KnowledgeNet.ai and the GDPR

KnowledgeNet.ai is committed to the fair and respectful treatment of our customers and business partners, and of the personal data entrusted to us through our business relationships. Our policies and practices reflect our commitment to compliance with laws, regulations, and principles for the protection of personal data, including the EU General Data Protection Regulation (GDPR). This note contains general information about the GDPR and describes KnowledgeNet.ai’s infrastructure and business practices that are relevant to the handling of personal data under the GDPR. It is not a statement of compliance with any specific privacy or data protection law of any jurisdiction, including, but not limited to, the GDPR. If, after reading this note, you have additional questions regarding the subject matter, please contact us at compliance@knowledgenet.ai.

General Information About the GDPR

The GDPR (Regulation (EU) 2016/679) is a legal framework governing the handling of personal data that occurs in the context of activities of an EU entity or a non-EU entity that offers goods or services to individuals in the EU (or monitors behavior of individuals in the EU). Personal data is considered to be any information relating to an identified or identifiable person. Examples include (but are not limited to): name, ID number, location data, personal traits, and details that would tend to identify a person by singling them out from others (think of a dataset which identifies a characteristic that only one person in the dataset possesses). Particular rules of processing apply under the GDPR to the special categories of personal data, including:
  • Racial and ethnic origin
  • Political opinions
  • Religious and philosophical beliefs
  • Trade union membership
  • Sexual orientation, sex life, health
  • Genetic and biometric data
The GDPR applies both to a:
  • “controller” – a natural or legal person that determines the purposes and means of processing personal data; and
  • “processor” – a natural or legal person that processes personal data on behalf of a controller.
The definition of “processing” personal data under the GDPR covers most expected stages and activities of data handling, including collecting (whether by automated or manual means), recording, organizing, storing, using, disclosing, and deleting.

GDPR Principles Governing Personal Data Processing

Six principles govern personal data processing under the GDPR (Article 5). The controller is accountable for compliance with these principles, and a processor must process personal data only on the controller’s documented instructions and in a manner that supports them. The principles, and KnowledgeNet.ai’s practices in support of them, are described below.
  1. Lawfulness, Fairness, and Transparency.
    1. There must be a lawful basis for processing;
    2. Personal data is processed in a way the data subject would reasonably expect and that is not unjustifiably or unduly detrimental to the data subject;
    3. Processing is transparent to the data subject, including clear communication about the data subject’s rights and the other information the GDPR requires.
  2. Purpose Limitation.
    1. Personal data is collected only for specified, explicit, and legitimate purposes;
    2. It is not further processed in a manner incompatible with those purposes, with limited exceptions.
  3. Data Minimization.
    1. Personal data is adequate, relevant, and limited to what is necessary for the processing purposes.
  4. Accuracy.
    1. Personal data is kept accurate and, where necessary, up to date, and inaccurate data is corrected or erased without delay.
  5. Storage Limitation.
    1. Personal data is kept in identifiable form only as long as necessary to fulfill the collection purposes, with limited exceptions.
  6. Integrity and Confidentiality.
    1. Appropriate technical and organizational measures protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
The first principle encompassing lawfulness, fairness, and transparency requires that in the collection and use (processing) of the personal data of EU data subjects, service providers like KnowledgeNet.ai must have a “legal basis.” The GDPR describes several legal bases for processing personal data, with two of the commonly used bases being:
  • Consent of the data subject; and
  • A “legitimate interest” to use the data that is not outweighed by fundamental “rights and freedoms,” taking into account data subjects’ “reasonable expectations” of how data may be used.
The GDPR cites “direct marketing” as an example of processing that may be carried out for a legitimate interest (Recital 47). For B2B contacts, the ePrivacy rules of some jurisdictions (for example, the UK’s PECR, rather than the GDPR itself) treat companies (legal entities) as “corporate subscribers” and permit direct marketing outreach to them without prior consent, subject to procedural requirements such as the sender identifying itself and providing contact details. Based on our good-faith reliance on existing legal interpretations, KnowledgeNet.ai believes that our B2B marketing, such as newsletters and most direct marketing, is supported by the “legitimate interest” basis under the GDPR.

KnowledgeNet.ai’s Practices in Support of the GDPR Principles

The KnowledgeNet.ai team works diligently to secure and maintain data for the benefit of both the company and our customers. Where we collect and otherwise process personal data, we do so only for the limited, legitimate purposes specified in this note and in our other privacy documentation, as applicable, and not for purposes incompatible with those specified purposes. We work to keep our processing activities transparent. Our Privacy Policy and Terms of Service describe how users control what we do with their data and how they can exercise their rights to access their data, have inaccurate data corrected, and/or have their data removed from our system, among other rights. For our B2B customers, the following conditions apply to their data control, access, and removal rights and capabilities.
  1. Data Control:
    • Customers are in complete control of what data they collect and enter into the platform.
    • Customers determine which users have access to the platform and to the information stored there.
  2. Data Access and Removal:
    • KnowledgeNet.ai assists customers with Data Subject Access Requests (DSARs) and, on request, helps identify the data stored in their dataset.
    • In support of the storage limitation principle, customer data is retained while the company subscription is active; details of our data deletion and retention policies are set out in the Terms of Service and Privacy Policy, which are publicly available.
KnowledgeNet.ai maintains appropriate integrity and confidentiality of data through rigorous security and data protection measures, including the following:
  • Security Audits: KnowledgeNet.ai has completed a SOC 2 Type 2 audit. A SOC 2 audit evaluates our controls relevant to data security, availability, and confidentiality, and a Type 2 report attests that those controls operated effectively over a defined audit period, not merely that they were designed at a point in time.
  • Advanced Data Controls: We have implemented data controls, including the encryption of all user data, designed to help protect our customers’ data. Our team regularly tests our product to find and fix potential problems and maintains our information security standards on an ongoing basis.
  • Incident Response Processes: We have built and follow data incident response processes, which are tested annually for continued effectiveness.
  • Data Recovery and Integrity: We have processes to support data recovery and integrity.
  • Customer Rights Protection: We have clear language and definitions in place to protect all customers’ rights to their own data footprint in the platform.
  • Key Data Sub-Processors: Our key data sub-processors, such as Amazon Web Services (AWS), MongoDB, and Neo4j, maintain comparable security standards (SOC 2 and/or ISO 27001 certifications, where available) and have undergone security evaluations. It is our policy and practice to put in place a written contract governing our relationship with each sub-processor, as Article 28 of the GDPR requires.

KnowledgeNet.ai's Practices Specific to the Role of Data Controller

As it stands, KnowledgeNet.ai is considered a data controller by the standards contained in the GDPR when we market to customers and prospects. We manage this data to ensure it is secure to the best of our ability.

We market our services on a B2B basis, in good-faith reliance on legitimate interest as the lawful basis. We do not knowingly solicit, collect, or attempt to collect any data in the special categories of personal data through our B2B activities. In our communications with EU B2B entities, we identify our company and provide contact details.

KnowledgeNet.ai's Practices Specific to the Role of Data Processor

As it stands, KnowledgeNet.ai is considered a data processor by the standards contained in the GDPR when we store and manage customer data on our customers’ behalf. We manage that data securely and in a manner that supports our customers’ compliance to the best of our ability. We also view it as our responsibility to educate customers so that they are informed and prepared to use their data in a way that keeps them in compliance.

Our users can exclude individuals located in EU member states from their prospect lists, which helps protect them against accidentally emailing someone they should not. This means our customers do not have to comb through prospect lists to double-check their own compliance while prospecting. Customers that sell or market to individuals in the EU must be transparent about their intentions for any personal data they collect and must have consent from those individuals before sending them any information. If they do send any form of communication, they must also provide a way for recipients to opt out of future messages.

We can enrich data pertaining to individuals in the EU if our customers choose to do so. For example, if a user has the email address and name of an individual working for Louis Vuitton, we can enrich the record with title and company information. However, this capability is applicable only where the enrichment is for the purpose of data hygiene and cleanliness, or where the customer has a good-faith reason to believe that the recipient has a demonstrated interest in receiving the information or offer, such as information that would help them perform their job.

As a data processor, KnowledgeNet.ai maintains our own compliance and aids users with theirs, but we strongly recommend that all of our customers familiarize themselves with the regulations and seek additional support from privacy advisors if any questions remain. Beyond the precautions and measures laid out above, KnowledgeNet.ai has completed, and will continue to undertake, the following actions to support compliance as a data controller and/or processor:
  • Legal Counsel Consultation: Working with our legal counsel (and when requested, those of our customers) to discuss preparation and compliance.
  • Use Case Evaluation: Evaluating use cases within our platform to back up decisions we make should they face legal scrutiny.
  • Internal Workflows: Crafting internal workflows to promptly assist with data subject requests when requested from Customers.
  • Requirement Review: Conducting an in-depth review of data sub-processors and where we may be a joint controller.
  • Contact Information Updates: Updating all contact information and notices so data subjects and customer data controllers may contact us if necessary.
  • Resource Acquisition: Obtaining all resources necessary for ongoing SOC 2 or similar compliance requirements and documentation.
  • Data Security Standards: Updating and maintaining data security standards and processes.
  • Customer Contract Evaluations: Evaluating all customer contracts where necessary to ensure we’ve clearly laid out our responsibilities to avoid any potential confusion.
We are aware that laws and regulations will continue to change, so we will continue the work of maintaining a secure environment and supporting our customers with their compliance requirements. When in doubt, your best course of action is to talk to attorneys well versed in the data-privacy space or to a data protection officer. For all KnowledgeNet.ai-related questions, we are happy to help.