO provides Right To Erasure. Under certain circumstances, you have the right to the erasure of personal information concerning you. Contact Wingify at support@vwo.com  for any questions or to update your information.

As a processor, upon instruction by the Controller, VWO shall correct, rectify, or block Personal Information. Any request from a data subject directly to the Processor shall be directed to the Controller.

6.7 Security by Design

Establish administrative, technical, and physical safeguards to protect personal data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination.

#

Principle Name

Privacy Management Principle  Description

Wingify Adherence Details

6.7.1

Cybersecurity Considerations

Incorporate privacy requirements into enterprise architecture to ensure that risk is addressed so that the systems, applications and services achieve the necessary levels of trustworthiness, protection, and resilience.

We back ourselves up with robust information security and privacy practices that form an integral part of our product engineering and services principles and  follow security by design principles.

We have a top-down governance and security in our DNA that lets us constantly wade through our threat vectors and calibrate to strengthen our security posture. That way, we align to the changing business and technology landscape. Following necessary measures are in place:

i. Secure Engineering Principles guidelines.

ii. Robust Software Development Life Cycle procedure and process is in place which includes security and privacy by design  practices in the specification, design, development, implementation, and modification phases of systems and services. 

6.7.2

Cryptographic Protections

Ensure personal data is encrypted both at rest and in transit.

Wingify has implemented best practices cryptographic protection controls using  trusted cryptographic technologies.

i. All data flow (in transit) in data pipelines  is encrypted using a secure channel like TLS1.2.

ii.Data at rest is encrypted using AES 256 standards (one of the strongest block ciphers available).

6.7.3

Physical Protections

Ensure physical security and environmental controls to provide appropriate protection for environments where personal data is stored, transmitted and/or processed.

Wingify  data centers are hosted in some of the most secure facilities available today in locations that are protected from physical and logical attacks as well as from natural disasters, such as earthquakes, fires, and floods.

Physical security measures for these data centers include intrusion protection measures and security guards. We rely on third-party attestations of their physical security. Within our office premises, we employ a number of best industry-standard physical security controls.

6.7.4

Embedded Technology

Facilitate the secure implementation of embedded technologies so that the sensors minimize the collection of personal data and alert individuals to the personal data collected by those sensors.

This is not applicable as of now.

6.7.5

Retire Outdated Systems

Upgrade, replace, or retire any system, application or service for which appropriate protections, commensurate with risk, cannot be effectively implemented.

Wingify has a mechanism in place for all EUC (End User Computing) and all EUC replacement is done before the prescribed end of life, that is within 3 years.

We also have an intelligence defence mechanism in place (Carbon Black Defence) which help us with any  vulnerbailities wrt. any unsupported component in real time.  

6.7.6

Personnel Security

Implement personnel management practices, covering employees, contractors and other entities, that ensure appropriate vetting and clearance to systems, applications and/or services that contain, store or transmit personal data.

As mentioned above section #1.11, 

Wingify has established a security  program which includes awareness and training program for all workforce members.

Mandatory Security  & Privacy Awareness training of all workforce members on an annual basis. Workforce members who access a system for processing, storing or transmitting personal information or sensitive information are formally trained in data handling requirements prior to authorizing access to the system.

6.7.7

Rules of Behavior

Require employees and contractors to read and agree to abide by the organization’s rules of behavior, prior to being granted access to systems, applications and/or services that store, transmit or process personal data.

Wingify has a Acceptable Use Policy (AUP) and every workforce member acknowledges it on an annual basis. AUPs define acceptable and unacceptable use of technologies, including consequences for unacceptable behavior.  

6.7.8

Employee Sanctions

Utilize employee sanctions to hold personnel accountable for complying with the organization’s privacy policies and processes.

Wingify has a robust Disciplinary Policy for sanctioning personnel who  fail to comply with established security & privacy policies, standards and procedures of the organization. 

6.7.9

Workforce Management

Respond to changing mission requirements and maintain workforce skills in a rapidly-developing technology environment through recruiting and retaining the talent needed to support the organization’s mission.

Wingify has Human Resource personnel security mechanisms in place as per A.7 of ISO 27001 standard control requirement and validated on an annual basis by external third-party auditor.

6.7.10

Professional Competency

Develop and enforce privacy competency requirements for staff members involved in the acquisition, management, maintenance and use of information resources, to ensure they have the appropriate knowledge and skill.

As mentioned above in section #7.9, Wingify has mechanisms (eg. BGV)  in place to manage personnel security risk by screening individuals prior to authorizing any information system access. And as well clearly defined cybersecurity and privacy  responsibilities for all personnel and RACI matrix is in place for the same. 

6.8 Incident Response

Maintain adequate incident response capabilities and provide training for employees and contractors on how to report and respond to incidents.

#

Principle Name

Privacy Management Principle  Description

Wingify Adherence Details

6.8.1

Breach Notification

Report data breaches involving personal data to relevant regulators, law enforcement and affected parties in accordance with applicable statutory, regulatory and contractual obligations for breach notification.

Wingify  has a robust Security Incident Policy & Procedure and Breach Notification Plan  where any security incident or  data breaches are reported with any undue delay. Please refer to the section 9 “Incident  Response and Breach Notification”  of our DPA

6.9 Risk Management

Implement a risk management framework to ensure that risks are identified, evaluated and addressed to achieve the necessary levels of trustworthiness, protection, and resilience.

#

Principle Name

Privacy Management Principle  Description

Wingify Adherence Details

6.9.1

Evaluate Risks

Utilize appropriate risk analysis methods to evaluate the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of personal data where it is stored, transmitted and/or processed.

Wingify has a robust Risk Management Program in place, which includes but not limited to Risk assessment, Risk treatment, Business Impact Analysis, Privacy Impact Assessment etc. We conduct an annual assessment of risk that includes the likelihood and magnitude of harm , from unauthorized access, use, disclosure, disruption, modification or destruction of the information systems and information. 

And, our critical systems and application runs Vulnerability Assessment Penetration Testing (VAPT) on an annual basis through a third-party service provider and performs quarterly security audits for all production environment systems.

6.9.2

Risk Awareness

Maintain a current and accurate register of risk.

As part of Risk Management, we maintain a risk register that facilitates monitoring and reporting of risks, if any. 

6.9.3

Assess Supply Chain Risk

Assess supply chain risks associated with systems, system components and services for privacy implications.

As mentioned above in section #9.1, we have a robust Risk Management Program in place, supply chain risk as well as part of RMP, associated with information systems, system components and services. 

Before contracting with third-party supplier  or sub-processor, Wingify to exercise due diligence in reaching as much understanding as possible of the information security & data protection approach controls the company has in place.and initiate due diligence process for existing third party supplier on an annual basis. 

Business Impact Assessment process is in place as well. 

6.9.4

Data Protection Impact Assessment (DPIA)

Utilize Data Protection Impact Assessments (DPIAs) to effectively identify and reduce privacy risks to an acceptable level.

Wingify conducts a Privacy Impact Assessment (PIA) on all information systems, applications and services to evaluate any privacy implications and associated risk on an annual basis and same is validated by an external third party auditor. 

6.10 Third-Party Management

Provide privacy oversight of third-parties with access to personal data, so that only trusted third-parties are contracted with.

#

Principle Name

Privacy Management Principle  Description

Wingify Adherence Details

6.10.1

Supply Chain Protections

Govern the disclosure of personal data to ensure it is only provided to trusted third-parties that can store, process and/or transmit it in a secure manner.

As mentioned above in section #9.3, we evaluate security and privacy risks associated with the services and product supply chain. 

Section 5.9. Third-Party Supplier of our information security policy:
https://wingify.com/information-security-policy

6.10.2

Secure Disclosure To Third-Parties

Govern third-party use of personal data to ensure privacy requirements are enforced when a third-party stores, processes or transmits personal data on behalf of the organization.

Wingify has proper mechanisms and measures in place to disclose Personal Information to any third parties or sub processors for only the purposes identified in the privacy policy and with the proper consent of the individual. 

6.10.3

Contractual Obligations for Third-Parties

Require terms and conditions in contracts and other agreements to cover the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of personal data.

Wingify enters into a contractual agreement with all  of its vendors/service providers and confidentiality clause is an essential part of such agreements.  Further, wherever any personal information is involved, we sign a data protection agreement with our vendors/service providers to ensure that roles and responsibilities with respect to personal information are clearly defined.

6.10.4

Third-Party Compliance

Validate that privacy controls for systems, applications and services used or operated by third-parties are effectively-implemented and align with industry-recognized secure practices, as well as comply with applicable statutory, regulatory and contractual obligations.

Wingify has a process and plan in place for conducting security and privacy training, assessment, monitoring activities associated with the organizational systems and comply with all applicable statutory, regulatory and contractual obligations. 

We don’t provide any information access to any third-parties or vendors. 

Respect our Users and Customers, Respect their privacy.

We believe these ideas are inseparable. Together, they represent a single, core belief that has influenced everything we’ve made since day one, and everything we’ll make moving forward. When people use our products they trust us with their information, and it’s our job to do right by them. This means always being thoughtful about what information we use, how we use it, and how we protect it.

Choose Privacy. Choose VWO.

Deliver great experiences. Grow faster, starting today.

Start Free Trial Request Demo