This document outlines the steps to be taken in the event of any security incident and how to mitigate the risk of incidents occurring. 


When SuperSync customers use our integration solutions, SuperSync is the Data Processor while the customers are the Data Controllers. This means that SuperSync does not own nor control the data that is being transferred between the different endpoints that are being integrated via SuperSync products. SuperSync also cannot change the purpose nor the means in which the data is being used. Furthermore, SuperSync is bound by the instructions given by the Data Controllers, meaning SuperSync’s customers and are further bound by the regulations and policies set out by the platform we are integration with. 


When SuperSync uses our customers’ personal data for the purpose of conducting business, such as sales, marketing, and support, SuperSync is the Data Controller. As such, SuperSync has measures in place for adhering to GDPR requirements as Data Controller and manages personal data according to these six lawful processing conditions of GDPR:  

  • Compliance with a legal obligation
  • Performance of a contract
  • Legitimate interest
  • Public interest
  • Vital interest
  • Consent 


Categories of Personal Data 

Personal data of SuperSync customers that may be used by us to manage the sales, consulting, support, payment, and billing processes may include: 

  • Name
  • Email address
  • Unique customer identifier
  • Order ID Data Protection Policy 2
  • Bank account details
  • Payment or payment card details
  • Card expiration date
  • CVC code
  • Date/time/amount of transaction
  • Merchant name/ID
  • Location 


SuperSync does not knowingly process special categories of data as defined by the GDPR in the context of processing our internal business activities. 


Information we Process on Behalf of Our Customers 

In the course of using our products and services, SuperSync customers and their end-users may choose to integrate data that contains personal data of their individual customers. The information our customers and their end-users integrate through SuperSync services is processed by SuperSync purely on behalf of the customer at the customer’s sole discretion and direction. 


SuperSync has no direct relationship with the individuals whose personal data it processes through our cloud-based integration. If you have any questions or concerns about how such information is handled or would like to exercise your rights with respect to such data, you should in the first instance contact the person or entity (i.e the data controller) who has contracted with SuperSync to use the SuperSync service to host or process this information (e.g. your employer). They control the personal information in these cases and determine the security settings within the account, its access controls and credentials. We will, however, provide assistance to our customers to address any concerns you may have, in accordance with the terms of our contract with them. 

Where necessary, SuperSync adheres to the policies and terms set out with the product it is contracted to collect information from. Data collected from external services may be subject to additional encryption and data retention policies. SuperSync endeavors to adhere to the policies set out by any platform used to gather information on behalf of our customers. 


SuperSync Governance Structure 

Data privacy is discussed throughout SuperSync with regular presentations to all our Employees and the Executive Team. 


Data privacy and GDPR is a company priority at SuperSync among our Employees and the Executive Team. 


Data Mapping 

We have identified data that we have, where it is held, and how the data is being accessed. Furthermore, we understand the classification of data, records for transfer, and have flowcharts to illustrate how it moves between systems, processes, and countries. 


Information Security 

SuperSync maintains a rigid information security program that includes: 

  • Technical security measures; (e.g. intrusion detection, firewalls, monitoring),
  • Restricted access to personal data,
  • Protection of our physical premises and hard assets,
  • Maintaining security measures for our team members (e.g. background pre-screening),
  • A data-loss prevention strategy, and
  • Regular testing of our security. 


Privacy Impact Assessments 

Where appropriate, a Privacy Impact Assessment has been completed. 


Responding to Subject Access Requests / Rectification / Deletion 

As a Data Processor, processes are in place for SuperSync to respond within 30 days to any requests from a Data Subject for access, corrections, or deletion of personal data as mandated by GDPR. Data Breach Reporting As the Data Processor, SuperSync has processes in place to notify Data Controllers of any data breaches that occur without undue delay as required by GDPR. However, we recognize that for our Customer, the Data Controller, the clock will only start ticking when they become aware there has been an incident. In situations where SuperSync is the Data Controller, SuperSync has processes in place to ensure the required notification is sent to the appropriate authority within 72 hours. 


Cookies & Privacy Policies 

SuperSync is committed to ensuring the privacy of all Data Subjects, regardless of their locations. 


Access Management 

All developers with access to protected information are required to access this information using their own unique identification. No shared accounts or generic accounts will be used. 

SuperSync undertakes to ensure that access to reviewed and maintained only to those individuals who require access to the data for development and support purposes. 


Development Environments and Data

Developers are required to delete any Customer information that is retrieved on their development environments after the retrieval of the data. Periodic checks are to be performed to ensure that PII data is correctly purged from any relevant development environments. 


Data Governance

SuperSync does keep inventory of software and physical assets (e.g. computers, mobile devices) with access to PII, and update regularly. A record of data processing activities such as specific data fields and how they are collected, processed, stored, used, shared, and disposed for all PII Information should be maintained to establish accountability and compliance with regulations. We further abide by our Customer’s privacy policy for their consent and data rights to access, rectify, erase, or stop sharing/processing their information where applicable or required by data privacy regulation. 


Data Retention and Recovery

SuperSync will retain PII only for the purpose of, and as long as is necessary to fulfill orders (no longer than 30 days after order shipment), or to calculate/remit taxes. 


Logging and Monitoring

SuperSync gather logs to detect security-related events (e.g., access and authorization, intrusion attempts, configuration changes) to their Applications and systems. This logging is implemented on all channels (e.g., service APIs, storage-layer APIs, administrative dashboards) providing access to any Customer PII data. All logs must have access controls to prevent any unauthorized access and tampering throughout their lifecycle. Logs themselves should not contain PII and must be retained for at least 90 days for reference in the case of a Security Incident. SuperSync has mechanisms to monitor the logs and all system activities to trigger investigative alarms on suspicious actions (e.g., multiple unauthorized calls, unexpected request rate and data retrieval volume, and access to canary data records). SuperSync performs investigation when monitoring alarms are triggered, and this should be documented in the Developer's Incident Response Plan. 


In case of a security breach – all clients must be notified including any related 3rd parties: 


To download: