Xperix GDPR Compliance Statement

Xperix ("we") is committed to ensuring the security and protection of the personal information we process, complying with regulations on data protection, and providing a compliant and consistent approach to data protection.

We have written this GDPR Compliance Statement to explain our approach to implementing a GDPR compliance program. We explain the implementation of our roles, policies, procedures, controls, and measures for protecting data to ensure continued GDPR compliance.

The scanner products developed and sold by us do not fall under the personal information processing system mentioned in this Statement.

What is the GDPR?

The EU General Data Protection Regulation (Regulation 2016/679) (EU GDPR) went into effect on May 25, 2018 to harmonize data protection regulations throughout the European Union as well as providing greater protection and rights to individual. GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU.

Data Protection Principles

We, at Xperix, consider the privacy and security of individuals and personal data to be very important.
The principles stated below provide a summary of the basic rules that we follow when processing personal data:

• · We process personal data lawfully, fairly and in a transparent manner.
• · We collect personal data only for specified, explicit and legitimate purposes.
• · We collect and keep personal data only to the extent it is necessary in relation to the purposes for which they are processed.
• · We ensure that the personal data we store is up-to-date and accurate.
• · We merely produce the technology that enables customers to process personal data. We are not a controller nor a processor under the GDPR. When a customer processes personal data using Xperix’s access control products, the customer is a controller under GDPR and is subject to the obligations set out in the GDPR, if the customer fall within the territorial ambit of GDPR.
• · To the extent possible, we implement appropriate technical measures to our products to help our customers comply with GDPR.

Rights of Data Subjects under the GDPR

In regard to the personal data in our custody or control, an individual may request the following information from the Company;
You should bear in mind that this does not apply to an individual who is registered and managed by the customer using our products. The customer shall handle it in accordance with its own policy independently of us.

• · Personal data that we retain regarding individuals
• · Categories of Personal data that we collect from individuals
• · Purpose of individual personal data collection and processing
• · How long personal data will be retained
• · The procedure to rectify or complete incomplete or inaccurate personal data
• · The procedure to request deletion of personal data, or to restrict processing of personal data and reject the Company's direct marketing under the Data Protection Regulations, where applicable
• · Information regarding all automated decision making that we use

GDPR Compliance Plan

To comply with the GDPR, we have taken, and will take, the following steps:

• · We have performed an analysis of the personal information collected by our solutions;
• · We have established procedures and policies to restrict the processing of personal information;
• · We have updated our data infringement and incident response procedures;
• · We have updated our data protection policy, data retention policy, information security policy, cookies policy, and privacy policy; and
• · We have reviewed all processing activities to identify the legal bases for the processing of personal data, and have ensures that each basis is appropriate for the activity involved.

Protective Measures under the GDPR

Xperix considers the privacy and security of individuals and personal information to be very important, and takes all reasonable and precautionary measures to protect the personal data we process.
In order to protect personal information from unauthorized access, alteration, disclosure or destruction, we have the following information security policies and procedures as well as several layers of security measures:

• · Risk Management   We evaluate and manage the risks associated with services as part of our risk management process. The risk management process is included in our regulations.
• · Information Security Management   We maintain an Information Security Management System (ISMS) consistent with good industry practices. It includes security policies, organizations, processes and controls that meet the compliance and security requirements we have identified.
• · Personal Security   We have implemented a process for hiring, retaining and terminating contracts with individual employees. We have implemented background checks, ongoing security awareness, and physical and logical access management, and we identify and address risks, perform other security activities for each role, and comply with all legal requirements and restrictions.
• · Asset Management   We process customer data in accordance with contracts, terms and conditions, privacy policies, and related service documents. We manage the IT resources involved in the provision of our services according to our internal classifications and processes. When data or assets are set to be deleted and disposed of, we follow the established processes to ensure that equipment and storage media are properly removed prior to physical disposal.
• · Access Management   Our personal data processing system is protected using network and logical-level security solutions. We provide the processed personal information necessary for sales and technical support, inquiries, etc., through our website, and use an industry-standard cloud service or SaaS. The personal data processing system can be accesses only by the staff in charge to whom the authority has been separately granted.
• · Encryption   All the network traffic of our personal data processing system is encrypted and transmitted, and personal data is all stored encrypted. In addition, encryption in the cloud service or SaaS used by us is subject to the policy of the service provider. Supplier information can be found in our privacy policy, which is available on our website.
• · Development Security   Our products and services are developed according to our R&D development process. The development process includes step-by-step security requirements and procedures, including analysis, development, implementation, testing, and deployment.
• · Physical Security   Our personal data processing system uses an industry-standard cloud service or SaaS. The cloud service or SaaS provider defines and maintains physical and environmental controls over the production environment. The provider has warranty reports and security certifications that cover such controls. Supplier information can be found in our privacy policy, which is available on our website.
• · Operational Security   We follow good industry practices, such as applicable automation, as well as the provider’s recommendations to configure cloud environments that can be used securely by our personal data processing system. We also use automated and manual activities to keep our software up-to-date and address reported vulnerabilities.
• · Vulnerability Management   We use several methods to identify potential vulnerabilities, such as vulnerability scanning, security testing, diagnostics of source codes, and threat intelligence. The reported vulnerabilities are assessed and addressed using defined processes and activities. We provide a responsible public channel for security administrators to report issues they discover.
• · Security Testing and Auditing   We carry out security checks in accordance with our internal procedures for products and services, conduct a security audit regularly, and manage the results with internal confidentiality.
• · Security Event Management   We monitor the environment of the personal data processing system to identify events and incidents affecting our services and data. Security events that become issues are managed in accordance with the operating processes of the management division and the security division.
• · Business Continuity and Backup   We back up and regularly test customer data to ensure that our recovery point objective (RPO) and recovery time objective (RTO) are met in accordance with our internal regulations.
• · Endpoint Security   We scan and monitor for malware activities in our employees' work environment to detect malicious programs and files. We also have the ability to filter and block spam emails and fraudulent emails.

International Data Transfer

We may collect the personal data necessary to conduct business activities such as sales, technical support, and inquiries. The collected personal information is stored and used in an industry-standard cloud service or SaaS. We inform our service providers through our Privacy Policy, and when we collect the personal data of users, we notify and obtain consent from the data subject. We do not have access to any products and data stored thereof by a customer who use Xperix products.

If you have any questions about the GDPR, please contact us.

If you have any questions about this GDPR Compliance Statement or our privacy policy, please contact us at:

• Email: marketing@xperix.com

Release Date: 2023.6.15

GDPR Compliance - Questions & Answers