Kurtosys takes great pride in our respect for client and employee privacy, and our Risk, Security and Compliance team is dedicated to ensuring that the company meets its global privacy requirements and protects the privacy of individuals, clients, applicants, and employees.
1. Our core privacy tenets
Transparency
We believe that our clients’ trust in us is best solidified by utmost transparency. From our data handling practices to our policies and procedures, Kurtosys knows the strongest client relationships are built upon honesty and visibility. We are equally committed to the privacy of our employees and promote transparency about how employee data is managed.
Privacy as a feature
Kurtosys doesn’t just think of privacy for clients because it’s something we are asked about or once something goes wrong. Privacy is embedded into our products, with direct impact into how features are engineered and implemented. Privacy is a key consideration in how we design and deploy our hosted services. This is a fundamental aspect of our Information Security policies underpinned by ISO 27001 certification and SOC2 compliance.
Global compliance
Kurtosys have clients that do business all over the world. Our Risk, Security and Compliance team understand and apply data protection laws and regulations spanning the globe. We translate those requirements into measurable controls in order to ensure compliance.
2. Data handling
Contractual arrangements
Kurtosys serves as a Data Processor for clients, handling client data in accordance with the terms and conditions established to align with the objectives of our products and services, our professional service agreements and the requirements of our clients’ regulators and stakeholder expectations. Our clients act as Data Controllers and are responsible for the data provided to Kurtosys, maintaining it for the purposes agreed and ensuring that we are informed of aspects such as classification, sensitivity as well as conditions that apply to the confidentiality, integrity and availability requirements.
Methods of transfer
Kurtosys provide secure data transfer applications for clients to send their data to our platform over internet protocols via sFTP and API endpoints. Clients manage the quantity and types of data that are sent to Kurtosys according to application requirements. Clients may also provision and configure connections to their own access points using features provided by Kurtosys. These integrations may be facilitated by Kurtosys or by your component providers, or they may be built by your own teams. Those that are facilitated by Kurtosys are subject to separate license agreements and acknowledgement that the client is selecting and using their own additional data processor and not a sub-processor of Kurtosys. As such, their services must be independently vetted by clients, and not by Kurtosys, for all operational and security matters.
Types of data
a) Kurtosys provides clients with a single pane of glass to enable effective analysis of the operations of your infrastructure and applications. Kurtosys will only collect data needed to provide the products and services we offer, limiting this to the basic business information provided to use our services, such as name and email address for authentication.
b) For clients uploading more sensitive information, including personal data, additional contractual obligations may be required to meet regulatory requirements. We provide our own data processing addendum (DPA), or agree to client terms in this respect.
c) Clients can add services to the Kurtosys products such as SEO and visitor tracking tools. These are added using the clients’ own accounts and Kurtosys take no responsibility for this data or its data processing.
Exclusion of data
Kurtosys provides, within the secure data transfer applications, the ability for clients to add, remove, update or otherwise reduce the inclusion of, and access to, any unnecessary private or personal data that may be contained in the data you choose to upload to Kurtosys applications.
Location of data
We provide three hosting locations (UK, EU and US), and clients select the region where their data will be hosted when setting up their account. Kurtosys will not change a client’s data hosting location or transfer data out of that region unless there is a specific and verifiable instruction from the client. Data may be accessed by the nominated users of the client and by Kurtosys personnel outside of the host region as part of our follow-the-sun support model. Access by Kurtosys personnel will be limited according to role, e.g. administration of services or support functions, and will not allow data to be copied or moved.
Security of data
Privacy, security, and confidentiality are part of the design of the Kurtosys platform and each service we offer. Kurtosys provides privacy and security training within its security awareness programme for all its employees. You can visit our security page for an overview of our security posture and discussion of our SOC 2 Type 2 audit and ISO 27001 and 22301 certification. Kurtosys has created a self-service Trust Centre that customers and prospects can use to review the documents that support its privacy, security, and compliance programs. Please reach out to your Kurtosys representative who can assist you with gaining access to this portal for detailed documentation relevant to the security of the Kurtosys platform, including copies of our independent third-party audit certificates, BC/DR plans, and more.
3. Privacy by region
UK and EU: General Data Protection Regulation (GDPR)
In July 2020, the Court of Justice of the European Union issued a decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”), in which it held, among other things, that (1) the U.S.’s Privacy Shield program could no longer be used for data transfers to the U.S., and (2) the transfer mechanisms identified in the GDPR — including the European Commission-issued Standard Contractual Clauses (“SCCs”) — could only be used where the laws and practices in the data importer’s country do not impinge on the protections provided by the transfer tool.
Whereas Kurtosys had previously subscribed to the US-EU Privacy Shield in order to protect and backup data between regions for business continuity purposes, our assessment was that where clients required GDPR compliance, we would always retain data in that region and not transfer any data from that region.
Kurtosys has legal entities in the UK and EU which provide clients with specific regional hosting and commit to clients that when they select either of these regions, their data will reside only in the region selected in accordance with GDPR requirements. We observe all of the requirements of the GDPR, in cooperation with official bodies and in support of our clients’ role as Data Controllers.
Kurtosys design, develop, deploy and manage our services without the support of sub-processors. In order to provide our services, including 24/7 support, data may be viewed by certain employees of Kurtosys working outside of the region. Unless stipulated and configured at the client’s request, no other parties will have access to data. In the event that other parties are given access, this will be subject to client and Kurtosys audits and on the basis that they are qualified as end users to access the systems.
United States: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
The CCPA is a landmark state law that established certain privacy rights for California consumers and gave them more control over their personal data. Most notably, the CCPA includes an individual’s right to know, right to delete, right to opt out, and right to non-discrimination. The CPRA expanded the CCPA to strengthen privacy protections and extend the rights of California consumers in relation to their personal data.
Kurtosys operates in the same way in the US region as it does in the UK and EU regions, applying its role as a Data Processor in accordance with the requirements of CCPA. We do not transfer data out of region and provide the same levels of service and security.
United States: Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a US federal law that establishes national standards for protecting certain health data, Protected Health Information (PHI).
Kurtosys do not process any PHI data and we do not accept any PHI data from clients in regard to the services that we offer. As such, we recognise HIPAA but have no requirement to support this Act.
4. Key definitions
Personal data
Data that can be used, either directly or indirectly, to identify an individual. An example of Personal Data that Kurtosys may process is account email addresses to authenticate and use the Kurtosys services.
Client data
Data from our clients’ environments that is sent to or made accessible to Kurtosys. In GDPR terms, we are a Processor of this data; the client remains the Controller. The client has control over the types and amount of this data we receive.
Account data
Data about the clients’ users that the clients provide to Kurtosys when creating accounts. This includes fields like first and last names as well as email addresses and IP addresses for logins. It is easiest to think of this as data from the employees of our clients. Account data may also be included in client data to match with users and provide entitlements through fields such as portfolio and investment account IDs.
Usage data
Any data related to our clients’ configuration and use of Kurtosys products.
Processing
Under the GDPR, Processing refers to any operation an organisation takes that involves personal data. Examples include recording, structuring, combination, alteration, and more.
Data Processing Agreement (DPA)
Under the GDPR, any data processing activities by a third party require a DPA to outline stipulations like the purpose for processing this data, data subject rights, data breach procedures, and more.
Standard Contractual Clauses (SCCs)
SCCs are clauses added to our DPAs to ensure there are adequate data protection safeguards in place for any data sent from the EU to third party countries that are not a part of the Union. We no longer send data from the UK or the EU to third party countries.
Services
In our DPA, Services refers to the product to which a client subscribes (Kurtosys App, APIs, etc.). The Services are the technology collecting and processing Client Data.
Subprocessors
Subprocessors are third or fourth parties that receive data from a processor and carry out further data processing activities on it. Kurtosys does not employ subprocessors.