Ardoq Privacy and Data Protection

Protection of customer data is critical to Ardoq, and privacy and data protection are considered a high priority for the management team. This document aims to provide an overview of Ardoq’s internal policies, procedures, and guidelines meant to enhance protection of personal data processed by Ardoq.

By documenting our approach to privacy and data protection, and sharing it with our customers, we aim to foster transparency, accountability, and trust. This document shows that we handle personal data with the utmost care and in compliance with applicable laws.

Data Protection Principles

At Ardoq we are committed to respecting the privacy and data protection principles to safeguard personal data shared with us by our customers (customer data). We strive to ensure that all personal data collected and processed by Ardoq adheres to the following principles:

  • Lawfulness, Fairness and Transparency

    Ardoq processes personal data when we have a lawful basis that is clearly communicated and easily accessible to the data subjects. The data processing activities initiated by Ardoq are not unexpected or misleading to the concerned individuals.

  • Purpose Limitation

    Personal data is collected by Ardoq for specific and legitimate purposes, clearly communicated to the individuals, and not processed in any manner incompatible with those purposes.

  • Data Minimisation

    Ardoq only collects and retains personal data that is relevant, necessary, and limited to the purposes for which it was obtained.

  • Storage Limitation

    Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law.

  • Integrity and Confidentiality

    Ardoq implements appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, and destruction. For more information please check our Information Security page.

  • Accountability

    We take responsibility for our privacy and data protection practices, and have mechanisms in place to address related complaints and inquiries. As part of the accountability efforts, a Record of Processing Activities (also known as the RoPA) is maintained for all types of personal data processed either directly by Ardoq or on behalf of our customers.

  • Accuracy

    In our internal processes we make reasonable efforts to ensure that personal data is accurate, up-to-date, and complete. In relation to our customers, we offer a standardized self-service platform, where the customers have full control over the types of data to be introduced into the platform and the accuracy of this data.

Data Subject Rights Requests

As part of Ardoq’s commitment to privacy and data protection, the fundamental rights of data subjects are continuously recognized and upheld as outlined in the laws and regulations applicable to Ardoq.

In our relationship with our customers, Ardoq offers a standardized service that facilitates the exercise of data subject rights directly through the Ardoq SaaS platform. These functionalities allow customers to access, delete, modify and extract personal data at all times.

Privacy Policy and Documentation

At Ardoq we have documented our approach to privacy and data protection to ensure compliance with data protection laws, to establish the necessary roles and responsibilities, and to inform the data subjects about Ardoq’s data processing activities.

Ardoq’s online Privacy Policy serves as the primary document outlining how we collect, use, disclose, and protect personal data of external data subjects with whom we have a direct processing relationship, when we are the data controller. This policy is readily accessible on our website and is regularly updated to reflect any changes in Ardoq’s practices or to comply with relevant regulations.

Besides the online Privacy Policy, addressed to external data subjects, we have established comprehensive internal data protection policies, procedures and guidelines that outline the steps taken to safeguard personal data and privacy in Ardoq’s daily operations. This documentation covers our approach to the applicable data protection landscape, emphasizing specific directions and delegating the necessary roles and responsibilities.

Data Breaches

At Ardoq we continuously strive to improve our security infrastructure and data protection practices to prevent data breaches. In the event of a data breach that compromises the security of personal data, we are committed to taking prompt and transparent action to address the incident.

At Ardoq we have adopted documented procedures which delegate a response team to conduct thorough investigations and assess the scope and extent of a potential breach. We have established reporting mechanisms to ensure any suspicious activity is promptly flagged and, should the scope of the breach require it, reported to the concerned parties, such as customers, data protection authorities, or data subjects. We also maintain a comprehensive Data Breach Register to document and track any suspicious incidents and data breaches.

Choosing the Appropriate Suppliers

When customer data is entrusted to other suppliers, we take additional measures to ensure those suppliers are compliant with the applicable data protection and privacy regulations, including the regulations around international data transfers. Customer data is shared with other suppliers according to the instructions received from Ardoq’s customers in their customer agreement.

Before engaging an external supplier, we conduct internal privacy reviews and ensure that a Data Processing Agreement is entered into with the supplier should there be any personal data processed by the supplier on behalf of Ardoq, or on behalf of Ardoq’s customers.

Some of the suppliers we engage might process customer data and take a sub-processor role. In such cases, we shall rely on a general written authorisation offered by our customers to appoint new sub-processors and our customers shall have the opportunity to object to the addition or replacement of the sub-processors. Additionally, we shall sign a Data Processing Agreement with our sub-processors that requires an equivalent level of data protection to the one agreed with our customers. An overview of the sub-processors engaged by Ardoq may be found in the List of Sub-Processors Used by Ardoq.

Data Storage Location

The storage location of customer data hosted in the Ardoq SaaS platform is based on the location and/or preference of the customer. For example, customers established in Europe will have their data hosted in data centers located in the EEA, unless a customer specifically requests Ardoq to choose another region. More information regarding the data storage location used by each of Ardoq’s sub-processors may be found in the List of Sub-Processors Used by Ardoq.

International Data Transfers

When we transfer personal data outside of the countries/regions where Ardoq is established, we take appropriate measures to maintain an equivalent level of protection in the destination country as required by the data protection regime applicable to Ardoq in the EU, EEA, UK or the US.

When data originating in the EU/EEA is transferred to a third country we may rely on the presence of an adequacy decision, the implementation of appropriate safeguards, or the utilization of a recognized certification mechanism. When deemed necessary, a Transfer Impact Assessment (TIA) will also be conducted to ensure the protection of personal data.

Data Protection Officer (DPO)

At Ardoq we have appointed a Data Protection Officer (DPO) responsible for overseeing and ensuring our compliance with privacy policies and practices.

If you have any questions, concerns, or inquiries related to Ardoq’s privacy and data protection documentation or practices, please feel free to reach out to our Data Protection Officer at privacy@ardoq.com.